# Flog Txt Version 1 # Analyzer Version: 2.3.2 # Analyzer Build Date: Jan 8 2019 16:19:15 # Log Creation Date: 18.01.2019 08:45:00.191 Process: id = "1" image_name = "cusersgrujaappdataroaming6xx3wi1icfwjbn6f1od~1.exe" filename = "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\cusersgrujaappdataroaming6xx3wi1icfwjbn6f1od~1.exe" page_root = "0x4e41f000" os_pid = "0x93c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "analysis_target" parent_id = "0" os_parent_pid = "0x0" cmd_line = "\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\CUsersGrujaAppDataRoaming6Xx3WI1ICfwJbN6F1OD~1.EXE\" " cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e814" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 2 start_va = 0x30000 end_va = 0x31fff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 3 start_va = 0x40000 end_va = 0x40fff entry_point = 0x40000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 4 start_va = 0x50000 end_va = 0x53fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 5 start_va = 0x60000 end_va = 0x60fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 6 start_va = 0x130000 end_va = 0x16ffff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 7 start_va = 0x2b0000 end_va = 0x3affff entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 8 start_va = 0x1010000 end_va = 0x1032fff entry_point = 0x1010000 region_type = mapped_file name = "cusersgrujaappdataroaming6xx3wi1icfwjbn6f1od~1.exe" filename = "\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\CUsersGrujaAppDataRoaming6Xx3WI1ICfwJbN6F1OD~1.EXE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\cusersgrujaappdataroaming6xx3wi1icfwjbn6f1od~1.exe") Region: id = 9 start_va = 0x77860000 end_va = 0x77a08fff entry_point = 0x77860000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 10 start_va = 0x77a40000 end_va = 0x77bbffff entry_point = 0x77a40000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 11 start_va = 0x7efb0000 end_va = 0x7efd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efb0000" filename = "" Region: id = 12 start_va = 0x7efdb000 end_va = 0x7efddfff entry_point = 0x0 region_type = private name = "private_0x000000007efdb000" filename = "" Region: id = 13 start_va = 0x7efde000 end_va = 0x7efdefff entry_point = 0x0 region_type = private name = "private_0x000000007efde000" filename = "" Region: id = 14 start_va = 0x7efdf000 end_va = 0x7efdffff entry_point = 0x0 region_type = private name = "private_0x000000007efdf000" filename = "" Region: id = 15 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 16 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 17 start_va = 0x7fff0000 end_va = 0x7fffffeffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 150 start_va = 0x220000 end_va = 0x29ffff entry_point = 0x0 region_type = private name = "private_0x0000000000220000" filename = "" Region: id = 151 start_va = 0x74f80000 end_va = 0x74f87fff entry_point = 0x74f80000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 152 start_va = 0x74f90000 end_va = 0x74febfff entry_point = 0x74f90000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 153 start_va = 0x74ff0000 end_va = 0x7502efff entry_point = 0x74ff0000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 154 start_va = 0x460000 end_va = 0x55ffff entry_point = 0x0 region_type = private name = "private_0x0000000000460000" filename = "" Region: id = 155 start_va = 0x773b0000 end_va = 0x774bffff entry_point = 0x773b0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 156 start_va = 0x775f0000 end_va = 0x77635fff entry_point = 0x775f0000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 157 start_va = 0x77640000 end_va = 0x77739fff entry_point = 0x0 region_type = private name = "private_0x0000000077640000" filename = "" Region: id = 158 start_va = 0x77740000 end_va = 0x7785efff entry_point = 0x0 region_type = private name = "private_0x0000000077740000" filename = "" Region: id = 159 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 160 start_va = 0x70000 end_va = 0xd6fff entry_point = 0x70000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 161 start_va = 0x751b0000 end_va = 0x7533ffff entry_point = 0x751b0000 region_type = mapped_file name = "gdiplus.dll" filename = "\\Windows\\winsxs\\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\\GdiPlus.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\\gdiplus.dll") Region: id = 162 start_va = 0x75340000 end_va = 0x753c3fff entry_point = 0x75340000 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\\comctl32.dll") Region: id = 163 start_va = 0x753d0000 end_va = 0x75401fff entry_point = 0x753d0000 region_type = mapped_file name = "winmm.dll" filename = "\\Windows\\SysWOW64\\winmm.dll" (normalized: "c:\\windows\\syswow64\\winmm.dll") Region: id = 164 start_va = 0x75410000 end_va = 0x7542bfff entry_point = 0x75410000 region_type = mapped_file name = "oledlg.dll" filename = "\\Windows\\SysWOW64\\oledlg.dll" (normalized: "c:\\windows\\syswow64\\oledlg.dll") Region: id = 165 start_va = 0x75430000 end_va = 0x75480fff entry_point = 0x75430000 region_type = mapped_file name = "winspool.drv" filename = "\\Windows\\SysWOW64\\winspool.drv" (normalized: "c:\\windows\\syswow64\\winspool.drv") Region: id = 166 start_va = 0x75590000 end_va = 0x7559bfff entry_point = 0x75590000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 167 start_va = 0x755a0000 end_va = 0x755fffff entry_point = 0x755a0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 168 start_va = 0x75660000 end_va = 0x7570bfff entry_point = 0x75660000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 169 start_va = 0x75710000 end_va = 0x75719fff entry_point = 0x75710000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\SysWOW64\\lpk.dll" (normalized: "c:\\windows\\syswow64\\lpk.dll") Region: id = 170 start_va = 0x75a60000 end_va = 0x75a78fff entry_point = 0x75a60000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 171 start_va = 0x75a80000 end_va = 0x75b0ffff entry_point = 0x75a80000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 172 start_va = 0x75b10000 end_va = 0x75bfffff entry_point = 0x75b10000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 173 start_va = 0x75cc0000 end_va = 0x76909fff entry_point = 0x75cc0000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 174 start_va = 0x76e30000 end_va = 0x76f8bfff entry_point = 0x76e30000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 175 start_va = 0x76f90000 end_va = 0x7702ffff entry_point = 0x76f90000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 176 start_va = 0x771d0000 end_va = 0x772cffff entry_point = 0x771d0000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 177 start_va = 0x77350000 end_va = 0x773a6fff entry_point = 0x77350000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 178 start_va = 0x77550000 end_va = 0x775ecfff entry_point = 0x77550000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 179 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 180 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 181 start_va = 0x210000 end_va = 0x21ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 182 start_va = 0x560000 end_va = 0x6e7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000560000" filename = "" Region: id = 183 start_va = 0x76b30000 end_va = 0x76bfbfff entry_point = 0x76b30000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 184 start_va = 0x76c00000 end_va = 0x76c5ffff entry_point = 0x76c00000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 185 start_va = 0x20000 end_va = 0x20fff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 186 start_va = 0x30000 end_va = 0x30fff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 187 start_va = 0xe0000 end_va = 0xeffff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 188 start_va = 0xf0000 end_va = 0x10bfff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 189 start_va = 0x6f0000 end_va = 0x870fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006f0000" filename = "" Region: id = 190 start_va = 0xa10000 end_va = 0xa1ffff entry_point = 0x0 region_type = private name = "private_0x0000000000a10000" filename = "" Region: id = 191 start_va = 0x1040000 end_va = 0x243ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001040000" filename = "" Region: id = 192 start_va = 0x110000 end_va = 0x121fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 193 start_va = 0x880000 end_va = 0x98ffff entry_point = 0x0 region_type = private name = "private_0x0000000000880000" filename = "" Region: id = 194 start_va = 0xa20000 end_va = 0xbaffff entry_point = 0x0 region_type = private name = "private_0x0000000000a20000" filename = "" Region: id = 195 start_va = 0x880000 end_va = 0x97ffff entry_point = 0x0 region_type = private name = "private_0x0000000000880000" filename = "" Region: id = 196 start_va = 0x980000 end_va = 0x98ffff entry_point = 0x0 region_type = private name = "private_0x0000000000980000" filename = "" Region: id = 197 start_va = 0x3e0000 end_va = 0x41ffff entry_point = 0x0 region_type = private name = "private_0x00000000003e0000" filename = "" Region: id = 198 start_va = 0xbc0000 end_va = 0xcbffff entry_point = 0x0 region_type = private name = "private_0x0000000000bc0000" filename = "" Region: id = 199 start_va = 0x75190000 end_va = 0x751a5fff entry_point = 0x75190000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\SysWOW64\\cryptsp.dll" (normalized: "c:\\windows\\syswow64\\cryptsp.dll") Region: id = 200 start_va = 0x7efd8000 end_va = 0x7efdafff entry_point = 0x0 region_type = private name = "private_0x000000007efd8000" filename = "" Region: id = 201 start_va = 0x170000 end_va = 0x1abfff entry_point = 0x170000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 202 start_va = 0x170000 end_va = 0x1abfff entry_point = 0x170000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 203 start_va = 0x170000 end_va = 0x1abfff entry_point = 0x170000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 204 start_va = 0x170000 end_va = 0x1abfff entry_point = 0x170000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 205 start_va = 0x170000 end_va = 0x1abfff entry_point = 0x170000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 206 start_va = 0x75150000 end_va = 0x7518afff entry_point = 0x75150000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 207 start_va = 0xcc0000 end_va = 0xf8efff entry_point = 0xcc0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 208 start_va = 0x75720000 end_va = 0x7583cfff entry_point = 0x75720000 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\SysWOW64\\crypt32.dll" (normalized: "c:\\windows\\syswow64\\crypt32.dll") Region: id = 209 start_va = 0x75c60000 end_va = 0x75c6bfff entry_point = 0x75c60000 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\SysWOW64\\msasn1.dll" (normalized: "c:\\windows\\syswow64\\msasn1.dll") Thread: id = 1 os_tid = 0x940 [0020.871] GetCurrentProcess () returned 0xffffffff [0020.871] GetTickCount () returned 0x158c9 [0020.871] GetCurrentThreadId () returned 0x940 [0020.871] GetCurrentThreadId () returned 0x940 [0020.871] GetCurrentProcess () returned 0xffffffff [0020.871] GetVersion () returned 0x1db10106 [0020.871] GetVersion () returned 0x1db10106 [0020.871] GetCurrentProcess () returned 0xffffffff [0020.871] GetCurrentProcess () returned 0xffffffff [0020.871] GetTickCount () returned 0x158c9 [0020.871] GetTickCount () returned 0x158c9 [0020.871] GetTickCount () returned 0x158c9 [0020.871] GetVersion () returned 0x1db10106 [0020.872] GetTickCount () returned 0x158c9 [0020.872] GetCurrentThreadId () returned 0x940 [0020.872] GetVersion () returned 0x1db10106 [0020.872] GetTickCount () returned 0x158c9 [0020.872] GetCurrentThreadId () returned 0x940 [0020.872] GetCurrentThreadId () returned 0x940 [0020.872] GetCurrentThreadId () returned 0x940 [0020.872] GetVersion () returned 0x1db10106 [0020.872] GetTickCount () returned 0x158c9 [0020.872] GetCurrentThreadId () returned 0x940 [0020.872] GetTickCount () returned 0x158c9 [0020.872] GetCurrentThreadId () returned 0x940 [0020.872] GetCurrentThreadId () returned 0x940 [0020.872] GetVersion () returned 0x1db10106 [0020.872] GetTickCount () returned 0x158c9 [0020.872] GetTickCount () returned 0x158c9 [0020.872] GetCurrentThreadId () returned 0x940 [0020.872] VirtualAlloc (lpAddress=0x0, dwSize=0x1c000, flAllocationType=0x1000, flProtect=0x40) returned 0xf0000 [0021.064] VirtualAlloc (lpAddress=0x0, dwSize=0x11a00, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0023.544] VirtualProtect (in: lpAddress=0x1010000, dwSize=0x1c000, flNewProtect=0x40, lpflOldProtect=0x10a0b8 | out: lpflOldProtect=0x10a0b8*=0x2) returned 1 [0023.546] VirtualProtect (in: lpAddress=0x1010000, dwSize=0x400, flNewProtect=0x2, lpflOldProtect=0x10a0b8 | out: lpflOldProtect=0x10a0b8*=0x40) returned 1 [0023.546] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x773b0000 [0023.546] GetProcAddress (hModule=0x773b0000, lpProcName="OutputDebugStringA") returned 0x773eb2b7 [0023.546] GetProcAddress (hModule=0x773b0000, lpProcName="HeapValidate") returned 0x773db17b [0023.557] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3af304, nSize=0x1000 | out: lpFilename="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\CUsersGrujaAppDataRoaming6Xx3WI1ICfwJbN6F1OD~1.EXE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\cusersgrujaappdataroaming6xx3wi1icfwjbn6f1od~1.exe")) returned 0x58 [0023.557] GetVersionExW (in: lpVersionInformation=0x3af9a4*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x3af9a4*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0023.558] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x3af990 | out: Wow64Process=0x3af990) returned 1 [0023.558] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3af96c | out: TokenHandle=0x3af96c*=0xbc) returned 1 [0023.558] GetTokenInformation (in: TokenHandle=0xbc, TokenInformationClass=0x2, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x3af968 | out: TokenInformation=0x0, ReturnLength=0x3af968) returned 0 [0023.558] GetLastError () returned 0x7a [0023.558] GetTokenInformation (in: TokenHandle=0xbc, TokenInformationClass=0x2, TokenInformation=0xba1080, TokenInformationLength=0x118, ReturnLength=0x3af968 | out: TokenInformation=0xba1080, ReturnLength=0x3af968) returned 1 [0023.558] AllocateAndInitializeSid (in: pIdentifierAuthority=0x3af978, nSubAuthorityCount=0x2, nSubAuthority0=0x20, nSubAuthority1=0x220, nSubAuthority2=0x0, nSubAuthority3=0x0, nSubAuthority4=0x0, nSubAuthority5=0x0, nSubAuthority6=0x0, nSubAuthority7=0x0, pSid=0x3af970 | out: pSid=0x3af970*=0x4718a8*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0))) returned 1 [0023.558] EqualSid (pSid1=0x4718a8*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), pSid2=0xba10e4*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25))) returned 0 [0023.558] EqualSid (pSid1=0x4718a8*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), pSid2=0xba1100*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x1), SubAuthority=0x0)) returned 0 [0023.558] EqualSid (pSid1=0x4718a8*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), pSid2=0xba110c*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0))) returned 1 [0023.558] NtClose (Handle=0xbc) returned 0x0 [0023.558] RtlQueryElevationFlags () returned 0x0 [0023.574] SHRegDuplicateHKey (hkey=0x80000002) returned 0x80000002 [0023.574] RegEnumKeyW (in: hKey=0x80000002, dwIndex=0x0, lpName=0xbab970, cchName=0x104 | out: lpName="BCD00000000") returned 0x0 [0023.575] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="bcd00000000", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0023.575] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="bcd00000000", cchWideChar=11, lpMultiByteStr=0xbabc80, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bcd00000000", lpUsedDefaultChar=0x0) returned 11 [0023.575] RegEnumKeyW (in: hKey=0x80000002, dwIndex=0x1, lpName=0xbab970, cchName=0x104 | out: lpName="HARDWARE") returned 0x0 [0023.575] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="hardware", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0023.575] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="hardware", cchWideChar=8, lpMultiByteStr=0xbabce0, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="hardware", lpUsedDefaultChar=0x0) returned 8 [0023.575] RegEnumKeyW (in: hKey=0x80000002, dwIndex=0x2, lpName=0xbab970, cchName=0x104 | out: lpName="SAM") returned 0x0 [0023.575] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="sam", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0023.575] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="sam", cchWideChar=3, lpMultiByteStr=0xbabd28, cbMultiByte=3, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="sam", lpUsedDefaultChar=0x0) returned 3 [0023.575] RegEnumKeyW (in: hKey=0x80000002, dwIndex=0x3, lpName=0xbab970, cchName=0x104 | out: lpName="SECURITY") returned 0x0 [0023.576] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="security", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0023.576] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="security", cchWideChar=8, lpMultiByteStr=0xbabce0, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="security", lpUsedDefaultChar=0x0) returned 8 [0023.576] RegEnumKeyW (in: hKey=0x80000002, dwIndex=0x4, lpName=0xbab970, cchName=0x104 | out: lpName="SOFTWARE") returned 0x0 [0023.576] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="software", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0023.576] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="software", cchWideChar=8, lpMultiByteStr=0xbabd28, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="software", lpUsedDefaultChar=0x0) returned 8 [0023.576] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE", ulOptions=0x0, samDesired=0x20109, phkResult=0x3af8ec | out: phkResult=0x3af8ec*=0xbc) returned 0x0 [0023.576] RegCloseKey (hKey=0x80000002) returned 0x0 [0023.576] RegEnumKeyW (in: hKey=0xbc, dwIndex=0x0, lpName=0xbab970, cchName=0x104 | out: lpName="ATI Technologies") returned 0x0 [0023.576] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ati technologies", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0023.576] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ati technologies", cchWideChar=16, lpMultiByteStr=0xbac160, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ati technologies", lpUsedDefaultChar=0x0) returned 16 [0023.576] RegEnumKeyW (in: hKey=0xbc, dwIndex=0x1, lpName=0xbab970, cchName=0x104 | out: lpName="CBSTEST") returned 0x0 [0023.577] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="cbstest", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0023.577] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="cbstest", cchWideChar=7, lpMultiByteStr=0xbac1a8, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="cbstest", lpUsedDefaultChar=0x0) returned 7 [0023.577] RegEnumKeyW (in: hKey=0xbc, dwIndex=0x2, lpName=0xbab970, cchName=0x104 | out: lpName="Classes") returned 0x0 [0023.577] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="classes", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0023.577] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="classes", cchWideChar=7, lpMultiByteStr=0xbac160, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="classes", lpUsedDefaultChar=0x0) returned 7 [0023.577] RegEnumKeyW (in: hKey=0xbc, dwIndex=0x3, lpName=0xbab970, cchName=0x104 | out: lpName="Clients") returned 0x0 [0023.577] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="clients", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0023.577] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="clients", cchWideChar=7, lpMultiByteStr=0xbac1a8, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="clients", lpUsedDefaultChar=0x0) returned 7 [0023.577] RegEnumKeyW (in: hKey=0xbc, dwIndex=0x4, lpName=0xbab970, cchName=0x104 | out: lpName="Intel") returned 0x0 [0023.577] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="intel", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0023.577] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="intel", cchWideChar=5, lpMultiByteStr=0xbac160, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="intel", lpUsedDefaultChar=0x0) returned 5 [0023.577] RegEnumKeyW (in: hKey=0xbc, dwIndex=0x5, lpName=0xbab970, cchName=0x104 | out: lpName="Macromedia") returned 0x0 [0023.577] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="macromedia", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0023.577] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="macromedia", cchWideChar=10, lpMultiByteStr=0xbac1a8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="macromedia", lpUsedDefaultChar=0x0) returned 10 [0023.578] RegEnumKeyW (in: hKey=0xbc, dwIndex=0x6, lpName=0xbab970, cchName=0x104 | out: lpName="Microsoft") returned 0x0 [0023.578] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="microsoft", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0023.578] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="microsoft", cchWideChar=9, lpMultiByteStr=0xbac160, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="microsoft", lpUsedDefaultChar=0x0) returned 9 [0023.578] RegOpenKeyExW (in: hKey=0xbc, lpSubKey="Microsoft", ulOptions=0x0, samDesired=0x20109, phkResult=0x3af8ec | out: phkResult=0x3af8ec*=0x3c) returned 0x0 [0023.578] RegCloseKey (hKey=0xbc) returned 0x0 [0023.578] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x0, lpName=0xbab970, cchName=0x104 | out: lpName=".NETFramework") returned 0x0 [0023.578] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr=".netframework", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0023.578] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr=".netframework", cchWideChar=13, lpMultiByteStr=0xbac1a8, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=".netframework", lpUsedDefaultChar=0x0) returned 13 [0023.578] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x1, lpName=0xbab970, cchName=0x104 | out: lpName="Active Setup") returned 0x0 [0023.578] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="active setup", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0023.578] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="active setup", cchWideChar=12, lpMultiByteStr=0xbac160, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="active setup", lpUsedDefaultChar=0x0) returned 12 [0023.578] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x2, lpName=0xbab970, cchName=0x104 | out: lpName="ADs") returned 0x0 [0023.578] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ads", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0023.578] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ads", cchWideChar=3, lpMultiByteStr=0xbac1a8, cbMultiByte=3, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ads", lpUsedDefaultChar=0x0) returned 3 [0023.578] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x3, lpName=0xbab970, cchName=0x104 | out: lpName="Advanced INF Setup") returned 0x0 [0023.578] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="advanced inf setup", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0023.578] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="advanced inf setup", cchWideChar=18, lpMultiByteStr=0xbac160, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="advanced inf setup", lpUsedDefaultChar=0x0) returned 18 [0023.579] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x4, lpName=0xbab970, cchName=0x104 | out: lpName="ALG") returned 0x0 [0023.579] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="alg", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0023.579] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="alg", cchWideChar=3, lpMultiByteStr=0xbac1a8, cbMultiByte=3, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="alg", lpUsedDefaultChar=0x0) returned 3 [0023.579] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x5, lpName=0xbab970, cchName=0x104 | out: lpName="ASP.NET") returned 0x0 [0023.579] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="asp.net", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0023.579] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="asp.net", cchWideChar=7, lpMultiByteStr=0xbac160, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="asp.net", lpUsedDefaultChar=0x0) returned 7 [0023.579] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x6, lpName=0xbab970, cchName=0x104 | out: lpName="Assistance") returned 0x0 [0023.579] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="assistance", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0023.579] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="assistance", cchWideChar=10, lpMultiByteStr=0xbac1a8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="assistance", lpUsedDefaultChar=0x0) returned 10 [0023.579] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x7, lpName=0xbab970, cchName=0x104 | out: lpName="BidInterface") returned 0x0 [0023.579] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="bidinterface", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0023.579] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="bidinterface", cchWideChar=12, lpMultiByteStr=0xbac160, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bidinterface", lpUsedDefaultChar=0x0) returned 12 [0023.580] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x8, lpName=0xbab970, cchName=0x104 | out: lpName="COM3") returned 0x0 [0023.580] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="com3", cchWideChar=4, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 4 [0023.580] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="com3", cchWideChar=4, lpMultiByteStr=0xbac1a8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="com3", lpUsedDefaultChar=0x0) returned 4 [0023.580] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x9, lpName=0xbab970, cchName=0x104 | out: lpName="Command Processor") returned 0x0 [0023.580] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="command processor", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0023.580] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="command processor", cchWideChar=17, lpMultiByteStr=0xbac160, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="command processor", lpUsedDefaultChar=0x0) returned 17 [0023.580] RegEnumKeyW (in: hKey=0x3c, dwIndex=0xa, lpName=0xbab970, cchName=0x104 | out: lpName="Connect to a Network Projector") returned 0x0 [0023.580] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="connect to a network projector", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0023.580] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="connect to a network projector", cchWideChar=30, lpMultiByteStr=0xbac1a8, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="connect to a network projector", lpUsedDefaultChar=0x0) returned 30 [0023.580] RegEnumKeyW (in: hKey=0x3c, dwIndex=0xb, lpName=0xbab970, cchName=0x104 | out: lpName="Cryptography") returned 0x0 [0023.580] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="cryptography", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0023.580] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="cryptography", cchWideChar=12, lpMultiByteStr=0xbac160, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="cryptography", lpUsedDefaultChar=0x0) returned 12 [0023.580] RegEnumKeyW (in: hKey=0x3c, dwIndex=0xc, lpName=0xbab970, cchName=0x104 | out: lpName="CTF") returned 0x0 [0023.580] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ctf", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0023.580] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ctf", cchWideChar=3, lpMultiByteStr=0xbac1a8, cbMultiByte=3, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ctf", lpUsedDefaultChar=0x0) returned 3 [0023.581] RegEnumKeyW (in: hKey=0x3c, dwIndex=0xd, lpName=0xbab970, cchName=0x104 | out: lpName="DataAccess") returned 0x0 [0023.581] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="dataaccess", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0023.581] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="dataaccess", cchWideChar=10, lpMultiByteStr=0xbac160, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dataaccess", lpUsedDefaultChar=0x0) returned 10 [0023.581] RegEnumKeyW (in: hKey=0x3c, dwIndex=0xe, lpName=0xbab970, cchName=0x104 | out: lpName="DataFactory") returned 0x0 [0023.581] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="datafactory", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0023.581] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="datafactory", cchWideChar=11, lpMultiByteStr=0xbac1a8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="datafactory", lpUsedDefaultChar=0x0) returned 11 [0023.581] RegEnumKeyW (in: hKey=0x3c, dwIndex=0xf, lpName=0xbab970, cchName=0x104 | out: lpName="DevDiv") returned 0x0 [0023.581] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="devdiv", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0023.581] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="devdiv", cchWideChar=6, lpMultiByteStr=0xbac160, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="devdiv", lpUsedDefaultChar=0x0) returned 6 [0023.581] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x10, lpName=0xbab970, cchName=0x104 | out: lpName="Dfrg") returned 0x0 [0023.581] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="dfrg", cchWideChar=4, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 4 [0023.581] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="dfrg", cchWideChar=4, lpMultiByteStr=0xbac1a8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dfrg", lpUsedDefaultChar=0x0) returned 4 [0023.581] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x11, lpName=0xbab970, cchName=0x104 | out: lpName="DFS") returned 0x0 [0023.581] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="dfs", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0023.581] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="dfs", cchWideChar=3, lpMultiByteStr=0xbac160, cbMultiByte=3, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dfs", lpUsedDefaultChar=0x0) returned 3 [0023.582] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x12, lpName=0xbab970, cchName=0x104 | out: lpName="DirectDraw") returned 0x0 [0023.582] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="directdraw", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0023.582] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="directdraw", cchWideChar=10, lpMultiByteStr=0xbac1a8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="directdraw", lpUsedDefaultChar=0x0) returned 10 [0023.582] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x13, lpName=0xbab970, cchName=0x104 | out: lpName="DirectInput") returned 0x0 [0023.582] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="directinput", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0023.582] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="directinput", cchWideChar=11, lpMultiByteStr=0xbac160, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="directinput", lpUsedDefaultChar=0x0) returned 11 [0023.582] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x14, lpName=0xbab970, cchName=0x104 | out: lpName="DirectMusic") returned 0x0 [0023.582] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="directmusic", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0023.582] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="directmusic", cchWideChar=11, lpMultiByteStr=0xbac1a8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="directmusic", lpUsedDefaultChar=0x0) returned 11 [0023.582] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x15, lpName=0xbab970, cchName=0x104 | out: lpName="DirectPlay8") returned 0x0 [0023.582] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="directplay8", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0023.582] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="directplay8", cchWideChar=11, lpMultiByteStr=0xbac160, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="directplay8", lpUsedDefaultChar=0x0) returned 11 [0023.582] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x16, lpName=0xbab970, cchName=0x104 | out: lpName="DirectPlayNATHelp") returned 0x0 [0023.582] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="directplaynathelp", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0023.582] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="directplaynathelp", cchWideChar=17, lpMultiByteStr=0xbac1a8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="directplaynathelp", lpUsedDefaultChar=0x0) returned 17 [0023.583] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x17, lpName=0xbab970, cchName=0x104 | out: lpName="DirectShow") returned 0x0 [0023.583] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="directshow", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0023.583] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="directshow", cchWideChar=10, lpMultiByteStr=0xbac160, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="directshow", lpUsedDefaultChar=0x0) returned 10 [0023.583] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x18, lpName=0xbab970, cchName=0x104 | out: lpName="DirectX") returned 0x0 [0023.583] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="directx", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0023.583] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="directx", cchWideChar=7, lpMultiByteStr=0xbac1a8, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="directx", lpUsedDefaultChar=0x0) returned 7 [0023.583] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x19, lpName=0xbab970, cchName=0x104 | out: lpName="Driver Signing") returned 0x0 [0023.583] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="driver signing", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0023.583] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="driver signing", cchWideChar=14, lpMultiByteStr=0xbac160, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="driver signing", lpUsedDefaultChar=0x0) returned 14 [0023.583] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x1a, lpName=0xbab970, cchName=0x104 | out: lpName="DRM") returned 0x0 [0023.583] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="drm", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0023.583] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="drm", cchWideChar=3, lpMultiByteStr=0xbac1a8, cbMultiByte=3, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="drm", lpUsedDefaultChar=0x0) returned 3 [0023.583] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x1b, lpName=0xbab970, cchName=0x104 | out: lpName="DVR") returned 0x0 [0023.583] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="dvr", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0023.584] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="dvr", cchWideChar=3, lpMultiByteStr=0xbac160, cbMultiByte=3, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dvr", lpUsedDefaultChar=0x0) returned 3 [0023.584] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x1c, lpName=0xbab970, cchName=0x104 | out: lpName="DXP") returned 0x0 [0023.584] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="dxp", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0023.584] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="dxp", cchWideChar=3, lpMultiByteStr=0xbac1a8, cbMultiByte=3, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dxp", lpUsedDefaultChar=0x0) returned 3 [0023.584] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x1d, lpName=0xbab970, cchName=0x104 | out: lpName="EnterpriseCertificates") returned 0x0 [0023.584] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="enterprisecertificates", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0023.584] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="enterprisecertificates", cchWideChar=22, lpMultiByteStr=0xbac160, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="enterprisecertificates", lpUsedDefaultChar=0x0) returned 22 [0023.584] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x1e, lpName=0xbab970, cchName=0x104 | out: lpName="EventSystem") returned 0x0 [0023.584] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="eventsystem", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0023.584] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="eventsystem", cchWideChar=11, lpMultiByteStr=0xbac1a8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="eventsystem", lpUsedDefaultChar=0x0) returned 11 [0023.584] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x1f, lpName=0xbab970, cchName=0x104 | out: lpName="Exchange") returned 0x0 [0023.584] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="exchange", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0023.584] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="exchange", cchWideChar=8, lpMultiByteStr=0xbac160, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="exchange", lpUsedDefaultChar=0x0) returned 8 [0023.584] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x20, lpName=0xbab970, cchName=0x104 | out: lpName="Fax") returned 0x0 [0023.584] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="fax", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0023.585] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="fax", cchWideChar=3, lpMultiByteStr=0xbac1a8, cbMultiByte=3, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="fax", lpUsedDefaultChar=0x0) returned 3 [0023.585] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x21, lpName=0xbab970, cchName=0x104 | out: lpName="Feeds") returned 0x0 [0023.585] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="feeds", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0023.585] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="feeds", cchWideChar=5, lpMultiByteStr=0xbac160, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="feeds", lpUsedDefaultChar=0x0) returned 5 [0023.585] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x22, lpName=0xbab970, cchName=0x104 | out: lpName="FlashConfig") returned 0x0 [0023.585] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="flashconfig", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0023.585] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="flashconfig", cchWideChar=11, lpMultiByteStr=0xbac1a8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="flashconfig", lpUsedDefaultChar=0x0) returned 11 [0023.585] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x23, lpName=0xbab970, cchName=0x104 | out: lpName="FTH") returned 0x0 [0023.585] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="fth", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0023.585] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="fth", cchWideChar=3, lpMultiByteStr=0xbac160, cbMultiByte=3, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="fth", lpUsedDefaultChar=0x0) returned 3 [0023.585] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x24, lpName=0xbab970, cchName=0x104 | out: lpName="Function Discovery") returned 0x0 [0023.585] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="function discovery", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0023.585] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="function discovery", cchWideChar=18, lpMultiByteStr=0xbac1a8, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="function discovery", lpUsedDefaultChar=0x0) returned 18 [0023.585] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x25, lpName=0xbab970, cchName=0x104 | out: lpName="Fusion") returned 0x0 [0023.585] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="fusion", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0023.586] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="fusion", cchWideChar=6, lpMultiByteStr=0xbac160, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="fusion", lpUsedDefaultChar=0x0) returned 6 [0023.586] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x26, lpName=0xbab970, cchName=0x104 | out: lpName="GPUPipeline") returned 0x0 [0023.586] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="gpupipeline", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0023.586] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="gpupipeline", cchWideChar=11, lpMultiByteStr=0xbac1a8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="gpupipeline", lpUsedDefaultChar=0x0) returned 11 [0023.586] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x27, lpName=0xbab970, cchName=0x104 | out: lpName="HTMLHelp") returned 0x0 [0023.586] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="htmlhelp", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0023.586] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="htmlhelp", cchWideChar=8, lpMultiByteStr=0xbac160, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="htmlhelp", lpUsedDefaultChar=0x0) returned 8 [0023.586] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x28, lpName=0xbab970, cchName=0x104 | out: lpName="IdentityCRL") returned 0x0 [0023.586] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="identitycrl", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0023.586] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="identitycrl", cchWideChar=11, lpMultiByteStr=0xbac1a8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="identitycrl", lpUsedDefaultChar=0x0) returned 11 [0023.586] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x29, lpName=0xbab970, cchName=0x104 | out: lpName="IdentityStore") returned 0x0 [0023.586] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="identitystore", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0023.586] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="identitystore", cchWideChar=13, lpMultiByteStr=0xbac160, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="identitystore", lpUsedDefaultChar=0x0) returned 13 [0023.586] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x2a, lpName=0xbab970, cchName=0x104 | out: lpName="IMAPI") returned 0x0 [0023.586] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="imapi", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0023.587] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="imapi", cchWideChar=5, lpMultiByteStr=0xbac1a8, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="imapi", lpUsedDefaultChar=0x0) returned 5 [0023.587] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x2b, lpName=0xbab970, cchName=0x104 | out: lpName="IMEJP") returned 0x0 [0023.587] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="imejp", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0023.587] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="imejp", cchWideChar=5, lpMultiByteStr=0xbac160, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="imejp", lpUsedDefaultChar=0x0) returned 5 [0023.587] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x2c, lpName=0xbab970, cchName=0x104 | out: lpName="IMEKR") returned 0x0 [0023.587] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="imekr", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0023.587] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="imekr", cchWideChar=5, lpMultiByteStr=0xbac1a8, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="imekr", lpUsedDefaultChar=0x0) returned 5 [0023.587] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x2d, lpName=0xbab970, cchName=0x104 | out: lpName="IMETC") returned 0x0 [0023.587] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="imetc", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0023.587] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="imetc", cchWideChar=5, lpMultiByteStr=0xbac160, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="imetc", lpUsedDefaultChar=0x0) returned 5 [0023.587] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x2e, lpName=0xbab970, cchName=0x104 | out: lpName="Internet Account Manager") returned 0x0 [0023.587] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="internet account manager", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0023.587] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="internet account manager", cchWideChar=24, lpMultiByteStr=0xbac1a8, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="internet account manager", lpUsedDefaultChar=0x0) returned 24 [0023.587] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x2f, lpName=0xbab970, cchName=0x104 | out: lpName="Internet Domains") returned 0x0 [0023.588] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="internet domains", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0023.588] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="internet domains", cchWideChar=16, lpMultiByteStr=0xbac160, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="internet domains", lpUsedDefaultChar=0x0) returned 16 [0023.588] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x30, lpName=0xbab970, cchName=0x104 | out: lpName="Internet Explorer") returned 0x0 [0023.588] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="internet explorer", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0023.588] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="internet explorer", cchWideChar=17, lpMultiByteStr=0xbac1a8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="internet explorer", lpUsedDefaultChar=0x0) returned 17 [0023.588] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x31, lpName=0xbab970, cchName=0x104 | out: lpName="IsoBurn") returned 0x0 [0023.588] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="isoburn", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0023.588] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="isoburn", cchWideChar=7, lpMultiByteStr=0xbac160, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="isoburn", lpUsedDefaultChar=0x0) returned 7 [0023.588] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x32, lpName=0xbab970, cchName=0x104 | out: lpName="Loki") returned 0x0 [0023.588] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="loki", cchWideChar=4, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 4 [0023.588] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="loki", cchWideChar=4, lpMultiByteStr=0xbac1a8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="loki", lpUsedDefaultChar=0x0) returned 4 [0023.588] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x33, lpName=0xbab970, cchName=0x104 | out: lpName="MediaCenterPeripheral") returned 0x0 [0023.588] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mediacenterperipheral", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0023.588] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mediacenterperipheral", cchWideChar=21, lpMultiByteStr=0xbac160, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mediacenterperipheral", lpUsedDefaultChar=0x0) returned 21 [0023.588] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x34, lpName=0xbab970, cchName=0x104 | out: lpName="MediaPlayer") returned 0x0 [0023.589] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mediaplayer", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0023.589] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mediaplayer", cchWideChar=11, lpMultiByteStr=0xbac1a8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mediaplayer", lpUsedDefaultChar=0x0) returned 11 [0023.589] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x35, lpName=0xbab970, cchName=0x104 | out: lpName="MessengerService") returned 0x0 [0023.589] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="messengerservice", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0023.589] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="messengerservice", cchWideChar=16, lpMultiByteStr=0xbac160, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="messengerservice", lpUsedDefaultChar=0x0) returned 16 [0023.589] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x36, lpName=0xbab970, cchName=0x104 | out: lpName="Microsoft Reference") returned 0x0 [0023.589] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="microsoft reference", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0023.589] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="microsoft reference", cchWideChar=19, lpMultiByteStr=0xbac1a8, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="microsoft reference", lpUsedDefaultChar=0x0) returned 19 [0023.589] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x37, lpName=0xbab970, cchName=0x104 | out: lpName="Microsoft SQL Server Compact Edition") returned 0x0 [0023.589] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="microsoft sql server compact edition", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0023.589] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="microsoft sql server compact edition", cchWideChar=36, lpMultiByteStr=0xbac160, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="microsoft sql server compact edition", lpUsedDefaultChar=0x0) returned 36 [0023.589] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x38, lpName=0xbab970, cchName=0x104 | out: lpName="MigWiz") returned 0x0 [0023.589] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="migwiz", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0023.589] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="migwiz", cchWideChar=6, lpMultiByteStr=0xbac1a8, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="migwiz", lpUsedDefaultChar=0x0) returned 6 [0023.589] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x39, lpName=0xbab970, cchName=0x104 | out: lpName="MMC") returned 0x0 [0023.589] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mmc", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0023.589] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mmc", cchWideChar=3, lpMultiByteStr=0xbac160, cbMultiByte=3, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mmc", lpUsedDefaultChar=0x0) returned 3 [0023.590] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x3a, lpName=0xbab970, cchName=0x104 | out: lpName="Mobile") returned 0x0 [0023.590] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mobile", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0023.590] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mobile", cchWideChar=6, lpMultiByteStr=0xbac1a8, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mobile", lpUsedDefaultChar=0x0) returned 6 [0023.590] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x3b, lpName=0xbab970, cchName=0x104 | out: lpName="MSBuild") returned 0x0 [0023.590] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="msbuild", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0023.590] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="msbuild", cchWideChar=7, lpMultiByteStr=0xbac160, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msbuild", lpUsedDefaultChar=0x0) returned 7 [0023.590] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x3c, lpName=0xbab970, cchName=0x104 | out: lpName="MSDE") returned 0x0 [0023.590] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="msde", cchWideChar=4, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 4 [0023.590] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="msde", cchWideChar=4, lpMultiByteStr=0xbac1a8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msde", lpUsedDefaultChar=0x0) returned 4 [0023.590] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x3d, lpName=0xbab970, cchName=0x104 | out: lpName="MSDTC") returned 0x0 [0023.590] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="msdtc", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0023.590] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="msdtc", cchWideChar=5, lpMultiByteStr=0xbac160, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msdtc", lpUsedDefaultChar=0x0) returned 5 [0023.590] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x3e, lpName=0xbab970, cchName=0x104 | out: lpName="MSF") returned 0x0 [0023.590] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="msf", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0023.590] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="msf", cchWideChar=3, lpMultiByteStr=0xbac1a8, cbMultiByte=3, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msf", lpUsedDefaultChar=0x0) returned 3 [0023.590] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x3f, lpName=0xbab970, cchName=0x104 | out: lpName="MSLicensing") returned 0x0 [0023.591] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mslicensing", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0023.591] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mslicensing", cchWideChar=11, lpMultiByteStr=0xbac160, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mslicensing", lpUsedDefaultChar=0x0) returned 11 [0023.591] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x40, lpName=0xbab970, cchName=0x104 | out: lpName="MSMQ") returned 0x0 [0023.591] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="msmq", cchWideChar=4, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 4 [0023.591] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="msmq", cchWideChar=4, lpMultiByteStr=0xbac1a8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msmq", lpUsedDefaultChar=0x0) returned 4 [0023.591] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x41, lpName=0xbab970, cchName=0x104 | out: lpName="MSN Apps") returned 0x0 [0023.591] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="msn apps", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0023.591] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="msn apps", cchWideChar=8, lpMultiByteStr=0xbac160, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msn apps", lpUsedDefaultChar=0x0) returned 8 [0023.591] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x42, lpName=0xbab970, cchName=0x104 | out: lpName="MSOSOAP") returned 0x0 [0023.591] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="msosoap", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0023.591] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="msosoap", cchWideChar=7, lpMultiByteStr=0xbac1a8, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msosoap", lpUsedDefaultChar=0x0) returned 7 [0023.591] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x43, lpName=0xbab970, cchName=0x104 | out: lpName="MSSearch36") returned 0x0 [0023.591] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mssearch36", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0023.591] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mssearch36", cchWideChar=10, lpMultiByteStr=0xbac160, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mssearch36", lpUsedDefaultChar=0x0) returned 10 [0023.591] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x44, lpName=0xbab970, cchName=0x104 | out: lpName="MSSQLServer") returned 0x0 [0023.591] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mssqlserver", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0023.591] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mssqlserver", cchWideChar=11, lpMultiByteStr=0xbac1a8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mssqlserver", lpUsedDefaultChar=0x0) returned 11 [0023.592] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x45, lpName=0xbab970, cchName=0x104 | out: lpName="Multimedia") returned 0x0 [0023.592] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="multimedia", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0023.592] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="multimedia", cchWideChar=10, lpMultiByteStr=0xbac160, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="multimedia", lpUsedDefaultChar=0x0) returned 10 [0023.592] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x46, lpName=0xbab970, cchName=0x104 | out: lpName="NapServer") returned 0x0 [0023.592] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="napserver", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0023.592] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="napserver", cchWideChar=9, lpMultiByteStr=0xbac1a8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="napserver", lpUsedDefaultChar=0x0) returned 9 [0023.592] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x47, lpName=0xbab970, cchName=0x104 | out: lpName="NET Framework Setup") returned 0x0 [0023.592] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="net framework setup", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0023.592] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="net framework setup", cchWideChar=19, lpMultiByteStr=0xbac160, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="net framework setup", lpUsedDefaultChar=0x0) returned 19 [0023.592] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x48, lpName=0xbab970, cchName=0x104 | out: lpName="NetSh") returned 0x0 [0023.592] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="netsh", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0023.592] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="netsh", cchWideChar=5, lpMultiByteStr=0xbac1a8, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="netsh", lpUsedDefaultChar=0x0) returned 5 [0023.592] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x49, lpName=0xbab970, cchName=0x104 | out: lpName="Network") returned 0x0 [0023.592] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="network", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0023.592] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="network", cchWideChar=7, lpMultiByteStr=0xbac160, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="network", lpUsedDefaultChar=0x0) returned 7 [0023.592] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x4a, lpName=0xbab970, cchName=0x104 | out: lpName="NetworkAccessProtection") returned 0x0 [0023.592] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="networkaccessprotection", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0023.592] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="networkaccessprotection", cchWideChar=23, lpMultiByteStr=0xbac1a8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="networkaccessprotection", lpUsedDefaultChar=0x0) returned 23 [0023.592] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x4b, lpName=0xbab970, cchName=0x104 | out: lpName="Non-Driver Signing") returned 0x0 [0023.592] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="non-driver signing", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0023.592] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="non-driver signing", cchWideChar=18, lpMultiByteStr=0xbac160, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="non-driver signing", lpUsedDefaultChar=0x0) returned 18 [0023.592] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x4c, lpName=0xbab970, cchName=0x104 | out: lpName="Notepad") returned 0x0 [0023.593] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="notepad", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0023.593] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="notepad", cchWideChar=7, lpMultiByteStr=0xbac1a8, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="notepad", lpUsedDefaultChar=0x0) returned 7 [0023.593] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x4d, lpName=0xbab970, cchName=0x104 | out: lpName="ODBC") returned 0x0 [0023.593] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="odbc", cchWideChar=4, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 4 [0023.593] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="odbc", cchWideChar=4, lpMultiByteStr=0xbac160, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="odbc", lpUsedDefaultChar=0x0) returned 4 [0023.593] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x4e, lpName=0xbab970, cchName=0x104 | out: lpName="Office") returned 0x0 [0023.593] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="office", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0023.593] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="office", cchWideChar=6, lpMultiByteStr=0xbac1a8, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="office", lpUsedDefaultChar=0x0) returned 6 [0023.593] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x4f, lpName=0xbab970, cchName=0x104 | out: lpName="OfficeSoftwareProtectionPlatform") returned 0x0 [0023.593] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="officesoftwareprotectionplatform", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0023.593] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="officesoftwareprotectionplatform", cchWideChar=32, lpMultiByteStr=0xbac160, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="officesoftwareprotectionplatform", lpUsedDefaultChar=0x0) returned 32 [0023.593] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x50, lpName=0xbab970, cchName=0x104 | out: lpName="Ole") returned 0x0 [0023.593] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ole", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0023.593] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ole", cchWideChar=3, lpMultiByteStr=0xbac1a8, cbMultiByte=3, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ole", lpUsedDefaultChar=0x0) returned 3 [0023.593] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x51, lpName=0xbab970, cchName=0x104 | out: lpName="Outlook Express") returned 0x0 [0023.593] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="outlook express", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0023.593] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="outlook express", cchWideChar=15, lpMultiByteStr=0xbac160, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="outlook express", lpUsedDefaultChar=0x0) returned 15 [0023.593] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x52, lpName=0xbab970, cchName=0x104 | out: lpName="PLA") returned 0x0 [0023.593] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="pla", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0023.593] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="pla", cchWideChar=3, lpMultiByteStr=0xbac1a8, cbMultiByte=3, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="pla", lpUsedDefaultChar=0x0) returned 3 [0023.593] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x53, lpName=0xbab970, cchName=0x104 | out: lpName="PowerShell") returned 0x0 [0023.593] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="powershell", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0023.593] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="powershell", cchWideChar=10, lpMultiByteStr=0xbac160, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="powershell", lpUsedDefaultChar=0x0) returned 10 [0023.593] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x54, lpName=0xbab970, cchName=0x104 | out: lpName="Print") returned 0x0 [0023.593] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="print", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0023.593] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="print", cchWideChar=5, lpMultiByteStr=0xbac1a8, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="print", lpUsedDefaultChar=0x0) returned 5 [0023.593] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x55, lpName=0xbab970, cchName=0x104 | out: lpName="RADAR") returned 0x0 [0023.593] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="radar", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0023.593] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="radar", cchWideChar=5, lpMultiByteStr=0xbac160, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="radar", lpUsedDefaultChar=0x0) returned 5 [0023.594] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x56, lpName=0xbab970, cchName=0x104 | out: lpName="Ras") returned 0x0 [0023.594] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ras", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0023.594] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ras", cchWideChar=3, lpMultiByteStr=0xbac1a8, cbMultiByte=3, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ras", lpUsedDefaultChar=0x0) returned 3 [0023.594] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x57, lpName=0xbab970, cchName=0x104 | out: lpName="RAS AutoDial") returned 0x0 [0023.594] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ras autodial", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0023.594] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ras autodial", cchWideChar=12, lpMultiByteStr=0xbac160, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ras autodial", lpUsedDefaultChar=0x0) returned 12 [0023.594] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x58, lpName=0xbab970, cchName=0x104 | out: lpName="Reliability Analysis") returned 0x0 [0023.594] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="reliability analysis", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0023.594] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="reliability analysis", cchWideChar=20, lpMultiByteStr=0xbac1a8, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="reliability analysis", lpUsedDefaultChar=0x0) returned 20 [0023.594] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x59, lpName=0xbab970, cchName=0x104 | out: lpName="RemovalTools") returned 0x0 [0023.594] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="removaltools", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0023.594] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="removaltools", cchWideChar=12, lpMultiByteStr=0xbac160, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="removaltools", lpUsedDefaultChar=0x0) returned 12 [0023.594] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x5a, lpName=0xbab970, cchName=0x104 | out: lpName="RendezvousApps") returned 0x0 [0023.594] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="rendezvousapps", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0023.594] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="rendezvousapps", cchWideChar=14, lpMultiByteStr=0xbac1a8, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="rendezvousapps", lpUsedDefaultChar=0x0) returned 14 [0023.594] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x5b, lpName=0xbab970, cchName=0x104 | out: lpName="Router") returned 0x0 [0023.594] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="router", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0023.594] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="router", cchWideChar=6, lpMultiByteStr=0xbac160, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="router", lpUsedDefaultChar=0x0) returned 6 [0023.594] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x5c, lpName=0xbab970, cchName=0x104 | out: lpName="Rpc") returned 0x0 [0023.594] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="rpc", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0023.594] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="rpc", cchWideChar=3, lpMultiByteStr=0xbac1a8, cbMultiByte=3, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="rpc", lpUsedDefaultChar=0x0) returned 3 [0023.594] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x5d, lpName=0xbab970, cchName=0x104 | out: lpName="SchedulingAgent") returned 0x0 [0023.594] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="schedulingagent", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0023.594] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="schedulingagent", cchWideChar=15, lpMultiByteStr=0xbac160, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="schedulingagent", lpUsedDefaultChar=0x0) returned 15 [0023.594] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x5e, lpName=0xbab970, cchName=0x104 | out: lpName="Schema Library") returned 0x0 [0023.594] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="schema library", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0023.595] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="schema library", cchWideChar=14, lpMultiByteStr=0xbac1a8, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="schema library", lpUsedDefaultChar=0x0) returned 14 [0023.595] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x5f, lpName=0xbab970, cchName=0x104 | out: lpName="Security Center") returned 0x0 [0023.595] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="security center", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0023.595] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="security center", cchWideChar=15, lpMultiByteStr=0xbac160, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="security center", lpUsedDefaultChar=0x0) returned 15 [0023.595] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x60, lpName=0xbab970, cchName=0x104 | out: lpName="Sensors") returned 0x0 [0023.595] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="sensors", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0023.595] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="sensors", cchWideChar=7, lpMultiByteStr=0xbac1a8, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="sensors", lpUsedDefaultChar=0x0) returned 7 [0023.595] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x61, lpName=0xbab970, cchName=0x104 | out: lpName="Shared") returned 0x0 [0023.595] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="shared", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0023.595] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="shared", cchWideChar=6, lpMultiByteStr=0xbac160, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="shared", lpUsedDefaultChar=0x0) returned 6 [0023.595] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x62, lpName=0xbab970, cchName=0x104 | out: lpName="Shared Tools") returned 0x0 [0023.595] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="shared tools", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0023.595] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="shared tools", cchWideChar=12, lpMultiByteStr=0xbac1a8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="shared tools", lpUsedDefaultChar=0x0) returned 12 [0023.595] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x63, lpName=0xbab970, cchName=0x104 | out: lpName="Shared Tools Location") returned 0x0 [0023.595] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="shared tools location", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0023.595] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="shared tools location", cchWideChar=21, lpMultiByteStr=0xbac160, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="shared tools location", lpUsedDefaultChar=0x0) returned 21 [0023.595] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x64, lpName=0xbab970, cchName=0x104 | out: lpName="SideShow") returned 0x0 [0023.595] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="sideshow", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0023.595] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="sideshow", cchWideChar=8, lpMultiByteStr=0xbac1a8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="sideshow", lpUsedDefaultChar=0x0) returned 8 [0023.595] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x65, lpName=0xbab970, cchName=0x104 | out: lpName="SnippingTool") returned 0x0 [0023.595] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="snippingtool", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0023.595] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="snippingtool", cchWideChar=12, lpMultiByteStr=0xbac160, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="snippingtool", lpUsedDefaultChar=0x0) returned 12 [0023.596] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x66, lpName=0xbab970, cchName=0x104 | out: lpName="Software") returned 0x0 [0023.596] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="software", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0023.596] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="software", cchWideChar=8, lpMultiByteStr=0xbac1a8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="software", lpUsedDefaultChar=0x0) returned 8 [0023.596] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x67, lpName=0xbab970, cchName=0x104 | out: lpName="Speech") returned 0x0 [0023.596] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="speech", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0023.596] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="speech", cchWideChar=6, lpMultiByteStr=0xbac160, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="speech", lpUsedDefaultChar=0x0) returned 6 [0023.596] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x68, lpName=0xbab970, cchName=0x104 | out: lpName="SQMClient") returned 0x0 [0023.596] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="sqmclient", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0023.596] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="sqmclient", cchWideChar=9, lpMultiByteStr=0xbac1a8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="sqmclient", lpUsedDefaultChar=0x0) returned 9 [0023.596] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x69, lpName=0xbab970, cchName=0x104 | out: lpName="Sync Framework") returned 0x0 [0023.596] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="sync framework", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0023.596] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="sync framework", cchWideChar=14, lpMultiByteStr=0xbac160, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="sync framework", lpUsedDefaultChar=0x0) returned 14 [0023.596] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x6a, lpName=0xbab970, cchName=0x104 | out: lpName="Sysprep") returned 0x0 [0023.596] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="sysprep", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0023.596] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="sysprep", cchWideChar=7, lpMultiByteStr=0xbac1a8, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="sysprep", lpUsedDefaultChar=0x0) returned 7 [0023.596] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x6b, lpName=0xbab970, cchName=0x104 | out: lpName="SystemCertificates") returned 0x0 [0023.596] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="systemcertificates", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0023.596] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="systemcertificates", cchWideChar=18, lpMultiByteStr=0xbac160, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="systemcertificates", lpUsedDefaultChar=0x0) returned 18 [0023.596] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x6c, lpName=0xbab970, cchName=0x104 | out: lpName="TableTextService") returned 0x0 [0023.596] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="tabletextservice", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0023.596] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="tabletextservice", cchWideChar=16, lpMultiByteStr=0xbac1a8, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tabletextservice", lpUsedDefaultChar=0x0) returned 16 [0023.596] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x6d, lpName=0xbab970, cchName=0x104 | out: lpName="TabletTip") returned 0x0 [0023.596] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="tablettip", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0023.596] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="tablettip", cchWideChar=9, lpMultiByteStr=0xbac160, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tablettip", lpUsedDefaultChar=0x0) returned 9 [0023.596] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x6e, lpName=0xbab970, cchName=0x104 | out: lpName="Tcpip") returned 0x0 [0023.596] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="tcpip", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0023.596] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="tcpip", cchWideChar=5, lpMultiByteStr=0xbac1a8, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tcpip", lpUsedDefaultChar=0x0) returned 5 [0023.596] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x6f, lpName=0xbab970, cchName=0x104 | out: lpName="Terminal Server Client") returned 0x0 [0023.596] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="terminal server client", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0023.597] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="terminal server client", cchWideChar=22, lpMultiByteStr=0xbac160, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="terminal server client", lpUsedDefaultChar=0x0) returned 22 [0023.597] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x70, lpName=0xbab970, cchName=0x104 | out: lpName="TermServLicensing") returned 0x0 [0023.597] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="termservlicensing", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0023.597] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="termservlicensing", cchWideChar=17, lpMultiByteStr=0xbac1a8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="termservlicensing", lpUsedDefaultChar=0x0) returned 17 [0023.597] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x71, lpName=0xbab970, cchName=0x104 | out: lpName="TIP Shared") returned 0x0 [0023.597] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="tip shared", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0023.597] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="tip shared", cchWideChar=10, lpMultiByteStr=0xbac160, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tip shared", lpUsedDefaultChar=0x0) returned 10 [0023.597] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x72, lpName=0xbab970, cchName=0x104 | out: lpName="TPG") returned 0x0 [0023.597] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="tpg", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0023.597] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="tpg", cchWideChar=3, lpMultiByteStr=0xbac1a8, cbMultiByte=3, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tpg", lpUsedDefaultChar=0x0) returned 3 [0023.597] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x73, lpName=0xbab970, cchName=0x104 | out: lpName="Tpm") returned 0x0 [0023.597] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="tpm", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0023.597] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="tpm", cchWideChar=3, lpMultiByteStr=0xbac160, cbMultiByte=3, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tpm", lpUsedDefaultChar=0x0) returned 3 [0023.597] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x74, lpName=0xbab970, cchName=0x104 | out: lpName="Tracing") returned 0x0 [0023.597] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="tracing", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0023.597] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="tracing", cchWideChar=7, lpMultiByteStr=0xbac1a8, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tracing", lpUsedDefaultChar=0x0) returned 7 [0023.597] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x75, lpName=0xbab970, cchName=0x104 | out: lpName="Transaction Server") returned 0x0 [0023.597] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="transaction server", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0023.597] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="transaction server", cchWideChar=18, lpMultiByteStr=0xbac160, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="transaction server", lpUsedDefaultChar=0x0) returned 18 [0023.597] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x76, lpName=0xbab970, cchName=0x104 | out: lpName="TV System Services") returned 0x0 [0023.597] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="tv system services", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0023.597] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="tv system services", cchWideChar=18, lpMultiByteStr=0xbac1a8, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tv system services", lpUsedDefaultChar=0x0) returned 18 [0023.597] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x77, lpName=0xbab970, cchName=0x104 | out: lpName="uDRM") returned 0x0 [0023.597] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="udrm", cchWideChar=4, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 4 [0023.597] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="udrm", cchWideChar=4, lpMultiByteStr=0xbac160, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="udrm", lpUsedDefaultChar=0x0) returned 4 [0023.597] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x78, lpName=0xbab970, cchName=0x104 | out: lpName="Updates") returned 0x0 [0023.597] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="updates", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0023.597] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="updates", cchWideChar=7, lpMultiByteStr=0xbac1a8, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="updates", lpUsedDefaultChar=0x0) returned 7 [0023.597] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x79, lpName=0xbab970, cchName=0x104 | out: lpName="UPnP Device Host") returned 0x0 [0023.598] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="upnp device host", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0023.598] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="upnp device host", cchWideChar=16, lpMultiByteStr=0xbac160, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="upnp device host", lpUsedDefaultChar=0x0) returned 16 [0023.598] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x7a, lpName=0xbab970, cchName=0x104 | out: lpName="VBA") returned 0x0 [0023.598] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="vba", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0023.598] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="vba", cchWideChar=3, lpMultiByteStr=0xbac1a8, cbMultiByte=3, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="vba", lpUsedDefaultChar=0x0) returned 3 [0023.598] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x7b, lpName=0xbab970, cchName=0x104 | out: lpName="Virtual Machine") returned 0x0 [0023.598] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="virtual machine", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0023.598] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="virtual machine", cchWideChar=15, lpMultiByteStr=0xbac160, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="virtual machine", lpUsedDefaultChar=0x0) returned 15 [0023.598] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x7c, lpName=0xbab970, cchName=0x104 | out: lpName="VisualStudio") returned 0x0 [0023.598] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="visualstudio", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0023.598] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="visualstudio", cchWideChar=12, lpMultiByteStr=0xbac1a8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="visualstudio", lpUsedDefaultChar=0x0) returned 12 [0023.598] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x7d, lpName=0xbab970, cchName=0x104 | out: lpName="WAB") returned 0x0 [0023.598] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="wab", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0023.598] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="wab", cchWideChar=3, lpMultiByteStr=0xbac160, cbMultiByte=3, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="wab", lpUsedDefaultChar=0x0) returned 3 [0023.598] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x7e, lpName=0xbab970, cchName=0x104 | out: lpName="WBEM") returned 0x0 [0023.598] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="wbem", cchWideChar=4, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 4 [0023.598] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="wbem", cchWideChar=4, lpMultiByteStr=0xbac1a8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="wbem", lpUsedDefaultChar=0x0) returned 4 [0023.598] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x7f, lpName=0xbab970, cchName=0x104 | out: lpName="WIMMount") returned 0x0 [0023.598] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="wimmount", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0023.598] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="wimmount", cchWideChar=8, lpMultiByteStr=0xbac160, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="wimmount", lpUsedDefaultChar=0x0) returned 8 [0023.598] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x80, lpName=0xbab970, cchName=0x104 | out: lpName="Windows") returned 0x0 [0023.598] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="windows", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0023.598] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="windows", cchWideChar=7, lpMultiByteStr=0xbac1a8, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="windows", lpUsedDefaultChar=0x0) returned 7 [0023.598] RegOpenKeyExW (in: hKey=0x3c, lpSubKey="Windows", ulOptions=0x0, samDesired=0x20109, phkResult=0x3af8ec | out: phkResult=0x3af8ec*=0xbc) returned 0x0 [0023.598] RegCloseKey (hKey=0x3c) returned 0x0 [0023.598] RegEnumKeyW (in: hKey=0xbc, dwIndex=0x0, lpName=0xbab970, cchName=0x104 | out: lpName="CurrentVersion") returned 0x0 [0023.598] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="currentversion", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0023.598] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="currentversion", cchWideChar=14, lpMultiByteStr=0xbac160, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="currentversion", lpUsedDefaultChar=0x0) returned 14 [0023.599] RegOpenKeyExW (in: hKey=0xbc, lpSubKey="CurrentVersion", ulOptions=0x0, samDesired=0x20109, phkResult=0x3af8ec | out: phkResult=0x3af8ec*=0x3c) returned 0x0 [0023.599] RegCloseKey (hKey=0xbc) returned 0x0 [0023.599] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x0, lpName=0xbab970, cchName=0x104 | out: lpName="App Management") returned 0x0 [0023.599] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="app management", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0023.599] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="app management", cchWideChar=14, lpMultiByteStr=0xbac1a8, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="app management", lpUsedDefaultChar=0x0) returned 14 [0023.599] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x1, lpName=0xbab970, cchName=0x104 | out: lpName="App Paths") returned 0x0 [0023.599] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="app paths", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0023.599] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="app paths", cchWideChar=9, lpMultiByteStr=0xbac160, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="app paths", lpUsedDefaultChar=0x0) returned 9 [0023.599] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x2, lpName=0xbab970, cchName=0x104 | out: lpName="Applets") returned 0x0 [0023.599] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="applets", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0023.599] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="applets", cchWideChar=7, lpMultiByteStr=0xbac1a8, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="applets", lpUsedDefaultChar=0x0) returned 7 [0023.599] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x3, lpName=0xbab970, cchName=0x104 | out: lpName="Audio") returned 0x0 [0023.599] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="audio", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0023.599] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="audio", cchWideChar=5, lpMultiByteStr=0xbac160, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="audio", lpUsedDefaultChar=0x0) returned 5 [0023.599] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x4, lpName=0xbab970, cchName=0x104 | out: lpName="Authentication") returned 0x0 [0023.599] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="authentication", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0023.599] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="authentication", cchWideChar=14, lpMultiByteStr=0xbac1a8, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="authentication", lpUsedDefaultChar=0x0) returned 14 [0023.599] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x5, lpName=0xbab970, cchName=0x104 | out: lpName="BitLocker") returned 0x0 [0023.599] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="bitlocker", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0023.599] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="bitlocker", cchWideChar=9, lpMultiByteStr=0xbac160, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bitlocker", lpUsedDefaultChar=0x0) returned 9 [0023.599] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x6, lpName=0xbab970, cchName=0x104 | out: lpName="BITS") returned 0x0 [0023.599] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="bits", cchWideChar=4, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 4 [0023.599] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="bits", cchWideChar=4, lpMultiByteStr=0xbac1a8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bits", lpUsedDefaultChar=0x0) returned 4 [0023.599] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x7, lpName=0xbab970, cchName=0x104 | out: lpName="Component Based Servicing") returned 0x0 [0023.599] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="component based servicing", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0023.599] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="component based servicing", cchWideChar=25, lpMultiByteStr=0xbac160, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="component based servicing", lpUsedDefaultChar=0x0) returned 25 [0023.599] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x8, lpName=0xbab970, cchName=0x104 | out: lpName="Control Panel") returned 0x0 [0023.600] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="control panel", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0023.600] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="control panel", cchWideChar=13, lpMultiByteStr=0xbac1a8, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="control panel", lpUsedDefaultChar=0x0) returned 13 [0023.600] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x9, lpName=0xbab970, cchName=0x104 | out: lpName="Controls Folder") returned 0x0 [0023.600] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="controls folder", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0023.600] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="controls folder", cchWideChar=15, lpMultiByteStr=0xbac160, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="controls folder", lpUsedDefaultChar=0x0) returned 15 [0023.600] RegEnumKeyW (in: hKey=0x3c, dwIndex=0xa, lpName=0xbab970, cchName=0x104 | out: lpName="DateTime") returned 0x0 [0023.600] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="datetime", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0023.600] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="datetime", cchWideChar=8, lpMultiByteStr=0xbac1a8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="datetime", lpUsedDefaultChar=0x0) returned 8 [0023.600] RegEnumKeyW (in: hKey=0x3c, dwIndex=0xb, lpName=0xbab970, cchName=0x104 | out: lpName="Device Installer") returned 0x0 [0023.600] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="device installer", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0023.600] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="device installer", cchWideChar=16, lpMultiByteStr=0xbac160, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="device installer", lpUsedDefaultChar=0x0) returned 16 [0023.600] RegEnumKeyW (in: hKey=0x3c, dwIndex=0xc, lpName=0xbab970, cchName=0x104 | out: lpName="Device Metadata") returned 0x0 [0023.600] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="device metadata", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0023.600] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="device metadata", cchWideChar=15, lpMultiByteStr=0xbac1a8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="device metadata", lpUsedDefaultChar=0x0) returned 15 [0023.600] RegEnumKeyW (in: hKey=0x3c, dwIndex=0xd, lpName=0xbab970, cchName=0x104 | out: lpName="Diagnostics") returned 0x0 [0023.600] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="diagnostics", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0023.600] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="diagnostics", cchWideChar=11, lpMultiByteStr=0xbac160, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="diagnostics", lpUsedDefaultChar=0x0) returned 11 [0023.600] RegEnumKeyW (in: hKey=0x3c, dwIndex=0xe, lpName=0xbab970, cchName=0x104 | out: lpName="DriverSearching") returned 0x0 [0023.600] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="driversearching", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0023.600] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="driversearching", cchWideChar=15, lpMultiByteStr=0xbac1a8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="driversearching", lpUsedDefaultChar=0x0) returned 15 [0023.600] RegEnumKeyW (in: hKey=0x3c, dwIndex=0xf, lpName=0xbab970, cchName=0x104 | out: lpName="EventCollector") returned 0x0 [0023.600] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="eventcollector", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0023.600] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="eventcollector", cchWideChar=14, lpMultiByteStr=0xbac160, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="eventcollector", lpUsedDefaultChar=0x0) returned 14 [0023.600] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x10, lpName=0xbab970, cchName=0x104 | out: lpName="EventForwarding") returned 0x0 [0023.600] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="eventforwarding", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0023.600] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="eventforwarding", cchWideChar=15, lpMultiByteStr=0xbac1a8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="eventforwarding", lpUsedDefaultChar=0x0) returned 15 [0023.600] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x11, lpName=0xbab970, cchName=0x104 | out: lpName="Explorer") returned 0x0 [0023.600] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="explorer", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0023.600] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="explorer", cchWideChar=8, lpMultiByteStr=0xbac160, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="explorer", lpUsedDefaultChar=0x0) returned 8 [0023.601] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x12, lpName=0xbab970, cchName=0x104 | out: lpName="Ext") returned 0x0 [0023.601] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ext", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0023.601] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ext", cchWideChar=3, lpMultiByteStr=0xbac1a8, cbMultiByte=3, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ext", lpUsedDefaultChar=0x0) returned 3 [0023.601] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x13, lpName=0xbab970, cchName=0x104 | out: lpName="GameUX") returned 0x0 [0023.601] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="gameux", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0023.601] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="gameux", cchWideChar=6, lpMultiByteStr=0xbac160, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="gameux", lpUsedDefaultChar=0x0) returned 6 [0023.601] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x14, lpName=0xbab970, cchName=0x104 | out: lpName="Group Policy") returned 0x0 [0023.601] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="group policy", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0023.601] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="group policy", cchWideChar=12, lpMultiByteStr=0xbac1a8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="group policy", lpUsedDefaultChar=0x0) returned 12 [0023.601] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x15, lpName=0xbab970, cchName=0x104 | out: lpName="Hints") returned 0x0 [0023.601] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="hints", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0023.601] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="hints", cchWideChar=5, lpMultiByteStr=0xbac160, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="hints", lpUsedDefaultChar=0x0) returned 5 [0023.601] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x16, lpName=0xbab970, cchName=0x104 | out: lpName="HomeGroup") returned 0x0 [0023.601] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="homegroup", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0023.601] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="homegroup", cchWideChar=9, lpMultiByteStr=0xbac1a8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="homegroup", lpUsedDefaultChar=0x0) returned 9 [0023.601] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x17, lpName=0xbab970, cchName=0x104 | out: lpName="HotStart") returned 0x0 [0023.601] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="hotstart", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0023.601] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="hotstart", cchWideChar=8, lpMultiByteStr=0xbac160, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="hotstart", lpUsedDefaultChar=0x0) returned 8 [0023.601] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x18, lpName=0xbab970, cchName=0x104 | out: lpName="IME") returned 0x0 [0023.601] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ime", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0023.601] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ime", cchWideChar=3, lpMultiByteStr=0xbac1a8, cbMultiByte=3, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ime", lpUsedDefaultChar=0x0) returned 3 [0023.601] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x19, lpName=0xbab970, cchName=0x104 | out: lpName="Installer") returned 0x0 [0023.601] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="installer", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0023.601] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="installer", cchWideChar=9, lpMultiByteStr=0xbac160, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="installer", lpUsedDefaultChar=0x0) returned 9 [0023.601] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x1a, lpName=0xbab970, cchName=0x104 | out: lpName="Internet Settings") returned 0x0 [0023.601] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="internet settings", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0023.601] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="internet settings", cchWideChar=17, lpMultiByteStr=0xbac1a8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="internet settings", lpUsedDefaultChar=0x0) returned 17 [0023.601] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x1b, lpName=0xbab970, cchName=0x104 | out: lpName="MCT") returned 0x0 [0023.602] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mct", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0023.602] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mct", cchWideChar=3, lpMultiByteStr=0xbac160, cbMultiByte=3, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mct", lpUsedDefaultChar=0x0) returned 3 [0023.602] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x1c, lpName=0xbab970, cchName=0x104 | out: lpName="Media Center") returned 0x0 [0023.602] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="media center", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0023.602] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="media center", cchWideChar=12, lpMultiByteStr=0xbac1a8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="media center", lpUsedDefaultChar=0x0) returned 12 [0023.602] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x1d, lpName=0xbab970, cchName=0x104 | out: lpName="MMDevices") returned 0x0 [0023.602] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mmdevices", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0023.602] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mmdevices", cchWideChar=9, lpMultiByteStr=0xbac160, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mmdevices", lpUsedDefaultChar=0x0) returned 9 [0023.602] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x1e, lpName=0xbab970, cchName=0x104 | out: lpName="MSSHA") returned 0x0 [0023.602] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mssha", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0023.602] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mssha", cchWideChar=5, lpMultiByteStr=0xbac1a8, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mssha", lpUsedDefaultChar=0x0) returned 5 [0023.602] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x1f, lpName=0xbab970, cchName=0x104 | out: lpName="NetCache") returned 0x0 [0023.602] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="netcache", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0023.602] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="netcache", cchWideChar=8, lpMultiByteStr=0xbac160, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="netcache", lpUsedDefaultChar=0x0) returned 8 [0023.602] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x20, lpName=0xbab970, cchName=0x104 | out: lpName="OEMInformation") returned 0x0 [0023.602] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="oeminformation", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0023.602] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="oeminformation", cchWideChar=14, lpMultiByteStr=0xbac1a8, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="oeminformation", lpUsedDefaultChar=0x0) returned 14 [0023.602] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x21, lpName=0xbab970, cchName=0x104 | out: lpName="OOBE") returned 0x0 [0023.602] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="oobe", cchWideChar=4, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 4 [0023.602] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="oobe", cchWideChar=4, lpMultiByteStr=0xbac160, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="oobe", lpUsedDefaultChar=0x0) returned 4 [0023.602] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x22, lpName=0xbab970, cchName=0x104 | out: lpName="OptimalLayout") returned 0x0 [0023.602] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="optimallayout", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0023.602] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="optimallayout", cchWideChar=13, lpMultiByteStr=0xbac1a8, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="optimallayout", lpUsedDefaultChar=0x0) returned 13 [0023.602] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x23, lpName=0xbab970, cchName=0x104 | out: lpName="Parental Controls") returned 0x0 [0023.602] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="parental controls", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0023.602] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="parental controls", cchWideChar=17, lpMultiByteStr=0xbac160, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="parental controls", lpUsedDefaultChar=0x0) returned 17 [0023.602] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x24, lpName=0xbab970, cchName=0x104 | out: lpName="Personalization") returned 0x0 [0023.602] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="personalization", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0023.602] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="personalization", cchWideChar=15, lpMultiByteStr=0xbac1a8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="personalization", lpUsedDefaultChar=0x0) returned 15 [0023.603] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x25, lpName=0xbab970, cchName=0x104 | out: lpName="PhotoPropertyHandler") returned 0x0 [0023.603] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="photopropertyhandler", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0023.603] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="photopropertyhandler", cchWideChar=20, lpMultiByteStr=0xbac160, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="photopropertyhandler", lpUsedDefaultChar=0x0) returned 20 [0023.603] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x26, lpName=0xbab970, cchName=0x104 | out: lpName="PnPSysprep") returned 0x0 [0023.603] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="pnpsysprep", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0023.603] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="pnpsysprep", cchWideChar=10, lpMultiByteStr=0xbac1a8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="pnpsysprep", lpUsedDefaultChar=0x0) returned 10 [0023.603] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x27, lpName=0xbab970, cchName=0x104 | out: lpName="Policies") returned 0x0 [0023.603] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="policies", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0023.603] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="policies", cchWideChar=8, lpMultiByteStr=0xbac160, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="policies", lpUsedDefaultChar=0x0) returned 8 [0023.603] RegOpenKeyExW (in: hKey=0x3c, lpSubKey="Policies", ulOptions=0x0, samDesired=0x20109, phkResult=0x3af8ec | out: phkResult=0x3af8ec*=0xbc) returned 0x0 [0023.603] RegCloseKey (hKey=0x3c) returned 0x0 [0023.603] RegEnumKeyW (in: hKey=0xbc, dwIndex=0x0, lpName=0xbab970, cchName=0x104 | out: lpName="ActiveDesktop") returned 0x0 [0023.603] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="activedesktop", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0023.603] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="activedesktop", cchWideChar=13, lpMultiByteStr=0xbac1a8, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="activedesktop", lpUsedDefaultChar=0x0) returned 13 [0023.603] RegEnumKeyW (in: hKey=0xbc, dwIndex=0x1, lpName=0xbab970, cchName=0x104 | out: lpName="Attachments") returned 0x0 [0023.603] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="attachments", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0023.603] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="attachments", cchWideChar=11, lpMultiByteStr=0xbac160, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="attachments", lpUsedDefaultChar=0x0) returned 11 [0023.603] RegEnumKeyW (in: hKey=0xbc, dwIndex=0x2, lpName=0xbab970, cchName=0x104 | out: lpName="Explorer") returned 0x0 [0023.603] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="explorer", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0023.603] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="explorer", cchWideChar=8, lpMultiByteStr=0xbac1a8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="explorer", lpUsedDefaultChar=0x0) returned 8 [0023.603] RegEnumKeyW (in: hKey=0xbc, dwIndex=0x3, lpName=0xbab970, cchName=0x104 | out: lpName="NonEnum") returned 0x0 [0023.603] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="nonenum", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0023.603] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="nonenum", cchWideChar=7, lpMultiByteStr=0xbac160, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="nonenum", lpUsedDefaultChar=0x0) returned 7 [0023.603] RegEnumKeyW (in: hKey=0xbc, dwIndex=0x4, lpName=0xbab970, cchName=0x104 | out: lpName="System") returned 0x0 [0023.603] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="system", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0023.603] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="system", cchWideChar=6, lpMultiByteStr=0xbac1a8, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="system", lpUsedDefaultChar=0x0) returned 6 [0023.603] RegOpenKeyExW (in: hKey=0xbc, lpSubKey="System", ulOptions=0x0, samDesired=0x20109, phkResult=0x3af8ec | out: phkResult=0x3af8ec*=0x3c) returned 0x0 [0023.604] RegCloseKey (hKey=0xbc) returned 0x0 [0023.604] RegEnumValueA (in: hKey=0x3c, dwIndex=0x0, lpValueName=0x3af808, lpcchValueName=0x3af804, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="ConsentPromptBehaviorAdmin", lpcchValueName=0x3af804, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0023.604] RegEnumValueA (in: hKey=0x3c, dwIndex=0x1, lpValueName=0x3af808, lpcchValueName=0x3af804, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="ConsentPromptBehaviorUser", lpcchValueName=0x3af804, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0023.604] RegEnumValueA (in: hKey=0x3c, dwIndex=0x2, lpValueName=0x3af808, lpcchValueName=0x3af804, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="EnableInstallerDetection", lpcchValueName=0x3af804, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0023.604] RegEnumValueA (in: hKey=0x3c, dwIndex=0x3, lpValueName=0x3af808, lpcchValueName=0x3af804, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="EnableLUA", lpcchValueName=0x3af804, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0023.604] RegEnumValueA (in: hKey=0x3c, dwIndex=0x4, lpValueName=0x3af808, lpcchValueName=0x3af804, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="EnableSecureUIAPaths", lpcchValueName=0x3af804, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0023.604] RegEnumValueA (in: hKey=0x3c, dwIndex=0x5, lpValueName=0x3af808, lpcchValueName=0x3af804, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="EnableUIADesktopToggle", lpcchValueName=0x3af804, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0023.604] RegEnumValueA (in: hKey=0x3c, dwIndex=0x6, lpValueName=0x3af808, lpcchValueName=0x3af804, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="EnableVirtualization", lpcchValueName=0x3af804, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0023.604] RegEnumValueA (in: hKey=0x3c, dwIndex=0x7, lpValueName=0x3af808, lpcchValueName=0x3af804, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="PromptOnSecureDesktop", lpcchValueName=0x3af804, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0023.604] RegEnumValueA (in: hKey=0x3c, dwIndex=0x8, lpValueName=0x3af808, lpcchValueName=0x3af804, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="ValidateAdminCodeSignatures", lpcchValueName=0x3af804, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0023.604] RegEnumValueA (in: hKey=0x3c, dwIndex=0x9, lpValueName=0x3af808, lpcchValueName=0x3af804, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="dontdisplaylastusername", lpcchValueName=0x3af804, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0023.604] RegEnumValueA (in: hKey=0x3c, dwIndex=0xa, lpValueName=0x3af808, lpcchValueName=0x3af804, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="legalnoticecaption", lpcchValueName=0x3af804, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0023.604] RegEnumValueA (in: hKey=0x3c, dwIndex=0xb, lpValueName=0x3af808, lpcchValueName=0x3af804, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="legalnoticetext", lpcchValueName=0x3af804, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0023.604] RegEnumValueA (in: hKey=0x3c, dwIndex=0xc, lpValueName=0x3af808, lpcchValueName=0x3af804, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="scforceoption", lpcchValueName=0x3af804, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0023.604] RegEnumValueA (in: hKey=0x3c, dwIndex=0xd, lpValueName=0x3af808, lpcchValueName=0x3af804, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="shutdownwithoutlogon", lpcchValueName=0x3af804, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0023.604] RegEnumValueA (in: hKey=0x3c, dwIndex=0xe, lpValueName=0x3af808, lpcchValueName=0x3af804, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="undockwithoutlogon", lpcchValueName=0x3af804, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0023.604] RegEnumValueA (in: hKey=0x3c, dwIndex=0xf, lpValueName=0x3af808, lpcchValueName=0x3af804, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="FilterAdministratorToken", lpcchValueName=0x3af804, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0023.604] RegEnumValueA (in: hKey=0x3c, dwIndex=0x10, lpValueName=0x3af808, lpcchValueName=0x3af804, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="FilterAdministratorToken", lpcchValueName=0x3af804, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x103 [0023.605] RegQueryValueExA (in: hKey=0x3c, lpValueName="EnableLUA", lpReserved=0x0, lpType=0x3af914, lpData=0x0, lpcbData=0x3af91c*=0x0 | out: lpType=0x3af914*=0x4, lpData=0x0, lpcbData=0x3af91c*=0x4) returned 0x0 [0023.605] RegQueryValueExA (in: hKey=0x3c, lpValueName="EnableLUA", lpReserved=0x0, lpType=0x3af914, lpData=0xbac4c0, lpcbData=0x3af91c*=0x4 | out: lpType=0x3af914*=0x4, lpData=0xbac4c0*=0x1, lpcbData=0x3af91c*=0x4) returned 0x0 [0023.605] RegCloseKey (hKey=0x3c) returned 0x0 [0023.605] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3af990 | out: TokenHandle=0x3af990*=0x3c) returned 1 [0023.605] GetTokenInformation (in: TokenHandle=0x3c, TokenInformationClass=0x14, TokenInformation=0x3af98c, TokenInformationLength=0x4, ReturnLength=0x3af988 | out: TokenInformation=0x3af98c, ReturnLength=0x3af988) returned 1 [0023.605] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3af97c | out: TokenHandle=0x3af97c*=0xbc) returned 1 [0023.605] GetTokenInformation (in: TokenHandle=0xbc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x3af978 | out: TokenInformation=0x0, ReturnLength=0x3af978) returned 0 [0023.605] GetTokenInformation (in: TokenHandle=0xbc, TokenInformationClass=0x19, TokenInformation=0xbac628, TokenInformationLength=0x14, ReturnLength=0x3af978 | out: TokenInformation=0xbac628, ReturnLength=0x3af978) returned 1 [0023.605] GetSidSubAuthorityCount (pSid=0xbac630*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x3000)) returned 0xbac631 [0023.605] GetSidSubAuthority (pSid=0xbac630*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x3000), nSubAuthority=0x0) returned 0xbac638 [0023.605] NtClose (Handle=0xbc) returned 0x0 [0023.605] ConvertStringSecurityDescriptorToSecurityDescriptorW () returned 0x1 [0023.609] GetSecurityDescriptorSacl (in: pSecurityDescriptor=0x499940, lpbSaclPresent=0x3afa38, pSacl=0x3afa90, lpbSaclDefaulted=0x3afa38 | out: lpbSaclPresent=0x3afa38, pSacl=0x3afa90, lpbSaclDefaulted=0x3afa38) returned 1 [0023.609] CreateMutexA (lpMutexAttributes=0x3afa84, bInitialOwner=0, lpName="") returned 0x100 [0023.609] GetLastError () returned 0x0 [0023.609] LocalFree (hMem=0x499940) returned 0x0 [0023.609] CryptAcquireContextW (in: phProv=0x3afab0, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x3afab0*=0x498400) returned 1 [0023.739] ConvertStringSecurityDescriptorToSecurityDescriptorW () returned 0x1 [0023.739] GetSecurityDescriptorSacl (in: pSecurityDescriptor=0x499940, lpbSaclPresent=0x3afa54, pSacl=0x3afab8, lpbSaclDefaulted=0x3afa54 | out: lpbSaclPresent=0x3afa54, pSacl=0x3afab8, lpbSaclDefaulted=0x3afa54) returned 1 [0023.739] CreateEventA (lpEventAttributes=0x3afaac, bManualReset=1, bInitialState=0, lpName="") returned 0x104 [0023.740] GetLastError () returned 0x0 [0023.740] LocalFree (hMem=0x499940) returned 0x0 [0023.740] ConvertStringSecurityDescriptorToSecurityDescriptorW () returned 0x1 [0023.740] GetSecurityDescriptorSacl (in: pSecurityDescriptor=0x499940, lpbSaclPresent=0x3afa54, pSacl=0x3afab8, lpbSaclDefaulted=0x3afa54 | out: lpbSaclPresent=0x3afa54, pSacl=0x3afab8, lpbSaclDefaulted=0x3afa54) returned 1 [0023.740] CreateEventA (lpEventAttributes=0x3afaac, bManualReset=1, bInitialState=0, lpName="") returned 0x108 [0023.740] GetLastError () returned 0x0 [0023.740] LocalFree (hMem=0x499940) returned 0x0 [0023.740] ConvertStringSecurityDescriptorToSecurityDescriptorW () returned 0x1 [0023.741] GetSecurityDescriptorSacl (in: pSecurityDescriptor=0x499940, lpbSaclPresent=0x3afa54, pSacl=0x3afab8, lpbSaclDefaulted=0x3afa54 | out: lpbSaclPresent=0x3afa54, pSacl=0x3afab8, lpbSaclDefaulted=0x3afa54) returned 1 [0023.741] CreateEventA (lpEventAttributes=0x3afaac, bManualReset=1, bInitialState=0, lpName="") returned 0x110 [0023.741] GetLastError () returned 0x0 [0023.741] LocalFree (hMem=0x499940) returned 0x0 [0023.741] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xbac310, cbMultiByte=10, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 10 [0023.741] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xbac310, cbMultiByte=10, lpWideCharStr=0xbabb90, cchWideChar=10 | out: lpWideCharStr="svsho*.exe") returned 10 [0023.741] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xbac280, cbMultiByte=10, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 10 [0023.741] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xbac280, cbMultiByte=10, lpWideCharStr=0xbabc40, cchWideChar=10 | out: lpWideCharStr="schre*.bat") returned 10 [0023.741] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xbac238, cbMultiByte=7, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0023.741] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xbac238, cbMultiByte=7, lpWideCharStr=0xbafe60, cchWideChar=7 | out: lpWideCharStr="V01.lo*") returned 7 [0023.741] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xbac1f0, cbMultiByte=7, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0023.741] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xbac1f0, cbMultiByte=7, lpWideCharStr=0xbafee8, cchWideChar=7 | out: lpWideCharStr="V01.ch*") returned 7 [0023.741] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xbac1a8, cbMultiByte=11, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 11 [0023.741] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xbac1a8, cbMultiByte=11, lpWideCharStr=0x880448, cchWideChar=11 | out: lpWideCharStr="V01res*.jrs") returned 11 [0023.741] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xbac160, cbMultiByte=11, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 11 [0023.741] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xbac160, cbMultiByte=11, lpWideCharStr=0x8804d0, cchWideChar=11 | out: lpWideCharStr="RacWmi*.sdf") returned 11 [0023.741] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xbac2c8, cbMultiByte=11, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 11 [0023.741] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xbac2c8, cbMultiByte=11, lpWideCharStr=0x880558, cchWideChar=11 | out: lpWideCharStr="Web*V01.dat") returned 11 [0023.741] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xbac1a8, cbMultiByte=25, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 25 [0023.741] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xbac1a8, cbMultiByte=25, lpWideCharStr=0x8805e0, cchWideChar=25 | out: lpWideCharStr="System Volume Information") returned 25 [0023.741] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xbac1f0, cbMultiByte=12, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 12 [0023.741] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xbac1f0, cbMultiByte=12, lpWideCharStr=0x880668, cchWideChar=12 | out: lpWideCharStr="$RECYCLE.BIN") returned 12 [0023.741] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xbac238, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0023.741] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xbac238, cbMultiByte=8, lpWideCharStr=0x880818, cchWideChar=8 | out: lpWideCharStr="WebCache") returned 8 [0023.742] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xbac2c8, cbMultiByte=6, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 6 [0023.742] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xbac2c8, cbMultiByte=6, lpWideCharStr=0x8808a0, cchWideChar=6 | out: lpWideCharStr="Caches") returned 6 [0023.742] ExpandEnvironmentStringsA (in: lpSrc="%ProgramData%\\Microsoft\\Windows\\WER\\ReportQueue\\", lpDst=0x882778, nSize=0x2800 | out: lpDst="C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\") returned 0x32 [0023.742] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x882778, cbMultiByte=49, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 49 [0023.742] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x882778, cbMultiByte=49, lpWideCharStr=0x880928, cchWideChar=49 | out: lpWideCharStr="C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\") returned 49 [0023.742] ExpandEnvironmentStringsA (in: lpSrc="%windir%", lpDst=0x882778, nSize=0x2800 | out: lpDst="C:\\Windows") returned 0xb [0023.742] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x882778, cbMultiByte=10, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 10 [0023.742] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x882778, cbMultiByte=10, lpWideCharStr=0x8809b0, cchWideChar=10 | out: lpWideCharStr="C:\\Windows") returned 10 [0023.742] ExpandEnvironmentStringsA (in: lpSrc="%temp%", lpDst=0x882778, nSize=0x2800 | out: lpDst="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned 0x25 [0023.742] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x882778, cbMultiByte=36, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 36 [0023.742] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x882778, cbMultiByte=36, lpWideCharStr=0x880a38, cchWideChar=36 | out: lpWideCharStr="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned 36 [0023.742] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xbac1a8, cbMultiByte=7, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0023.742] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xbac1a8, cbMultiByte=7, lpWideCharStr=0x880ac0, cchWideChar=7 | out: lpWideCharStr=".locked") returned 7 [0023.742] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xbac508, cbMultiByte=11, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 11 [0023.742] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xbac508, cbMultiByte=11, lpWideCharStr=0x880b48, cchWideChar=11 | out: lpWideCharStr=".readme_txt") returned 11 [0023.742] WaitForSingleObject (hHandle=0x100, dwMilliseconds=0xffffffff) returned 0x0 [0023.742] GetSystemWow64DirectoryW (in: lpBuffer=0x887a18, uSize=0x40 | out: lpBuffer="C:\\Windows\\SysWOW64") returned 0x13 [0023.743] FindFirstFileExW (in: lpFileName="C:\\Windows\\SysWOW64\\*.dll", fInfoLevelId=0x1, lpFindFileData=0x3af7e4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3af7e4) returned 0x4998d8 [0023.743] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AACLIENT.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0023.743] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AACLIENT.DLL", cchWideChar=12, lpMultiByteStr=0xbac940, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AACLIENT.DLL", lpUsedDefaultChar=0x0) returned 12 [0023.743] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.748] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ACCESSIBILITYCPL.DLL", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0023.748] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ACCESSIBILITYCPL.DLL", cchWideChar=20, lpMultiByteStr=0xbac988, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ACCESSIBILITYCPL.DLL", lpUsedDefaultChar=0x0) returned 20 [0023.748] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.748] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ACCTRES.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0023.748] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ACCTRES.DLL", cchWideChar=11, lpMultiByteStr=0xbac940, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ACCTRES.DLL", lpUsedDefaultChar=0x0) returned 11 [0023.748] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.748] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ACLEDIT.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0023.748] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ACLEDIT.DLL", cchWideChar=11, lpMultiByteStr=0xbac988, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ACLEDIT.DLL", lpUsedDefaultChar=0x0) returned 11 [0023.748] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.748] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ACLUI.DLL", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0023.749] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ACLUI.DLL", cchWideChar=9, lpMultiByteStr=0xbac940, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ACLUI.DLL", lpUsedDefaultChar=0x0) returned 9 [0023.749] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.749] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ACPPAGE.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0023.749] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ACPPAGE.DLL", cchWideChar=11, lpMultiByteStr=0xbac988, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ACPPAGE.DLL", lpUsedDefaultChar=0x0) returned 11 [0023.749] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.749] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ACTIONCENTER.DLL", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0023.749] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ACTIONCENTER.DLL", cchWideChar=16, lpMultiByteStr=0xbac940, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ACTIONCENTER.DLL", lpUsedDefaultChar=0x0) returned 16 [0023.749] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.749] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ACTIONCENTERCPL.DLL", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0023.749] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ACTIONCENTERCPL.DLL", cchWideChar=19, lpMultiByteStr=0xbac988, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ACTIONCENTERCPL.DLL", lpUsedDefaultChar=0x0) returned 19 [0023.749] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.749] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ACTIVEDS.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0023.749] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ACTIVEDS.DLL", cchWideChar=12, lpMultiByteStr=0xbac940, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ACTIVEDS.DLL", lpUsedDefaultChar=0x0) returned 12 [0023.749] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.749] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ACTXPRXY.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0023.749] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ACTXPRXY.DLL", cchWideChar=12, lpMultiByteStr=0xbac988, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ACTXPRXY.DLL", lpUsedDefaultChar=0x0) returned 12 [0023.749] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.749] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ADMPARSE.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0023.749] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ADMPARSE.DLL", cchWideChar=12, lpMultiByteStr=0xbac940, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ADMPARSE.DLL", lpUsedDefaultChar=0x0) returned 12 [0023.749] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.749] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ADMTMPL.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0023.749] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ADMTMPL.DLL", cchWideChar=11, lpMultiByteStr=0xbac988, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ADMTMPL.DLL", lpUsedDefaultChar=0x0) returned 11 [0023.749] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.749] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ADPROVIDER.DLL", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0023.749] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ADPROVIDER.DLL", cchWideChar=14, lpMultiByteStr=0xbac940, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ADPROVIDER.DLL", lpUsedDefaultChar=0x0) returned 14 [0023.749] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.749] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ADSLDP.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0023.749] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ADSLDP.DLL", cchWideChar=10, lpMultiByteStr=0xbac988, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ADSLDP.DLL", lpUsedDefaultChar=0x0) returned 10 [0023.749] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.749] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ADSLDPC.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0023.749] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ADSLDPC.DLL", cchWideChar=11, lpMultiByteStr=0xbac940, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ADSLDPC.DLL", lpUsedDefaultChar=0x0) returned 11 [0023.749] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.749] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ADSMSEXT.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0023.749] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ADSMSEXT.DLL", cchWideChar=12, lpMultiByteStr=0xbac988, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ADSMSEXT.DLL", lpUsedDefaultChar=0x0) returned 12 [0023.749] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.750] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ADSNT.DLL", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0023.750] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ADSNT.DLL", cchWideChar=9, lpMultiByteStr=0xbac940, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ADSNT.DLL", lpUsedDefaultChar=0x0) returned 9 [0023.750] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.750] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ADTSCHEMA.DLL", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0023.750] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ADTSCHEMA.DLL", cchWideChar=13, lpMultiByteStr=0xbac988, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ADTSCHEMA.DLL", lpUsedDefaultChar=0x0) returned 13 [0023.750] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.750] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ADVAPI32.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0023.750] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ADVAPI32.DLL", cchWideChar=12, lpMultiByteStr=0xbac940, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ADVAPI32.DLL", lpUsedDefaultChar=0x0) returned 12 [0023.750] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.750] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ADVPACK.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0023.750] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ADVPACK.DLL", cchWideChar=11, lpMultiByteStr=0xbac988, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ADVPACK.DLL", lpUsedDefaultChar=0x0) returned 11 [0023.750] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.750] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AECACHE.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0023.750] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AECACHE.DLL", cchWideChar=11, lpMultiByteStr=0xbac940, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AECACHE.DLL", lpUsedDefaultChar=0x0) returned 11 [0023.750] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.750] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AEEVTS.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0023.750] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AEEVTS.DLL", cchWideChar=10, lpMultiByteStr=0xbac988, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AEEVTS.DLL", lpUsedDefaultChar=0x0) returned 10 [0023.750] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.750] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ALTTAB.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0023.750] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ALTTAB.DLL", cchWideChar=10, lpMultiByteStr=0xbac940, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ALTTAB.DLL", lpUsedDefaultChar=0x0) returned 10 [0023.750] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.750] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AMSTREAM.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0023.750] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AMSTREAM.DLL", cchWideChar=12, lpMultiByteStr=0xbac988, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AMSTREAM.DLL", lpUsedDefaultChar=0x0) returned 12 [0023.750] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.750] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AMXREAD.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0023.750] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AMXREAD.DLL", cchWideChar=11, lpMultiByteStr=0xbac940, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AMXREAD.DLL", lpUsedDefaultChar=0x0) returned 11 [0023.750] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.750] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="APDS.DLL", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0023.750] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="APDS.DLL", cchWideChar=8, lpMultiByteStr=0xbac988, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="APDS.DLL", lpUsedDefaultChar=0x0) returned 8 [0023.750] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.750] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-CONSOLE-L1-1-0.DLL", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0023.751] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-CONSOLE-L1-1-0.DLL", cchWideChar=34, lpMultiByteStr=0xbac940, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-CONSOLE-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 34 [0023.751] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.751] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-DATETIME-L1-1-0.DLL", cchWideChar=35, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 35 [0023.751] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-DATETIME-L1-1-0.DLL", cchWideChar=35, lpMultiByteStr=0xbac988, cbMultiByte=35, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-DATETIME-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 35 [0023.751] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.751] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-DEBUG-L1-1-0.DLL", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0023.751] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-DEBUG-L1-1-0.DLL", cchWideChar=32, lpMultiByteStr=0xbac940, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-DEBUG-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 32 [0023.751] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.751] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-DELAYLOAD-L1-1-0.DLL", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0023.751] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-DELAYLOAD-L1-1-0.DLL", cchWideChar=36, lpMultiByteStr=0xbac988, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-DELAYLOAD-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 36 [0023.751] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.751] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-ERRORHANDLING-L1-1-0.DLL", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0023.751] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-ERRORHANDLING-L1-1-0.DLL", cchWideChar=40, lpMultiByteStr=0xbac940, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-ERRORHANDLING-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 40 [0023.751] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.751] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-FIBERS-L1-1-0.DLL", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0023.751] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-FIBERS-L1-1-0.DLL", cchWideChar=33, lpMultiByteStr=0xbac988, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-FIBERS-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 33 [0023.751] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.751] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-FILE-L1-1-0.DLL", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0023.751] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-FILE-L1-1-0.DLL", cchWideChar=31, lpMultiByteStr=0xbac940, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-FILE-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 31 [0023.751] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.751] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-FILE-L1-2-0.DLL", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0023.751] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-FILE-L1-2-0.DLL", cchWideChar=31, lpMultiByteStr=0xbac988, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-FILE-L1-2-0.DLL", lpUsedDefaultChar=0x0) returned 31 [0023.751] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.751] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-FILE-L2-1-0.DLL", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0023.751] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-FILE-L2-1-0.DLL", cchWideChar=31, lpMultiByteStr=0xbac940, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-FILE-L2-1-0.DLL", lpUsedDefaultChar=0x0) returned 31 [0023.751] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.751] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-HANDLE-L1-1-0.DLL", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0023.751] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-HANDLE-L1-1-0.DLL", cchWideChar=33, lpMultiByteStr=0xbac988, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-HANDLE-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 33 [0023.751] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.751] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-HEAP-L1-1-0.DLL", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0023.752] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-HEAP-L1-1-0.DLL", cchWideChar=31, lpMultiByteStr=0xbac940, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-HEAP-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 31 [0023.752] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.752] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-INTERLOCKED-L1-1-0.DLL", cchWideChar=38, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 38 [0023.752] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-INTERLOCKED-L1-1-0.DLL", cchWideChar=38, lpMultiByteStr=0xbac988, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-INTERLOCKED-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 38 [0023.752] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.752] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-IO-L1-1-0.DLL", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0023.752] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-IO-L1-1-0.DLL", cchWideChar=29, lpMultiByteStr=0xbac940, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-IO-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 29 [0023.752] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.752] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0.DLL", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0023.752] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0.DLL", cchWideChar=40, lpMultiByteStr=0xbac988, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 40 [0023.752] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.752] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-LOCALIZATION-L1-1-0.DLL", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0023.752] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-LOCALIZATION-L1-1-0.DLL", cchWideChar=39, lpMultiByteStr=0xbac940, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-LOCALIZATION-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 39 [0023.752] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.752] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-LOCALIZATION-L1-2-0.DLL", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0023.752] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-LOCALIZATION-L1-2-0.DLL", cchWideChar=39, lpMultiByteStr=0xbac988, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-LOCALIZATION-L1-2-0.DLL", lpUsedDefaultChar=0x0) returned 39 [0023.752] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.752] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-LOCALREGISTRY-L1-1-0.DLL", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0023.752] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-LOCALREGISTRY-L1-1-0.DLL", cchWideChar=40, lpMultiByteStr=0xbac940, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-LOCALREGISTRY-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 40 [0023.752] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.752] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-MEMORY-L1-1-0.DLL", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0023.752] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-MEMORY-L1-1-0.DLL", cchWideChar=33, lpMultiByteStr=0xbac988, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-MEMORY-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 33 [0023.752] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.752] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-MISC-L1-1-0.DLL", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0023.752] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-MISC-L1-1-0.DLL", cchWideChar=31, lpMultiByteStr=0xbac940, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-MISC-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 31 [0023.752] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.752] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-NAMEDPIPE-L1-1-0.DLL", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0023.752] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-NAMEDPIPE-L1-1-0.DLL", cchWideChar=36, lpMultiByteStr=0xbac988, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-NAMEDPIPE-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 36 [0023.752] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.752] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0.DLL", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0023.752] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0.DLL", cchWideChar=45, lpMultiByteStr=0xbac940, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 45 [0023.752] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.752] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0.DLL", cchWideChar=41, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 41 [0023.752] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0.DLL", cchWideChar=41, lpMultiByteStr=0xbac988, cbMultiByte=41, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 41 [0023.753] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.753] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-PROCESSTHREADS-L1-1-1.DLL", cchWideChar=41, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 41 [0023.753] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-PROCESSTHREADS-L1-1-1.DLL", cchWideChar=41, lpMultiByteStr=0xbac940, cbMultiByte=41, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-PROCESSTHREADS-L1-1-1.DLL", lpUsedDefaultChar=0x0) returned 41 [0023.753] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.753] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-PROFILE-L1-1-0.DLL", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0023.753] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-PROFILE-L1-1-0.DLL", cchWideChar=34, lpMultiByteStr=0xbac988, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-PROFILE-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 34 [0023.753] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.753] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-RTLSUPPORT-L1-1-0.DLL", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0023.753] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-RTLSUPPORT-L1-1-0.DLL", cchWideChar=37, lpMultiByteStr=0xbac940, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-RTLSUPPORT-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 37 [0023.753] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.753] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-STRING-L1-1-0.DLL", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0023.753] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-STRING-L1-1-0.DLL", cchWideChar=33, lpMultiByteStr=0xbac988, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-STRING-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 33 [0023.753] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.753] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-SYNCH-L1-1-0.DLL", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0023.753] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-SYNCH-L1-1-0.DLL", cchWideChar=32, lpMultiByteStr=0xbac940, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-SYNCH-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 32 [0023.753] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.753] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-SYNCH-L1-2-0.DLL", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0023.753] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-SYNCH-L1-2-0.DLL", cchWideChar=32, lpMultiByteStr=0xbac988, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-SYNCH-L1-2-0.DLL", lpUsedDefaultChar=0x0) returned 32 [0023.753] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.753] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-SYSINFO-L1-1-0.DLL", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0023.753] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-SYSINFO-L1-1-0.DLL", cchWideChar=34, lpMultiByteStr=0xbac940, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-SYSINFO-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 34 [0023.753] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.753] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-THREADPOOL-L1-1-0.DLL", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0023.753] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-THREADPOOL-L1-1-0.DLL", cchWideChar=37, lpMultiByteStr=0xbac988, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-THREADPOOL-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 37 [0023.753] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.753] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-TIMEZONE-L1-1-0.DLL", cchWideChar=35, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 35 [0023.753] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-TIMEZONE-L1-1-0.DLL", cchWideChar=35, lpMultiByteStr=0xbac940, cbMultiByte=35, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-TIMEZONE-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 35 [0023.753] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.753] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-UTIL-L1-1-0.DLL", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0023.753] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-UTIL-L1-1-0.DLL", cchWideChar=31, lpMultiByteStr=0xbac988, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-UTIL-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 31 [0023.753] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.753] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-XSTATE-L1-1-0.DLL", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0023.753] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-XSTATE-L1-1-0.DLL", cchWideChar=33, lpMultiByteStr=0xbac940, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-XSTATE-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 33 [0023.753] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.754] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-XSTATE-L2-1-0.DLL", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0023.754] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-XSTATE-L2-1-0.DLL", cchWideChar=33, lpMultiByteStr=0xbac988, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-XSTATE-L2-1-0.DLL", lpUsedDefaultChar=0x0) returned 33 [0023.754] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.754] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-CONIO-L1-1-0.DLL", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0023.754] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-CONIO-L1-1-0.DLL", cchWideChar=31, lpMultiByteStr=0xbac940, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CRT-CONIO-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 31 [0023.754] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.754] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-CONVERT-L1-1-0.DLL", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0023.754] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-CONVERT-L1-1-0.DLL", cchWideChar=33, lpMultiByteStr=0xbac988, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CRT-CONVERT-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 33 [0023.754] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.754] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-ENVIRONMENT-L1-1-0.DLL", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0023.754] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-ENVIRONMENT-L1-1-0.DLL", cchWideChar=37, lpMultiByteStr=0xbac940, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CRT-ENVIRONMENT-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 37 [0023.754] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.754] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-FILESYSTEM-L1-1-0.DLL", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0023.754] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-FILESYSTEM-L1-1-0.DLL", cchWideChar=36, lpMultiByteStr=0xbac988, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CRT-FILESYSTEM-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 36 [0023.754] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.754] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-HEAP-L1-1-0.DLL", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0023.754] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-HEAP-L1-1-0.DLL", cchWideChar=30, lpMultiByteStr=0xbac940, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CRT-HEAP-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 30 [0023.754] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.754] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-LOCALE-L1-1-0.DLL", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0023.754] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-LOCALE-L1-1-0.DLL", cchWideChar=32, lpMultiByteStr=0xbac988, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CRT-LOCALE-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 32 [0023.754] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.754] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-MATH-L1-1-0.DLL", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0023.754] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-MATH-L1-1-0.DLL", cchWideChar=30, lpMultiByteStr=0xbac940, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CRT-MATH-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 30 [0023.754] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.754] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-MULTIBYTE-L1-1-0.DLL", cchWideChar=35, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 35 [0023.754] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-MULTIBYTE-L1-1-0.DLL", cchWideChar=35, lpMultiByteStr=0xbac988, cbMultiByte=35, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CRT-MULTIBYTE-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 35 [0023.754] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.754] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-PRIVATE-L1-1-0.DLL", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0023.754] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-PRIVATE-L1-1-0.DLL", cchWideChar=33, lpMultiByteStr=0xbac940, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CRT-PRIVATE-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 33 [0023.754] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.754] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-PROCESS-L1-1-0.DLL", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0023.754] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-PROCESS-L1-1-0.DLL", cchWideChar=33, lpMultiByteStr=0xbac988, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CRT-PROCESS-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 33 [0023.754] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.754] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-RUNTIME-L1-1-0.DLL", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0023.754] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-RUNTIME-L1-1-0.DLL", cchWideChar=33, lpMultiByteStr=0xbac940, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CRT-RUNTIME-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 33 [0023.755] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.755] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-STDIO-L1-1-0.DLL", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0023.755] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-STDIO-L1-1-0.DLL", cchWideChar=31, lpMultiByteStr=0xbac988, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CRT-STDIO-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 31 [0023.755] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.755] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-STRING-L1-1-0.DLL", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0023.755] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-STRING-L1-1-0.DLL", cchWideChar=32, lpMultiByteStr=0xbac940, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CRT-STRING-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 32 [0023.755] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.755] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-TIME-L1-1-0.DLL", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0023.755] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-TIME-L1-1-0.DLL", cchWideChar=30, lpMultiByteStr=0xbac988, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CRT-TIME-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 30 [0023.755] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.755] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-UTILITY-L1-1-0.DLL", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0023.755] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-UTILITY-L1-1-0.DLL", cchWideChar=33, lpMultiByteStr=0xbac940, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CRT-UTILITY-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 33 [0023.755] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.755] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-EVENTING-PROVIDER-L1-1-0.DLL", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0023.755] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-EVENTING-PROVIDER-L1-1-0.DLL", cchWideChar=39, lpMultiByteStr=0xbac988, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-EVENTING-PROVIDER-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 39 [0023.755] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.755] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-SECURITY-BASE-L1-1-0.DLL", cchWideChar=35, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 35 [0023.755] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-SECURITY-BASE-L1-1-0.DLL", cchWideChar=35, lpMultiByteStr=0xbac940, cbMultiByte=35, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-SECURITY-BASE-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 35 [0023.755] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.755] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-SECURITY-LSALOOKUP-L1-1-0.DLL", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0023.755] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-SECURITY-LSALOOKUP-L1-1-0.DLL", cchWideChar=40, lpMultiByteStr=0xbac988, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-SECURITY-LSALOOKUP-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 40 [0023.755] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.755] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-SECURITY-SDDL-L1-1-0.DLL", cchWideChar=35, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 35 [0023.755] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-SECURITY-SDDL-L1-1-0.DLL", cchWideChar=35, lpMultiByteStr=0xbac940, cbMultiByte=35, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-SECURITY-SDDL-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 35 [0023.755] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.755] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-SERVICE-CORE-L1-1-0.DLL", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0023.755] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-SERVICE-CORE-L1-1-0.DLL", cchWideChar=34, lpMultiByteStr=0xbac988, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-SERVICE-CORE-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 34 [0023.755] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.755] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-SERVICE-MANAGEMENT-L1-1-0.DLL", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0023.755] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-SERVICE-MANAGEMENT-L1-1-0.DLL", cchWideChar=40, lpMultiByteStr=0xbac940, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-SERVICE-MANAGEMENT-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 40 [0023.755] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.755] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-SERVICE-MANAGEMENT-L2-1-0.DLL", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0023.756] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-SERVICE-MANAGEMENT-L2-1-0.DLL", cchWideChar=40, lpMultiByteStr=0xbac988, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-SERVICE-MANAGEMENT-L2-1-0.DLL", lpUsedDefaultChar=0x0) returned 40 [0023.756] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.756] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-SERVICE-WINSVC-L1-1-0.DLL", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0023.756] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-SERVICE-WINSVC-L1-1-0.DLL", cchWideChar=36, lpMultiByteStr=0xbac940, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-SERVICE-WINSVC-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 36 [0023.756] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.756] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="APILOGEN.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0023.756] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="APILOGEN.DLL", cchWideChar=12, lpMultiByteStr=0xbac988, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="APILOGEN.DLL", lpUsedDefaultChar=0x0) returned 12 [0023.756] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.756] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="APIRCL.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0023.756] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="APIRCL.DLL", cchWideChar=10, lpMultiByteStr=0xbac940, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="APIRCL.DLL", lpUsedDefaultChar=0x0) returned 10 [0023.756] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.756] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="APISETSCHEMA.DLL", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0023.756] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="APISETSCHEMA.DLL", cchWideChar=16, lpMultiByteStr=0xbac988, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="APISETSCHEMA.DLL", lpUsedDefaultChar=0x0) returned 16 [0023.756] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.756] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="APPHELP.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0023.756] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="APPHELP.DLL", cchWideChar=11, lpMultiByteStr=0xbac940, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="APPHELP.DLL", lpUsedDefaultChar=0x0) returned 11 [0023.756] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.756] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="APPHLPDM.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0023.756] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="APPHLPDM.DLL", cchWideChar=12, lpMultiByteStr=0xbac988, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="APPHLPDM.DLL", lpUsedDefaultChar=0x0) returned 12 [0023.756] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.756] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="APPIDAPI.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0023.756] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="APPIDAPI.DLL", cchWideChar=12, lpMultiByteStr=0xbac940, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="APPIDAPI.DLL", lpUsedDefaultChar=0x0) returned 12 [0023.756] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.756] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="APPIDPOLICYENGINEAPI.DLL", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0023.756] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="APPIDPOLICYENGINEAPI.DLL", cchWideChar=24, lpMultiByteStr=0xbac988, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="APPIDPOLICYENGINEAPI.DLL", lpUsedDefaultChar=0x0) returned 24 [0023.756] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.756] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="APPMGMTS.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0023.756] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="APPMGMTS.DLL", cchWideChar=12, lpMultiByteStr=0xbac940, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="APPMGMTS.DLL", lpUsedDefaultChar=0x0) returned 12 [0023.756] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.756] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="APPMGR.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0023.756] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="APPMGR.DLL", cchWideChar=10, lpMultiByteStr=0xbac988, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="APPMGR.DLL", lpUsedDefaultChar=0x0) returned 10 [0023.756] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.757] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="APSS.DLL", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0023.757] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="APSS.DLL", cchWideChar=8, lpMultiByteStr=0xbac940, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="APSS.DLL", lpUsedDefaultChar=0x0) returned 8 [0023.757] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.757] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ASFERROR.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0023.757] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ASFERROR.DLL", cchWideChar=12, lpMultiByteStr=0xbac988, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ASFERROR.DLL", lpUsedDefaultChar=0x0) returned 12 [0023.757] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.757] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ASPNET_COUNTERS.DLL", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0023.757] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ASPNET_COUNTERS.DLL", cchWideChar=19, lpMultiByteStr=0xbac940, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ASPNET_COUNTERS.DLL", lpUsedDefaultChar=0x0) returned 19 [0023.757] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.757] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ASYCFILT.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0023.757] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ASYCFILT.DLL", cchWideChar=12, lpMultiByteStr=0xbac988, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ASYCFILT.DLL", lpUsedDefaultChar=0x0) returned 12 [0023.757] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.757] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ATL.DLL", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0023.757] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ATL.DLL", cchWideChar=7, lpMultiByteStr=0xbac940, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ATL.DLL", lpUsedDefaultChar=0x0) returned 7 [0023.757] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.757] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ATL100.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0023.757] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ATL100.DLL", cchWideChar=10, lpMultiByteStr=0xbac988, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ATL100.DLL", lpUsedDefaultChar=0x0) returned 10 [0023.757] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.757] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ATL110.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0023.757] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ATL110.DLL", cchWideChar=10, lpMultiByteStr=0xbac940, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ATL110.DLL", lpUsedDefaultChar=0x0) returned 10 [0023.757] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.757] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ATMFD.DLL", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0023.757] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ATMFD.DLL", cchWideChar=9, lpMultiByteStr=0xbac988, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ATMFD.DLL", lpUsedDefaultChar=0x0) returned 9 [0023.757] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.757] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ATMLIB.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0023.757] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ATMLIB.DLL", cchWideChar=10, lpMultiByteStr=0xbac940, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ATMLIB.DLL", lpUsedDefaultChar=0x0) returned 10 [0023.757] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.757] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUDIODEV.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0023.757] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUDIODEV.DLL", cchWideChar=12, lpMultiByteStr=0xbac988, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AUDIODEV.DLL", lpUsedDefaultChar=0x0) returned 12 [0023.758] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.758] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUDIOENG.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0023.758] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUDIOENG.DLL", cchWideChar=12, lpMultiByteStr=0xbac940, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AUDIOENG.DLL", lpUsedDefaultChar=0x0) returned 12 [0023.758] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.758] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUDIOKSE.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0023.758] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUDIOKSE.DLL", cchWideChar=12, lpMultiByteStr=0xbac988, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AUDIOKSE.DLL", lpUsedDefaultChar=0x0) returned 12 [0023.758] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.758] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUDIOSES.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0023.758] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUDIOSES.DLL", cchWideChar=12, lpMultiByteStr=0xbac940, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AUDIOSES.DLL", lpUsedDefaultChar=0x0) returned 12 [0023.758] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.758] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUDITNATIVESNAPIN.DLL", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0023.758] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUDITNATIVESNAPIN.DLL", cchWideChar=21, lpMultiByteStr=0xbac988, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AUDITNATIVESNAPIN.DLL", lpUsedDefaultChar=0x0) returned 21 [0023.758] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.758] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUDITPOLICYGPINTEROP.DLL", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0023.758] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUDITPOLICYGPINTEROP.DLL", cchWideChar=24, lpMultiByteStr=0xbac940, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AUDITPOLICYGPINTEROP.DLL", lpUsedDefaultChar=0x0) returned 24 [0023.758] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.758] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUDITPOLMSG.DLL", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0023.758] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUDITPOLMSG.DLL", cchWideChar=15, lpMultiByteStr=0xbac988, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AUDITPOLMSG.DLL", lpUsedDefaultChar=0x0) returned 15 [0023.758] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.758] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUTHFWCFG.DLL", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0023.758] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUTHFWCFG.DLL", cchWideChar=13, lpMultiByteStr=0xbac940, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AUTHFWCFG.DLL", lpUsedDefaultChar=0x0) returned 13 [0023.758] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.758] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUTHFWGP.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0023.758] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUTHFWGP.DLL", cchWideChar=12, lpMultiByteStr=0xbac988, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AUTHFWGP.DLL", lpUsedDefaultChar=0x0) returned 12 [0023.758] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.758] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUTHFWSNAPIN.DLL", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0023.758] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUTHFWSNAPIN.DLL", cchWideChar=16, lpMultiByteStr=0xbac940, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AUTHFWSNAPIN.DLL", lpUsedDefaultChar=0x0) returned 16 [0023.758] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.759] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUTHFWWIZFWK.DLL", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0023.759] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUTHFWWIZFWK.DLL", cchWideChar=16, lpMultiByteStr=0xbac988, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AUTHFWWIZFWK.DLL", lpUsedDefaultChar=0x0) returned 16 [0023.759] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.759] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUTHUI.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0023.759] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUTHUI.DLL", cchWideChar=10, lpMultiByteStr=0xbac940, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AUTHUI.DLL", lpUsedDefaultChar=0x0) returned 10 [0023.759] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.759] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUTHZ.DLL", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0023.759] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUTHZ.DLL", cchWideChar=9, lpMultiByteStr=0xbac988, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AUTHZ.DLL", lpUsedDefaultChar=0x0) returned 9 [0023.759] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.759] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUTOPLAY.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0023.759] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUTOPLAY.DLL", cchWideChar=12, lpMultiByteStr=0xbac940, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AUTOPLAY.DLL", lpUsedDefaultChar=0x0) returned 12 [0023.759] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.759] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUXILIARYDISPLAYAPI.DLL", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0023.759] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUXILIARYDISPLAYAPI.DLL", cchWideChar=23, lpMultiByteStr=0xbac988, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AUXILIARYDISPLAYAPI.DLL", lpUsedDefaultChar=0x0) returned 23 [0023.759] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.759] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUXILIARYDISPLAYCPL.DLL", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0023.759] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUXILIARYDISPLAYCPL.DLL", cchWideChar=23, lpMultiByteStr=0xbac940, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AUXILIARYDISPLAYCPL.DLL", lpUsedDefaultChar=0x0) returned 23 [0023.759] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.759] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AVICAP32.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0023.759] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AVICAP32.DLL", cchWideChar=12, lpMultiByteStr=0xbac988, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AVICAP32.DLL", lpUsedDefaultChar=0x0) returned 12 [0023.759] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.759] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AVIFIL32.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0023.759] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AVIFIL32.DLL", cchWideChar=12, lpMultiByteStr=0xbac940, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AVIFIL32.DLL", lpUsedDefaultChar=0x0) returned 12 [0023.759] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.759] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AVRT.DLL", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0023.759] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AVRT.DLL", cchWideChar=8, lpMultiByteStr=0xbac988, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AVRT.DLL", lpUsedDefaultChar=0x0) returned 8 [0023.759] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.759] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AZROLES.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0023.759] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AZROLES.DLL", cchWideChar=11, lpMultiByteStr=0xbac940, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AZROLES.DLL", lpUsedDefaultChar=0x0) returned 11 [0023.760] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.760] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AZROLEUI.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0023.760] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AZROLEUI.DLL", cchWideChar=12, lpMultiByteStr=0xbac988, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AZROLEUI.DLL", lpUsedDefaultChar=0x0) returned 12 [0023.760] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.760] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AZSQLEXT.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0023.760] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AZSQLEXT.DLL", cchWideChar=12, lpMultiByteStr=0xbac940, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AZSQLEXT.DLL", lpUsedDefaultChar=0x0) returned 12 [0023.760] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.760] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BASECSP.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0023.760] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BASECSP.DLL", cchWideChar=11, lpMultiByteStr=0xbac988, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BASECSP.DLL", lpUsedDefaultChar=0x0) returned 11 [0023.760] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.760] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BATMETER.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0023.760] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BATMETER.DLL", cchWideChar=12, lpMultiByteStr=0xbac940, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BATMETER.DLL", lpUsedDefaultChar=0x0) returned 12 [0023.760] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.760] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BCRYPT.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0023.760] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BCRYPT.DLL", cchWideChar=10, lpMultiByteStr=0xbac988, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BCRYPT.DLL", lpUsedDefaultChar=0x0) returned 10 [0023.760] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.760] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BCRYPTPRIMITIVES.DLL", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0023.760] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BCRYPTPRIMITIVES.DLL", cchWideChar=20, lpMultiByteStr=0xbac940, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BCRYPTPRIMITIVES.DLL", lpUsedDefaultChar=0x0) returned 20 [0023.760] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.760] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BIDISPL.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0023.760] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BIDISPL.DLL", cchWideChar=11, lpMultiByteStr=0xbac988, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BIDISPL.DLL", lpUsedDefaultChar=0x0) returned 11 [0023.760] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.760] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BIOCREDPROV.DLL", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0023.760] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BIOCREDPROV.DLL", cchWideChar=15, lpMultiByteStr=0xbac940, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BIOCREDPROV.DLL", lpUsedDefaultChar=0x0) returned 15 [0023.760] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.760] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BITSPERF.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0023.760] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BITSPERF.DLL", cchWideChar=12, lpMultiByteStr=0xbac988, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BITSPERF.DLL", lpUsedDefaultChar=0x0) returned 12 [0023.760] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.761] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BITSPRX2.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0023.761] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BITSPRX2.DLL", cchWideChar=12, lpMultiByteStr=0xbac940, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BITSPRX2.DLL", lpUsedDefaultChar=0x0) returned 12 [0023.761] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.761] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BITSPRX3.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0023.761] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BITSPRX3.DLL", cchWideChar=12, lpMultiByteStr=0xbac988, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BITSPRX3.DLL", lpUsedDefaultChar=0x0) returned 12 [0023.761] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.761] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BITSPRX4.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0023.761] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BITSPRX4.DLL", cchWideChar=12, lpMultiByteStr=0xbac940, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BITSPRX4.DLL", lpUsedDefaultChar=0x0) returned 12 [0023.761] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.761] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BITSPRX5.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0023.761] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BITSPRX5.DLL", cchWideChar=12, lpMultiByteStr=0xbac988, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BITSPRX5.DLL", lpUsedDefaultChar=0x0) returned 12 [0023.761] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.761] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BITSPRX6.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0023.761] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BITSPRX6.DLL", cchWideChar=12, lpMultiByteStr=0xbac940, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BITSPRX6.DLL", lpUsedDefaultChar=0x0) returned 12 [0023.761] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.761] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BLACKBOX.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0023.761] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BLACKBOX.DLL", cchWideChar=12, lpMultiByteStr=0xbac988, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BLACKBOX.DLL", lpUsedDefaultChar=0x0) returned 12 [0023.761] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.761] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BOOTVID.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0023.761] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BOOTVID.DLL", cchWideChar=11, lpMultiByteStr=0xbac940, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BOOTVID.DLL", lpUsedDefaultChar=0x0) returned 11 [0023.761] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.761] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BROWCLI.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0023.761] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BROWCLI.DLL", cchWideChar=11, lpMultiByteStr=0xbac988, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BROWCLI.DLL", lpUsedDefaultChar=0x0) returned 11 [0023.761] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.761] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BROWSEUI.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0023.761] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BROWSEUI.DLL", cchWideChar=12, lpMultiByteStr=0xbac940, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BROWSEUI.DLL", lpUsedDefaultChar=0x0) returned 12 [0023.761] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.761] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BTPANUI.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0023.761] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BTPANUI.DLL", cchWideChar=11, lpMultiByteStr=0xbac988, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BTPANUI.DLL", lpUsedDefaultChar=0x0) returned 11 [0023.762] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.762] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BWCONTEXTHANDLER.DLL", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0023.762] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BWCONTEXTHANDLER.DLL", cchWideChar=20, lpMultiByteStr=0xbac940, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BWCONTEXTHANDLER.DLL", lpUsedDefaultChar=0x0) returned 20 [0023.762] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.762] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BWUNPAIRELEVATED.DLL", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0023.762] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BWUNPAIRELEVATED.DLL", cchWideChar=20, lpMultiByteStr=0xbac988, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BWUNPAIRELEVATED.DLL", lpUsedDefaultChar=0x0) returned 20 [0023.762] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.762] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CABINET.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0023.762] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CABINET.DLL", cchWideChar=11, lpMultiByteStr=0xbac940, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CABINET.DLL", lpUsedDefaultChar=0x0) returned 11 [0023.762] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.762] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CABVIEW.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0023.762] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CABVIEW.DLL", cchWideChar=11, lpMultiByteStr=0xbac988, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CABVIEW.DLL", lpUsedDefaultChar=0x0) returned 11 [0023.762] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.762] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CAPIPROVIDER.DLL", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0023.762] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CAPIPROVIDER.DLL", cchWideChar=16, lpMultiByteStr=0xbac940, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CAPIPROVIDER.DLL", lpUsedDefaultChar=0x0) returned 16 [0023.762] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.762] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CAPISP.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0023.762] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CAPISP.DLL", cchWideChar=10, lpMultiByteStr=0xbac988, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CAPISP.DLL", lpUsedDefaultChar=0x0) returned 10 [0023.762] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.762] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CATSRV.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0023.762] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CATSRV.DLL", cchWideChar=10, lpMultiByteStr=0xbac940, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CATSRV.DLL", lpUsedDefaultChar=0x0) returned 10 [0023.762] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.762] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CATSRVPS.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0023.762] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CATSRVPS.DLL", cchWideChar=12, lpMultiByteStr=0xbac988, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CATSRVPS.DLL", lpUsedDefaultChar=0x0) returned 12 [0023.762] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.762] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CATSRVUT.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0023.762] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CATSRVUT.DLL", cchWideChar=12, lpMultiByteStr=0xbac940, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CATSRVUT.DLL", lpUsedDefaultChar=0x0) returned 12 [0023.762] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.763] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CCA.DLL", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0023.763] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CCA.DLL", cchWideChar=7, lpMultiByteStr=0xbac988, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CCA.DLL", lpUsedDefaultChar=0x0) returned 7 [0023.763] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.763] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CDOSYS.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0023.763] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CDOSYS.DLL", cchWideChar=10, lpMultiByteStr=0xbac940, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CDOSYS.DLL", lpUsedDefaultChar=0x0) returned 10 [0023.763] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.763] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CERTCLI.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0023.763] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CERTCLI.DLL", cchWideChar=11, lpMultiByteStr=0xbac988, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CERTCLI.DLL", lpUsedDefaultChar=0x0) returned 11 [0023.763] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.763] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CERTCREDPROVIDER.DLL", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0023.763] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CERTCREDPROVIDER.DLL", cchWideChar=20, lpMultiByteStr=0xbac940, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CERTCREDPROVIDER.DLL", lpUsedDefaultChar=0x0) returned 20 [0023.763] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.763] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CERTENC.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0023.763] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CERTENC.DLL", cchWideChar=11, lpMultiByteStr=0xbac988, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CERTENC.DLL", lpUsedDefaultChar=0x0) returned 11 [0023.763] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.763] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CERTENROLL.DLL", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0023.763] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CERTENROLL.DLL", cchWideChar=14, lpMultiByteStr=0xbac940, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CERTENROLL.DLL", lpUsedDefaultChar=0x0) returned 14 [0023.763] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.763] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CERTENROLLUI.DLL", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0023.763] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CERTENROLLUI.DLL", cchWideChar=16, lpMultiByteStr=0xbac988, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CERTENROLLUI.DLL", lpUsedDefaultChar=0x0) returned 16 [0023.763] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.763] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CERTMGR.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0023.763] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CERTMGR.DLL", cchWideChar=11, lpMultiByteStr=0xbac940, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CERTMGR.DLL", lpUsedDefaultChar=0x0) returned 11 [0023.763] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.763] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CERTPOLENG.DLL", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0023.763] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CERTPOLENG.DLL", cchWideChar=14, lpMultiByteStr=0xbac988, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CERTPOLENG.DLL", lpUsedDefaultChar=0x0) returned 14 [0023.763] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.763] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CEWMDM.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0023.763] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CEWMDM.DLL", cchWideChar=10, lpMultiByteStr=0xbac940, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CEWMDM.DLL", lpUsedDefaultChar=0x0) returned 10 [0023.764] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.764] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CFGBKEND.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0023.764] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CFGBKEND.DLL", cchWideChar=12, lpMultiByteStr=0xbac988, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CFGBKEND.DLL", lpUsedDefaultChar=0x0) returned 12 [0023.764] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.764] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CFGMGR32.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0023.764] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CFGMGR32.DLL", cchWideChar=12, lpMultiByteStr=0xbac940, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CFGMGR32.DLL", lpUsedDefaultChar=0x0) returned 12 [0023.764] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.764] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CHSBRKR.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0023.764] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CHSBRKR.DLL", cchWideChar=11, lpMultiByteStr=0xbac988, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CHSBRKR.DLL", lpUsedDefaultChar=0x0) returned 11 [0023.764] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.764] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CHTBRKR.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0023.764] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CHTBRKR.DLL", cchWideChar=11, lpMultiByteStr=0xbac940, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CHTBRKR.DLL", lpUsedDefaultChar=0x0) returned 11 [0023.764] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.764] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CHXREADINGSTRINGIME.DLL", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0023.764] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CHXREADINGSTRINGIME.DLL", cchWideChar=23, lpMultiByteStr=0xbac988, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CHXREADINGSTRINGIME.DLL", lpUsedDefaultChar=0x0) returned 23 [0023.764] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.764] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CIC.DLL", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0023.764] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CIC.DLL", cchWideChar=7, lpMultiByteStr=0xbac940, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CIC.DLL", lpUsedDefaultChar=0x0) returned 7 [0023.764] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.764] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CLB.DLL", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0023.764] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CLB.DLL", cchWideChar=7, lpMultiByteStr=0xbac988, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CLB.DLL", lpUsedDefaultChar=0x0) returned 7 [0023.764] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.764] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CLBCATQ.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0023.764] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CLBCATQ.DLL", cchWideChar=11, lpMultiByteStr=0xbac940, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CLBCATQ.DLL", lpUsedDefaultChar=0x0) returned 11 [0023.764] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.764] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CLFSW32.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0023.764] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CLFSW32.DLL", cchWideChar=11, lpMultiByteStr=0xbac988, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CLFSW32.DLL", lpUsedDefaultChar=0x0) returned 11 [0023.764] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.765] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CLICONFG.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0023.765] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CLICONFG.DLL", cchWideChar=12, lpMultiByteStr=0xbac940, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CLICONFG.DLL", lpUsedDefaultChar=0x0) returned 12 [0023.765] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.765] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CLUSAPI.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0023.765] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CLUSAPI.DLL", cchWideChar=11, lpMultiByteStr=0xbac988, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CLUSAPI.DLL", lpUsedDefaultChar=0x0) returned 11 [0023.765] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.765] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CMCFG32.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0023.765] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CMCFG32.DLL", cchWideChar=11, lpMultiByteStr=0xbac940, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CMCFG32.DLL", lpUsedDefaultChar=0x0) returned 11 [0023.765] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.765] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CMDIAL32.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0023.765] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CMDIAL32.DLL", cchWideChar=12, lpMultiByteStr=0xbac988, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CMDIAL32.DLL", lpUsedDefaultChar=0x0) returned 12 [0023.765] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.765] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CMICRYPTINSTALL.DLL", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0023.765] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CMICRYPTINSTALL.DLL", cchWideChar=19, lpMultiByteStr=0xbac940, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CMICRYPTINSTALL.DLL", lpUsedDefaultChar=0x0) returned 19 [0023.765] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.765] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CMIFW.DLL", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0023.765] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CMIFW.DLL", cchWideChar=9, lpMultiByteStr=0xbac988, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CMIFW.DLL", lpUsedDefaultChar=0x0) returned 9 [0023.765] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.765] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CMIPNPINSTALL.DLL", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0023.765] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CMIPNPINSTALL.DLL", cchWideChar=17, lpMultiByteStr=0xbac940, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CMIPNPINSTALL.DLL", lpUsedDefaultChar=0x0) returned 17 [0023.765] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.765] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CMLUA.DLL", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0023.765] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CMLUA.DLL", cchWideChar=9, lpMultiByteStr=0xbac988, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CMLUA.DLL", lpUsedDefaultChar=0x0) returned 9 [0023.765] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.765] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CMPBK32.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0023.765] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CMPBK32.DLL", cchWideChar=11, lpMultiByteStr=0xbac940, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CMPBK32.DLL", lpUsedDefaultChar=0x0) returned 11 [0023.765] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.765] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CMSTPLUA.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0023.765] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CMSTPLUA.DLL", cchWideChar=12, lpMultiByteStr=0xbac988, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CMSTPLUA.DLL", lpUsedDefaultChar=0x0) returned 12 [0023.765] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.766] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CMUTIL.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0023.766] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CMUTIL.DLL", cchWideChar=10, lpMultiByteStr=0xbac940, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CMUTIL.DLL", lpUsedDefaultChar=0x0) returned 10 [0023.766] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.766] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CNGAUDIT.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0023.766] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CNGAUDIT.DLL", cchWideChar=12, lpMultiByteStr=0xbac988, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CNGAUDIT.DLL", lpUsedDefaultChar=0x0) returned 12 [0023.766] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.766] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CNGPROVIDER.DLL", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0023.766] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CNGPROVIDER.DLL", cchWideChar=15, lpMultiByteStr=0xbac940, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CNGPROVIDER.DLL", lpUsedDefaultChar=0x0) returned 15 [0023.766] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.766] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CNVFAT.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0023.766] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CNVFAT.DLL", cchWideChar=10, lpMultiByteStr=0xbac988, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CNVFAT.DLL", lpUsedDefaultChar=0x0) returned 10 [0023.766] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.766] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="COLBACT.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0023.766] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="COLBACT.DLL", cchWideChar=11, lpMultiByteStr=0xbac940, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="COLBACT.DLL", lpUsedDefaultChar=0x0) returned 11 [0023.766] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.766] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="COLORCNV.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0023.766] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="COLORCNV.DLL", cchWideChar=12, lpMultiByteStr=0xbac988, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="COLORCNV.DLL", lpUsedDefaultChar=0x0) returned 12 [0023.766] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.766] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="COLORUI.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0023.766] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="COLORUI.DLL", cchWideChar=11, lpMultiByteStr=0xbac940, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="COLORUI.DLL", lpUsedDefaultChar=0x0) returned 11 [0023.766] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.766] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="COMCAT.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0023.767] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="COMCAT.DLL", cchWideChar=10, lpMultiByteStr=0xbac988, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="COMCAT.DLL", lpUsedDefaultChar=0x0) returned 10 [0023.767] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.767] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="COMCTL32.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0023.767] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="COMCTL32.DLL", cchWideChar=12, lpMultiByteStr=0xbac940, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="COMCTL32.DLL", lpUsedDefaultChar=0x0) returned 12 [0023.767] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.767] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="COMDLG32.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0023.767] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="COMDLG32.DLL", cchWideChar=12, lpMultiByteStr=0xbac988, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="COMDLG32.DLL", lpUsedDefaultChar=0x0) returned 12 [0023.767] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.767] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="COMPOBJ.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0023.767] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="COMPOBJ.DLL", cchWideChar=11, lpMultiByteStr=0xbac940, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="COMPOBJ.DLL", lpUsedDefaultChar=0x0) returned 11 [0023.767] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.767] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="COMPSTUI.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0023.767] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="COMPSTUI.DLL", cchWideChar=12, lpMultiByteStr=0xbac988, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="COMPSTUI.DLL", lpUsedDefaultChar=0x0) returned 12 [0023.767] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.767] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="COMREPL.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0023.767] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="COMREPL.DLL", cchWideChar=11, lpMultiByteStr=0xbac940, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="COMREPL.DLL", lpUsedDefaultChar=0x0) returned 11 [0023.767] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.767] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="COMRES.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0023.767] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="COMRES.DLL", cchWideChar=10, lpMultiByteStr=0xbac988, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="COMRES.DLL", lpUsedDefaultChar=0x0) returned 10 [0023.767] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.767] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="COMSNAP.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0023.767] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="COMSNAP.DLL", cchWideChar=11, lpMultiByteStr=0xbac940, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="COMSNAP.DLL", lpUsedDefaultChar=0x0) returned 11 [0023.767] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.767] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="COMSVCS.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0023.767] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="COMSVCS.DLL", cchWideChar=11, lpMultiByteStr=0xbac988, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="COMSVCS.DLL", lpUsedDefaultChar=0x0) returned 11 [0023.767] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.767] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="COMUID.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0023.767] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="COMUID.DLL", cchWideChar=10, lpMultiByteStr=0xbac940, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="COMUID.DLL", lpUsedDefaultChar=0x0) returned 10 [0023.767] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.767] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CONCRT140.DLL", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0023.767] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CONCRT140.DLL", cchWideChar=13, lpMultiByteStr=0xbac988, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CONCRT140.DLL", lpUsedDefaultChar=0x0) returned 13 [0023.768] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.768] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CONNECT.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0023.768] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CONNECT.DLL", cchWideChar=11, lpMultiByteStr=0xbac940, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CONNECT.DLL", lpUsedDefaultChar=0x0) returned 11 [0023.768] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.768] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CONSOLE.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0023.768] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CONSOLE.DLL", cchWideChar=11, lpMultiByteStr=0xbac988, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CONSOLE.DLL", lpUsedDefaultChar=0x0) returned 11 [0023.768] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.768] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CORPOL.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0023.768] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CORPOL.DLL", cchWideChar=10, lpMultiByteStr=0xbac940, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CORPOL.DLL", lpUsedDefaultChar=0x0) returned 10 [0023.768] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.768] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CPFILTERS.DLL", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0023.768] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CPFILTERS.DLL", cchWideChar=13, lpMultiByteStr=0xbac988, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CPFILTERS.DLL", lpUsedDefaultChar=0x0) returned 13 [0023.768] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.768] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CREDSSP.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0023.768] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CREDSSP.DLL", cchWideChar=11, lpMultiByteStr=0xbac940, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CREDSSP.DLL", lpUsedDefaultChar=0x0) returned 11 [0023.768] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.768] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CREDUI.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0023.768] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CREDUI.DLL", cchWideChar=10, lpMultiByteStr=0xbac988, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CREDUI.DLL", lpUsedDefaultChar=0x0) returned 10 [0023.768] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.768] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CRTDLL.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0023.768] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CRTDLL.DLL", cchWideChar=10, lpMultiByteStr=0xbac940, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CRTDLL.DLL", lpUsedDefaultChar=0x0) returned 10 [0023.768] FindNextFileW (in: hFindFile=0x4998d8, lpFindFileData=0x3af7e4 | out: lpFindFileData=0x3af7e4) returned 1 [0023.768] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CRYPT32.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0023.768] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CRYPT32.DLL", cchWideChar=11, lpMultiByteStr=0xbac988, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CRYPT32.DLL", lpUsedDefaultChar=0x0) returned 11 [0023.768] LdrLoadDll (in: SearchPath=0x0, LoadFlags=0x0, Name="crypt32.dll", BaseAddress=0x3afa58 | out: BaseAddress=0x3afa58*=0x75720000) returned 0x0 [0023.980] FindClose (in: hFindFile=0x4998d8 | out: hFindFile=0x4998d8) returned 1 [0023.980] CryptStringToBinaryA (in: pszString="-----BEGIN PUBLIC KEY-----\r\nMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCdXOKTkkjURSPoRv6ciKwuUyK8\r\n+7EiuEHzxMGanjcW6+UbzAT1+MKH43GnfnWdTedvkgYD5Zg8lNUasTJ0FdRzHLDO\r\np5ciKIG0vITHV9kDtV/NtU2M/uKYO51wmO4fC2eLWZRS6ru7CQNJYfId0nXGFmU6\r\n3tqF+NLM1KW2f/gHnwIDAQAB\r\n-----END PUBLIC KEY-----", cchString=0x0, dwFlags=0x0, pbBinary=0x0, pcbBinary=0x3afa80, pdwSkip=0x0, pdwFlags=0x0 | out: pbBinary=0x0, pcbBinary=0x3afa80, pdwSkip=0x0, pdwFlags=0x0) returned 1 [0023.981] CryptStringToBinaryA (in: pszString="-----BEGIN PUBLIC KEY-----\r\nMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCdXOKTkkjURSPoRv6ciKwuUyK8\r\n+7EiuEHzxMGanjcW6+UbzAT1+MKH43GnfnWdTedvkgYD5Zg8lNUasTJ0FdRzHLDO\r\np5ciKIG0vITHV9kDtV/NtU2M/uKYO51wmO4fC2eLWZRS6ru7CQNJYfId0nXGFmU6\r\n3tqF+NLM1KW2f/gHnwIDAQAB\r\n-----END PUBLIC KEY-----", cchString=0x0, dwFlags=0x0, pbBinary=0x887a18, pcbBinary=0x3afa80, pdwSkip=0x0, pdwFlags=0x0 | out: pbBinary=0x887a18, pcbBinary=0x3afa80, pdwSkip=0x0, pdwFlags=0x0) returned 1 [0023.981] CryptDecodeObject (in: dwCertEncodingType=0x10001, lpszStructType=0x8, pbEncoded=0x887a18, cbEncoded=0xa2, dwFlags=0x0, pvStructInfo=0x0, pcbStructInfo=0x3afa80 | out: pvStructInfo=0x0, pcbStructInfo=0x3afa80) returned 1 [0023.986] CryptDecodeObject (in: dwCertEncodingType=0x10001, lpszStructType=0x8, pbEncoded=0x887a18, cbEncoded=0xa2, dwFlags=0x0, pvStructInfo=0x8880a8, pcbStructInfo=0x3afa80 | out: pvStructInfo=0x8880a8, pcbStructInfo=0x3afa80) returned 1 [0023.986] CryptImportPublicKeyInfo (in: hCryptProv=0x498400, dwCertEncodingType=0x10001, pInfo=0x8880a8*(Algorithm.pszObjId="1.2.840.113549.1.1.1", Algorithm.Parameters.cbData=0x2, Algorithm.Parameters.pbData=0x8880d8*, PublicKey.cbData=0x8c, PublicKey.pbData=0x8880e0*, PublicKey.cUnusedBits=0x0), phKey=0x3afa88 | out: phKey=0x3afa88*=0x4998d8) returned 1 [0023.988] ReleaseMutex (hMutex=0x100) returned 1 [0023.989] StartServiceCtrlDispatcherW (lpServiceTable=0x3afaf8*(lpServiceName="", lpServiceProc=0x101f270)) returned 0 [0023.993] GetLastError () returned 0x427 [0023.993] GetCommandLineW () returned="\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\CUsersGrujaAppDataRoaming6Xx3WI1ICfwJbN6F1OD~1.EXE\" " [0023.993] CommandLineToArgvW (in: lpCmdLine="\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\CUsersGrujaAppDataRoaming6Xx3WI1ICfwJbN6F1OD~1.EXE\" ", pNumArgs=0x3afae8 | out: pNumArgs=0x3afae8) returned 0x4b2228*="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\CUsersGrujaAppDataRoaming6Xx3WI1ICfwJbN6F1OD~1.EXE" [0023.993] Wow64DisableWow64FsRedirection (in: OldValue=0x3afac8 | out: OldValue=0x3afac8*=0x0) returned 1 [0023.993] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x8880a8, nSize=0x200 | out: lpFilename="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\CUsersGrujaAppDataRoaming6Xx3WI1ICfwJbN6F1OD~1.EXE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\cusersgrujaappdataroaming6xx3wi1icfwjbn6f1od~1.exe")) returned 0x58 [0023.994] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x8888b0, nSize=0x200 | out: lpFilename="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\CUsersGrujaAppDataRoaming6Xx3WI1ICfwJbN6F1OD~1.EXE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\cusersgrujaappdataroaming6xx3wi1icfwjbn6f1od~1.exe")) returned 0x58 [0023.994] SHRegDuplicateHKey (hkey=0x80000001) returned 0x80000001 [0023.994] RegEnumKeyW (in: hKey=0x80000001, dwIndex=0x0, lpName=0x8898c0, cchName=0x104 | out: lpName="AppEvents") returned 0x0 [0023.994] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="appevents", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0023.994] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="appevents", cchWideChar=9, lpMultiByteStr=0xbac1f0, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="appevents", lpUsedDefaultChar=0x0) returned 9 [0023.994] RegEnumKeyW (in: hKey=0x80000001, dwIndex=0x1, lpName=0x8898c0, cchName=0x104 | out: lpName="Console") returned 0x0 [0023.994] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="console", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0023.994] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="console", cchWideChar=7, lpMultiByteStr=0xbac238, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="console", lpUsedDefaultChar=0x0) returned 7 [0023.994] RegEnumKeyW (in: hKey=0x80000001, dwIndex=0x2, lpName=0x8898c0, cchName=0x104 | out: lpName="Control Panel") returned 0x0 [0023.994] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="control panel", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0023.994] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="control panel", cchWideChar=13, lpMultiByteStr=0xbac1f0, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="control panel", lpUsedDefaultChar=0x0) returned 13 [0023.994] RegEnumKeyW (in: hKey=0x80000001, dwIndex=0x3, lpName=0x8898c0, cchName=0x104 | out: lpName="Environment") returned 0x0 [0023.994] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="environment", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0023.994] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="environment", cchWideChar=11, lpMultiByteStr=0xbac238, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="environment", lpUsedDefaultChar=0x0) returned 11 [0023.994] RegEnumKeyW (in: hKey=0x80000001, dwIndex=0x4, lpName=0x8898c0, cchName=0x104 | out: lpName="EUDC") returned 0x0 [0023.994] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="eudc", cchWideChar=4, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 4 [0023.994] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="eudc", cchWideChar=4, lpMultiByteStr=0xbac1f0, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="eudc", lpUsedDefaultChar=0x0) returned 4 [0023.994] RegEnumKeyW (in: hKey=0x80000001, dwIndex=0x5, lpName=0x8898c0, cchName=0x104 | out: lpName="Identities") returned 0x0 [0023.994] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="identities", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0023.995] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="identities", cchWideChar=10, lpMultiByteStr=0xbac238, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="identities", lpUsedDefaultChar=0x0) returned 10 [0023.995] RegEnumKeyW (in: hKey=0x80000001, dwIndex=0x6, lpName=0x8898c0, cchName=0x104 | out: lpName="Keyboard Layout") returned 0x0 [0023.995] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="keyboard layout", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0023.995] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="keyboard layout", cchWideChar=15, lpMultiByteStr=0xbac1f0, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="keyboard layout", lpUsedDefaultChar=0x0) returned 15 [0023.995] RegEnumKeyW (in: hKey=0x80000001, dwIndex=0x7, lpName=0x8898c0, cchName=0x104 | out: lpName="Network") returned 0x0 [0023.995] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="network", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0023.995] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="network", cchWideChar=7, lpMultiByteStr=0xbac238, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="network", lpUsedDefaultChar=0x0) returned 7 [0023.995] RegEnumKeyW (in: hKey=0x80000001, dwIndex=0x8, lpName=0x8898c0, cchName=0x104 | out: lpName="Printers") returned 0x0 [0023.995] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="printers", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0023.995] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="printers", cchWideChar=8, lpMultiByteStr=0xbac1f0, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="printers", lpUsedDefaultChar=0x0) returned 8 [0023.995] RegEnumKeyW (in: hKey=0x80000001, dwIndex=0x9, lpName=0x8898c0, cchName=0x104 | out: lpName="Software") returned 0x0 [0023.995] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="software", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0023.995] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="software", cchWideChar=8, lpMultiByteStr=0xbac238, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="software", lpUsedDefaultChar=0x0) returned 8 [0023.995] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software", ulOptions=0x0, samDesired=0x20109, phkResult=0x3af5a0 | out: phkResult=0x3af5a0*=0x11c) returned 0x0 [0023.995] RegCloseKey (hKey=0x80000001) returned 0x0 [0023.995] RegEnumKeyW (in: hKey=0x11c, dwIndex=0x0, lpName=0x8898c0, cchName=0x104 | out: lpName="Adobe") returned 0x0 [0023.995] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="adobe", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0023.995] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="adobe", cchWideChar=5, lpMultiByteStr=0xbac1f0, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="adobe", lpUsedDefaultChar=0x0) returned 5 [0023.995] RegEnumKeyW (in: hKey=0x11c, dwIndex=0x1, lpName=0x8898c0, cchName=0x104 | out: lpName="AppDataLow") returned 0x0 [0023.995] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="appdatalow", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0023.996] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="appdatalow", cchWideChar=10, lpMultiByteStr=0xbac238, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="appdatalow", lpUsedDefaultChar=0x0) returned 10 [0023.996] RegEnumKeyW (in: hKey=0x11c, dwIndex=0x2, lpName=0x8898c0, cchName=0x104 | out: lpName="Clients") returned 0x0 [0023.996] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="clients", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0023.996] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="clients", cchWideChar=7, lpMultiByteStr=0xbac1f0, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="clients", lpUsedDefaultChar=0x0) returned 7 [0023.996] RegEnumKeyW (in: hKey=0x11c, dwIndex=0x3, lpName=0x8898c0, cchName=0x104 | out: lpName="Google") returned 0x0 [0023.996] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="google", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0023.996] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="google", cchWideChar=6, lpMultiByteStr=0xbac238, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="google", lpUsedDefaultChar=0x0) returned 6 [0023.996] RegEnumKeyW (in: hKey=0x11c, dwIndex=0x4, lpName=0x8898c0, cchName=0x104 | out: lpName="JavaSoft") returned 0x0 [0023.996] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="javasoft", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0023.996] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="javasoft", cchWideChar=8, lpMultiByteStr=0xbac1f0, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="javasoft", lpUsedDefaultChar=0x0) returned 8 [0023.996] RegEnumKeyW (in: hKey=0x11c, dwIndex=0x5, lpName=0x8898c0, cchName=0x104 | out: lpName="Macromedia") returned 0x0 [0023.996] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="macromedia", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0023.996] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="macromedia", cchWideChar=10, lpMultiByteStr=0xbac238, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="macromedia", lpUsedDefaultChar=0x0) returned 10 [0023.996] RegEnumKeyW (in: hKey=0x11c, dwIndex=0x6, lpName=0x8898c0, cchName=0x104 | out: lpName="Microsoft") returned 0x0 [0023.996] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="microsoft", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0023.996] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="microsoft", cchWideChar=9, lpMultiByteStr=0xbac1f0, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="microsoft", lpUsedDefaultChar=0x0) returned 9 [0023.996] RegOpenKeyExW (in: hKey=0x11c, lpSubKey="Microsoft", ulOptions=0x0, samDesired=0x20109, phkResult=0x3af5a0 | out: phkResult=0x3af5a0*=0x118) returned 0x0 [0023.996] RegCloseKey (hKey=0x11c) returned 0x0 [0023.996] RegEnumKeyW (in: hKey=0x118, dwIndex=0x0, lpName=0x8898c0, cchName=0x104 | out: lpName="Active Setup") returned 0x0 [0023.996] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="active setup", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0023.997] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="active setup", cchWideChar=12, lpMultiByteStr=0xbac238, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="active setup", lpUsedDefaultChar=0x0) returned 12 [0023.997] RegEnumKeyW (in: hKey=0x118, dwIndex=0x1, lpName=0x8898c0, cchName=0x104 | out: lpName="ActiveMovie") returned 0x0 [0023.997] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="activemovie", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0023.997] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="activemovie", cchWideChar=11, lpMultiByteStr=0xbac1f0, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="activemovie", lpUsedDefaultChar=0x0) returned 11 [0023.997] RegEnumKeyW (in: hKey=0x118, dwIndex=0x2, lpName=0x8898c0, cchName=0x104 | out: lpName="Advanced INF Setup") returned 0x0 [0023.997] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="advanced inf setup", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0023.997] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="advanced inf setup", cchWideChar=18, lpMultiByteStr=0xbac238, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="advanced inf setup", lpUsedDefaultChar=0x0) returned 18 [0023.997] RegEnumKeyW (in: hKey=0x118, dwIndex=0x3, lpName=0x8898c0, cchName=0x104 | out: lpName="ASF Stream Descriptor File") returned 0x0 [0023.997] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="asf stream descriptor file", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0023.997] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="asf stream descriptor file", cchWideChar=26, lpMultiByteStr=0xbac1f0, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="asf stream descriptor file", lpUsedDefaultChar=0x0) returned 26 [0023.997] RegEnumKeyW (in: hKey=0x118, dwIndex=0x4, lpName=0x8898c0, cchName=0x104 | out: lpName="Assistance") returned 0x0 [0023.997] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="assistance", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0023.997] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="assistance", cchWideChar=10, lpMultiByteStr=0xbac238, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="assistance", lpUsedDefaultChar=0x0) returned 10 [0023.997] RegEnumKeyW (in: hKey=0x118, dwIndex=0x5, lpName=0x8898c0, cchName=0x104 | out: lpName="Command Processor") returned 0x0 [0023.997] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="command processor", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0023.997] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="command processor", cchWideChar=17, lpMultiByteStr=0xbac1f0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="command processor", lpUsedDefaultChar=0x0) returned 17 [0023.997] RegEnumKeyW (in: hKey=0x118, dwIndex=0x6, lpName=0x8898c0, cchName=0x104 | out: lpName="CTF") returned 0x0 [0023.997] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ctf", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0023.997] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ctf", cchWideChar=3, lpMultiByteStr=0xbac238, cbMultiByte=3, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ctf", lpUsedDefaultChar=0x0) returned 3 [0023.997] RegEnumKeyW (in: hKey=0x118, dwIndex=0x7, lpName=0x8898c0, cchName=0x104 | out: lpName="Direct3D") returned 0x0 [0023.997] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="direct3d", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0023.998] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="direct3d", cchWideChar=8, lpMultiByteStr=0xbac1f0, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="direct3d", lpUsedDefaultChar=0x0) returned 8 [0023.998] RegEnumKeyW (in: hKey=0x118, dwIndex=0x8, lpName=0x8898c0, cchName=0x104 | out: lpName="EventSystem") returned 0x0 [0023.998] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="eventsystem", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0023.998] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="eventsystem", cchWideChar=11, lpMultiByteStr=0xbac238, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="eventsystem", lpUsedDefaultChar=0x0) returned 11 [0023.998] RegEnumKeyW (in: hKey=0x118, dwIndex=0x9, lpName=0x8898c0, cchName=0x104 | out: lpName="Exchange") returned 0x0 [0023.998] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="exchange", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0023.998] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="exchange", cchWideChar=8, lpMultiByteStr=0xbac1f0, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="exchange", lpUsedDefaultChar=0x0) returned 8 [0023.998] RegEnumKeyW (in: hKey=0x118, dwIndex=0xa, lpName=0x8898c0, cchName=0x104 | out: lpName="Fax") returned 0x0 [0023.998] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="fax", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0023.998] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="fax", cchWideChar=3, lpMultiByteStr=0xbac238, cbMultiByte=3, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="fax", lpUsedDefaultChar=0x0) returned 3 [0023.998] RegEnumKeyW (in: hKey=0x118, dwIndex=0xb, lpName=0x8898c0, cchName=0x104 | out: lpName="Feeds") returned 0x0 [0023.998] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="feeds", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0023.998] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="feeds", cchWideChar=5, lpMultiByteStr=0xbac1f0, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="feeds", lpUsedDefaultChar=0x0) returned 5 [0023.998] RegEnumKeyW (in: hKey=0x118, dwIndex=0xc, lpName=0x8898c0, cchName=0x104 | out: lpName="FTP") returned 0x0 [0023.998] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ftp", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0023.998] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ftp", cchWideChar=3, lpMultiByteStr=0xbac238, cbMultiByte=3, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ftp", lpUsedDefaultChar=0x0) returned 3 [0023.998] RegEnumKeyW (in: hKey=0x118, dwIndex=0xd, lpName=0x8898c0, cchName=0x104 | out: lpName="GDIPlus") returned 0x0 [0023.998] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="gdiplus", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0023.998] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="gdiplus", cchWideChar=7, lpMultiByteStr=0xbac1f0, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="gdiplus", lpUsedDefaultChar=0x0) returned 7 [0023.998] RegEnumKeyW (in: hKey=0x118, dwIndex=0xe, lpName=0x8898c0, cchName=0x104 | out: lpName="IAM") returned 0x0 [0023.999] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="iam", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0023.999] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="iam", cchWideChar=3, lpMultiByteStr=0xbac238, cbMultiByte=3, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="iam", lpUsedDefaultChar=0x0) returned 3 [0023.999] RegEnumKeyW (in: hKey=0x118, dwIndex=0xf, lpName=0x8898c0, cchName=0x104 | out: lpName="IME") returned 0x0 [0023.999] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ime", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0023.999] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ime", cchWideChar=3, lpMultiByteStr=0xbac1f0, cbMultiByte=3, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ime", lpUsedDefaultChar=0x0) returned 3 [0023.999] RegEnumKeyW (in: hKey=0x118, dwIndex=0x10, lpName=0x8898c0, cchName=0x104 | out: lpName="IMEJP") returned 0x0 [0023.999] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="imejp", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0023.999] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="imejp", cchWideChar=5, lpMultiByteStr=0xbac238, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="imejp", lpUsedDefaultChar=0x0) returned 5 [0023.999] RegEnumKeyW (in: hKey=0x118, dwIndex=0x11, lpName=0x8898c0, cchName=0x104 | out: lpName="IMEMIP") returned 0x0 [0023.999] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="imemip", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0023.999] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="imemip", cchWideChar=6, lpMultiByteStr=0xbac1f0, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="imemip", lpUsedDefaultChar=0x0) returned 6 [0023.999] RegEnumKeyW (in: hKey=0x118, dwIndex=0x12, lpName=0x8898c0, cchName=0x104 | out: lpName="Internet Connection Wizard") returned 0x0 [0023.999] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="internet connection wizard", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0023.999] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="internet connection wizard", cchWideChar=26, lpMultiByteStr=0xbac238, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="internet connection wizard", lpUsedDefaultChar=0x0) returned 26 [0023.999] RegEnumKeyW (in: hKey=0x118, dwIndex=0x13, lpName=0x8898c0, cchName=0x104 | out: lpName="Internet Explorer") returned 0x0 [0023.999] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="internet explorer", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0023.999] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="internet explorer", cchWideChar=17, lpMultiByteStr=0xbac1f0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="internet explorer", lpUsedDefaultChar=0x0) returned 17 [0023.999] RegEnumKeyW (in: hKey=0x118, dwIndex=0x14, lpName=0x8898c0, cchName=0x104 | out: lpName="Internet Mail and News") returned 0x0 [0024.000] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="internet mail and news", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0024.000] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="internet mail and news", cchWideChar=22, lpMultiByteStr=0xbac238, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="internet mail and news", lpUsedDefaultChar=0x0) returned 22 [0024.000] RegEnumKeyW (in: hKey=0x118, dwIndex=0x15, lpName=0x8898c0, cchName=0x104 | out: lpName="Java VM") returned 0x0 [0024.000] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="java vm", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0024.000] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="java vm", cchWideChar=7, lpMultiByteStr=0xbac1f0, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="java vm", lpUsedDefaultChar=0x0) returned 7 [0024.000] RegEnumKeyW (in: hKey=0x118, dwIndex=0x16, lpName=0x8898c0, cchName=0x104 | out: lpName="Keyboard") returned 0x0 [0024.000] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="keyboard", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0024.000] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="keyboard", cchWideChar=8, lpMultiByteStr=0xbac238, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="keyboard", lpUsedDefaultChar=0x0) returned 8 [0024.000] RegEnumKeyW (in: hKey=0x118, dwIndex=0x17, lpName=0x8898c0, cchName=0x104 | out: lpName="MediaPlayer") returned 0x0 [0024.000] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mediaplayer", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0024.000] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mediaplayer", cchWideChar=11, lpMultiByteStr=0xbac1f0, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mediaplayer", lpUsedDefaultChar=0x0) returned 11 [0024.000] RegEnumKeyW (in: hKey=0x118, dwIndex=0x18, lpName=0x8898c0, cchName=0x104 | out: lpName="Microsoft Management Console") returned 0x0 [0024.000] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="microsoft management console", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0024.000] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="microsoft management console", cchWideChar=28, lpMultiByteStr=0xbac238, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="microsoft management console", lpUsedDefaultChar=0x0) returned 28 [0024.000] RegEnumKeyW (in: hKey=0x118, dwIndex=0x19, lpName=0x8898c0, cchName=0x104 | out: lpName="MS Design Tools") returned 0x0 [0024.000] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ms design tools", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0024.000] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ms design tools", cchWideChar=15, lpMultiByteStr=0xbac1f0, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ms design tools", lpUsedDefaultChar=0x0) returned 15 [0024.001] RegEnumKeyW (in: hKey=0x118, dwIndex=0x1a, lpName=0x8898c0, cchName=0x104 | out: lpName="MSDAIPP") returned 0x0 [0024.001] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="msdaipp", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0024.001] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="msdaipp", cchWideChar=7, lpMultiByteStr=0xbac238, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msdaipp", lpUsedDefaultChar=0x0) returned 7 [0024.001] RegEnumKeyW (in: hKey=0x118, dwIndex=0x1b, lpName=0x8898c0, cchName=0x104 | out: lpName="MSF") returned 0x0 [0024.001] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="msf", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0024.001] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="msf", cchWideChar=3, lpMultiByteStr=0xbac1f0, cbMultiByte=3, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msf", lpUsedDefaultChar=0x0) returned 3 [0024.001] RegEnumKeyW (in: hKey=0x118, dwIndex=0x1c, lpName=0x8898c0, cchName=0x104 | out: lpName="Multimedia") returned 0x0 [0024.001] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="multimedia", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0024.001] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="multimedia", cchWideChar=10, lpMultiByteStr=0xbac238, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="multimedia", lpUsedDefaultChar=0x0) returned 10 [0024.001] RegEnumKeyW (in: hKey=0x118, dwIndex=0x1d, lpName=0x8898c0, cchName=0x104 | out: lpName="Notepad") returned 0x0 [0024.001] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="notepad", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0024.001] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="notepad", cchWideChar=7, lpMultiByteStr=0xbac1f0, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="notepad", lpUsedDefaultChar=0x0) returned 7 [0024.001] RegEnumKeyW (in: hKey=0x118, dwIndex=0x1e, lpName=0x8898c0, cchName=0x104 | out: lpName="Office") returned 0x0 [0024.001] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="office", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0024.001] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="office", cchWideChar=6, lpMultiByteStr=0xbac238, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="office", lpUsedDefaultChar=0x0) returned 6 [0024.001] RegEnumKeyW (in: hKey=0x118, dwIndex=0x1f, lpName=0x8898c0, cchName=0x104 | out: lpName="PeerNet") returned 0x0 [0024.001] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="peernet", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0024.001] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="peernet", cchWideChar=7, lpMultiByteStr=0xbac1f0, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="peernet", lpUsedDefaultChar=0x0) returned 7 [0024.001] RegEnumKeyW (in: hKey=0x118, dwIndex=0x20, lpName=0x8898c0, cchName=0x104 | out: lpName="Protected Storage System Provider") returned 0x0 [0024.002] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="protected storage system provider", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0024.002] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="protected storage system provider", cchWideChar=33, lpMultiByteStr=0xbac238, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="protected storage system provider", lpUsedDefaultChar=0x0) returned 33 [0024.002] RegEnumKeyW (in: hKey=0x118, dwIndex=0x21, lpName=0x8898c0, cchName=0x104 | out: lpName="RAS AutoDial") returned 0x0 [0024.002] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ras autodial", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0024.002] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ras autodial", cchWideChar=12, lpMultiByteStr=0xbac1f0, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ras autodial", lpUsedDefaultChar=0x0) returned 12 [0024.002] RegEnumKeyW (in: hKey=0x118, dwIndex=0x22, lpName=0x8898c0, cchName=0x104 | out: lpName="RAS Phonebook") returned 0x0 [0024.002] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ras phonebook", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0024.002] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ras phonebook", cchWideChar=13, lpMultiByteStr=0xbac238, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ras phonebook", lpUsedDefaultChar=0x0) returned 13 [0024.002] RegEnumKeyW (in: hKey=0x118, dwIndex=0x23, lpName=0x8898c0, cchName=0x104 | out: lpName="Remote Assistance") returned 0x0 [0024.002] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="remote assistance", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0024.002] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="remote assistance", cchWideChar=17, lpMultiByteStr=0xbac1f0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="remote assistance", lpUsedDefaultChar=0x0) returned 17 [0024.002] RegEnumKeyW (in: hKey=0x118, dwIndex=0x24, lpName=0x8898c0, cchName=0x104 | out: lpName="Shared") returned 0x0 [0024.002] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="shared", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0024.002] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="shared", cchWideChar=6, lpMultiByteStr=0xbac238, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="shared", lpUsedDefaultChar=0x0) returned 6 [0024.002] RegEnumKeyW (in: hKey=0x118, dwIndex=0x25, lpName=0x8898c0, cchName=0x104 | out: lpName="Shared Tools") returned 0x0 [0024.002] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="shared tools", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0024.002] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="shared tools", cchWideChar=12, lpMultiByteStr=0xbac1f0, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="shared tools", lpUsedDefaultChar=0x0) returned 12 [0024.002] RegEnumKeyW (in: hKey=0x118, dwIndex=0x26, lpName=0x8898c0, cchName=0x104 | out: lpName="SideShow") returned 0x0 [0024.002] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="sideshow", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0024.002] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="sideshow", cchWideChar=8, lpMultiByteStr=0xbac238, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="sideshow", lpUsedDefaultChar=0x0) returned 8 [0024.003] RegEnumKeyW (in: hKey=0x118, dwIndex=0x27, lpName=0x8898c0, cchName=0x104 | out: lpName="Speech") returned 0x0 [0024.003] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="speech", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0024.003] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="speech", cchWideChar=6, lpMultiByteStr=0xbac1f0, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="speech", lpUsedDefaultChar=0x0) returned 6 [0024.003] RegEnumKeyW (in: hKey=0x118, dwIndex=0x28, lpName=0x8898c0, cchName=0x104 | out: lpName="SQMClient") returned 0x0 [0024.003] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="sqmclient", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0024.003] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="sqmclient", cchWideChar=9, lpMultiByteStr=0xbac238, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="sqmclient", lpUsedDefaultChar=0x0) returned 9 [0024.003] RegEnumKeyW (in: hKey=0x118, dwIndex=0x29, lpName=0x8898c0, cchName=0x104 | out: lpName="SystemCertificates") returned 0x0 [0024.003] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="systemcertificates", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0024.003] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="systemcertificates", cchWideChar=18, lpMultiByteStr=0xbac1f0, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="systemcertificates", lpUsedDefaultChar=0x0) returned 18 [0024.003] RegEnumKeyW (in: hKey=0x118, dwIndex=0x2a, lpName=0x8898c0, cchName=0x104 | out: lpName="VBA") returned 0x0 [0024.003] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="vba", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0024.003] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="vba", cchWideChar=3, lpMultiByteStr=0xbac238, cbMultiByte=3, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="vba", lpUsedDefaultChar=0x0) returned 3 [0024.003] RegEnumKeyW (in: hKey=0x118, dwIndex=0x2b, lpName=0x8898c0, cchName=0x104 | out: lpName="VisualStudio") returned 0x0 [0024.003] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="visualstudio", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0024.003] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="visualstudio", cchWideChar=12, lpMultiByteStr=0xbac1f0, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="visualstudio", lpUsedDefaultChar=0x0) returned 12 [0024.003] RegEnumKeyW (in: hKey=0x118, dwIndex=0x2c, lpName=0x8898c0, cchName=0x104 | out: lpName="WAB") returned 0x0 [0024.003] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="wab", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0024.003] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="wab", cchWideChar=3, lpMultiByteStr=0xbac238, cbMultiByte=3, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="wab", lpUsedDefaultChar=0x0) returned 3 [0024.003] RegEnumKeyW (in: hKey=0x118, dwIndex=0x2d, lpName=0x8898c0, cchName=0x104 | out: lpName="Web Service Providers") returned 0x0 [0024.004] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="web service providers", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0024.004] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="web service providers", cchWideChar=21, lpMultiByteStr=0xbac1f0, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="web service providers", lpUsedDefaultChar=0x0) returned 21 [0024.004] RegEnumKeyW (in: hKey=0x118, dwIndex=0x2e, lpName=0x8898c0, cchName=0x104 | out: lpName="wfs") returned 0x0 [0024.004] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="wfs", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0024.004] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="wfs", cchWideChar=3, lpMultiByteStr=0xbac238, cbMultiByte=3, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="wfs", lpUsedDefaultChar=0x0) returned 3 [0024.004] RegEnumKeyW (in: hKey=0x118, dwIndex=0x2f, lpName=0x8898c0, cchName=0x104 | out: lpName="Windows") returned 0x0 [0024.004] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="windows", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0024.004] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="windows", cchWideChar=7, lpMultiByteStr=0xbac1f0, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="windows", lpUsedDefaultChar=0x0) returned 7 [0024.004] RegOpenKeyExW (in: hKey=0x118, lpSubKey="Windows", ulOptions=0x0, samDesired=0x20109, phkResult=0x3af5a0 | out: phkResult=0x3af5a0*=0x11c) returned 0x0 [0024.004] RegCloseKey (hKey=0x118) returned 0x0 [0024.004] RegEnumKeyW (in: hKey=0x11c, dwIndex=0x0, lpName=0x8898c0, cchName=0x104 | out: lpName="CurrentVersion") returned 0x0 [0024.004] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="currentversion", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0024.004] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="currentversion", cchWideChar=14, lpMultiByteStr=0xbac238, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="currentversion", lpUsedDefaultChar=0x0) returned 14 [0024.004] RegOpenKeyExW (in: hKey=0x11c, lpSubKey="CurrentVersion", ulOptions=0x0, samDesired=0x20109, phkResult=0x3af5a0 | out: phkResult=0x3af5a0*=0x118) returned 0x0 [0024.004] RegCloseKey (hKey=0x11c) returned 0x0 [0024.004] RegEnumKeyW (in: hKey=0x118, dwIndex=0x0, lpName=0x8898c0, cchName=0x104 | out: lpName="Action Center") returned 0x0 [0024.004] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="action center", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0024.004] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="action center", cchWideChar=13, lpMultiByteStr=0xbac1f0, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="action center", lpUsedDefaultChar=0x0) returned 13 [0024.005] RegEnumKeyW (in: hKey=0x118, dwIndex=0x1, lpName=0x8898c0, cchName=0x104 | out: lpName="Applets") returned 0x0 [0024.005] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="applets", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0024.005] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="applets", cchWideChar=7, lpMultiByteStr=0xbac238, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="applets", lpUsedDefaultChar=0x0) returned 7 [0024.005] RegEnumKeyW (in: hKey=0x118, dwIndex=0x2, lpName=0x8898c0, cchName=0x104 | out: lpName="Controls Folder (Wow64)") returned 0x0 [0024.005] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="controls folder (wow64)", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0024.005] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="controls folder (wow64)", cchWideChar=23, lpMultiByteStr=0xbac1f0, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="controls folder (wow64)", lpUsedDefaultChar=0x0) returned 23 [0024.005] RegEnumKeyW (in: hKey=0x118, dwIndex=0x3, lpName=0x8898c0, cchName=0x104 | out: lpName="Explorer") returned 0x0 [0024.005] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="explorer", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0024.005] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="explorer", cchWideChar=8, lpMultiByteStr=0xbac238, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="explorer", lpUsedDefaultChar=0x0) returned 8 [0024.005] RegOpenKeyExW (in: hKey=0x118, lpSubKey="Explorer", ulOptions=0x0, samDesired=0x20109, phkResult=0x3af5a0 | out: phkResult=0x3af5a0*=0x11c) returned 0x0 [0024.005] RegCloseKey (hKey=0x118) returned 0x0 [0024.005] RegEnumKeyW (in: hKey=0x11c, dwIndex=0x0, lpName=0x8898c0, cchName=0x104 | out: lpName="Advanced") returned 0x0 [0024.005] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="advanced", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0024.005] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="advanced", cchWideChar=8, lpMultiByteStr=0xbac1f0, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="advanced", lpUsedDefaultChar=0x0) returned 8 [0024.005] RegEnumKeyW (in: hKey=0x11c, dwIndex=0x1, lpName=0x8898c0, cchName=0x104 | out: lpName="ApplicationDestinations") returned 0x0 [0024.005] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="applicationdestinations", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0024.005] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="applicationdestinations", cchWideChar=23, lpMultiByteStr=0xbac238, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="applicationdestinations", lpUsedDefaultChar=0x0) returned 23 [0024.005] RegEnumKeyW (in: hKey=0x11c, dwIndex=0x2, lpName=0x8898c0, cchName=0x104 | out: lpName="AutoComplete") returned 0x0 [0024.005] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="autocomplete", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0024.005] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="autocomplete", cchWideChar=12, lpMultiByteStr=0xbac1f0, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="autocomplete", lpUsedDefaultChar=0x0) returned 12 [0024.006] RegEnumKeyW (in: hKey=0x11c, dwIndex=0x3, lpName=0x8898c0, cchName=0x104 | out: lpName="AutoplayHandlers") returned 0x0 [0024.006] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="autoplayhandlers", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0024.006] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="autoplayhandlers", cchWideChar=16, lpMultiByteStr=0xbac238, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="autoplayhandlers", lpUsedDefaultChar=0x0) returned 16 [0024.006] RegEnumKeyW (in: hKey=0x11c, dwIndex=0x4, lpName=0x8898c0, cchName=0x104 | out: lpName="BitBucket") returned 0x0 [0024.006] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="bitbucket", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0024.006] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="bitbucket", cchWideChar=9, lpMultiByteStr=0xbac1f0, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bitbucket", lpUsedDefaultChar=0x0) returned 9 [0024.006] RegEnumKeyW (in: hKey=0x11c, dwIndex=0x5, lpName=0x8898c0, cchName=0x104 | out: lpName="CabinetState") returned 0x0 [0024.006] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="cabinetstate", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0024.006] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="cabinetstate", cchWideChar=12, lpMultiByteStr=0xbac238, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="cabinetstate", lpUsedDefaultChar=0x0) returned 12 [0024.006] RegEnumKeyW (in: hKey=0x11c, dwIndex=0x6, lpName=0x8898c0, cchName=0x104 | out: lpName="CD Burning") returned 0x0 [0024.006] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="cd burning", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0024.006] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="cd burning", cchWideChar=10, lpMultiByteStr=0xbac1f0, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="cd burning", lpUsedDefaultChar=0x0) returned 10 [0024.006] RegEnumKeyW (in: hKey=0x11c, dwIndex=0x7, lpName=0x8898c0, cchName=0x104 | out: lpName="CIDOpen") returned 0x0 [0024.006] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="cidopen", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0024.006] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="cidopen", cchWideChar=7, lpMultiByteStr=0xbac238, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="cidopen", lpUsedDefaultChar=0x0) returned 7 [0024.006] RegEnumKeyW (in: hKey=0x11c, dwIndex=0x8, lpName=0x8898c0, cchName=0x104 | out: lpName="CLSID") returned 0x0 [0024.006] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="clsid", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0024.006] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="clsid", cchWideChar=5, lpMultiByteStr=0xbac1f0, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="clsid", lpUsedDefaultChar=0x0) returned 5 [0024.006] RegEnumKeyW (in: hKey=0x11c, dwIndex=0x9, lpName=0x8898c0, cchName=0x104 | out: lpName="ComDlg32") returned 0x0 [0024.006] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="comdlg32", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0024.006] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="comdlg32", cchWideChar=8, lpMultiByteStr=0xbac238, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="comdlg32", lpUsedDefaultChar=0x0) returned 8 [0024.007] RegEnumKeyW (in: hKey=0x11c, dwIndex=0xa, lpName=0x8898c0, cchName=0x104 | out: lpName="Discardable") returned 0x0 [0024.007] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="discardable", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0024.007] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="discardable", cchWideChar=11, lpMultiByteStr=0xbac1f0, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="discardable", lpUsedDefaultChar=0x0) returned 11 [0024.007] RegEnumKeyW (in: hKey=0x11c, dwIndex=0xb, lpName=0x8898c0, cchName=0x104 | out: lpName="FileExts") returned 0x0 [0024.007] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="fileexts", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0024.007] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="fileexts", cchWideChar=8, lpMultiByteStr=0xbac238, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="fileexts", lpUsedDefaultChar=0x0) returned 8 [0024.007] RegEnumKeyW (in: hKey=0x11c, dwIndex=0xc, lpName=0x8898c0, cchName=0x104 | out: lpName="LowRegistry") returned 0x0 [0024.007] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="lowregistry", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0024.007] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="lowregistry", cchWideChar=11, lpMultiByteStr=0xbac1f0, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="lowregistry", lpUsedDefaultChar=0x0) returned 11 [0024.007] RegEnumKeyW (in: hKey=0x11c, dwIndex=0xd, lpName=0x8898c0, cchName=0x104 | out: lpName="MenuOrder") returned 0x0 [0024.007] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="menuorder", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0024.007] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="menuorder", cchWideChar=9, lpMultiByteStr=0xbac238, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="menuorder", lpUsedDefaultChar=0x0) returned 9 [0024.007] RegEnumKeyW (in: hKey=0x11c, dwIndex=0xe, lpName=0x8898c0, cchName=0x104 | out: lpName="Modules") returned 0x0 [0024.007] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="modules", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0024.007] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="modules", cchWideChar=7, lpMultiByteStr=0xbac1f0, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="modules", lpUsedDefaultChar=0x0) returned 7 [0024.007] RegEnumKeyW (in: hKey=0x11c, dwIndex=0xf, lpName=0x8898c0, cchName=0x104 | out: lpName="MountPoints2") returned 0x0 [0024.007] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mountpoints2", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0024.007] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mountpoints2", cchWideChar=12, lpMultiByteStr=0xbac238, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mountpoints2", lpUsedDefaultChar=0x0) returned 12 [0024.007] RegEnumKeyW (in: hKey=0x11c, dwIndex=0x10, lpName=0x8898c0, cchName=0x104 | out: lpName="NewShortcutHandlers") returned 0x0 [0024.007] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="newshortcuthandlers", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0024.007] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="newshortcuthandlers", cchWideChar=19, lpMultiByteStr=0xbac1f0, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="newshortcuthandlers", lpUsedDefaultChar=0x0) returned 19 [0024.007] RegEnumKeyW (in: hKey=0x11c, dwIndex=0x11, lpName=0x8898c0, cchName=0x104 | out: lpName="RecentDocs") returned 0x0 [0024.007] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="recentdocs", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0024.007] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="recentdocs", cchWideChar=10, lpMultiByteStr=0xbac238, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="recentdocs", lpUsedDefaultChar=0x0) returned 10 [0024.007] RegEnumKeyW (in: hKey=0x11c, dwIndex=0x12, lpName=0x8898c0, cchName=0x104 | out: lpName="RunMRU") returned 0x0 [0024.007] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="runmru", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0024.008] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="runmru", cchWideChar=6, lpMultiByteStr=0xbac1f0, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="runmru", lpUsedDefaultChar=0x0) returned 6 [0024.008] RegEnumKeyW (in: hKey=0x11c, dwIndex=0x13, lpName=0x8898c0, cchName=0x104 | out: lpName="SearchPlatform") returned 0x0 [0024.008] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="searchplatform", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0024.008] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="searchplatform", cchWideChar=14, lpMultiByteStr=0xbac238, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="searchplatform", lpUsedDefaultChar=0x0) returned 14 [0024.008] RegEnumKeyW (in: hKey=0x11c, dwIndex=0x14, lpName=0x8898c0, cchName=0x104 | out: lpName="Shell Folders") returned 0x0 [0024.008] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="shell folders", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0024.008] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="shell folders", cchWideChar=13, lpMultiByteStr=0xbac1f0, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="shell folders", lpUsedDefaultChar=0x0) returned 13 [0024.008] RegOpenKeyExW (in: hKey=0x11c, lpSubKey="Shell Folders", ulOptions=0x0, samDesired=0x20109, phkResult=0x3af5a0 | out: phkResult=0x3af5a0*=0x118) returned 0x0 [0024.008] RegCloseKey (hKey=0x11c) returned 0x0 [0024.008] RegEnumValueA (in: hKey=0x118, dwIndex=0x0, lpValueName=0x3af4e8, lpcchValueName=0x3af4e4, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="!Do not use this registry key", lpcchValueName=0x3af4e4, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0024.008] RegEnumValueA (in: hKey=0x118, dwIndex=0x1, lpValueName=0x3af4e8, lpcchValueName=0x3af4e4, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="AppData", lpcchValueName=0x3af4e4, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0024.008] RegEnumValueA (in: hKey=0x118, dwIndex=0x2, lpValueName=0x3af4e8, lpcchValueName=0x3af4e4, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="Local AppData", lpcchValueName=0x3af4e4, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0024.008] RegEnumValueA (in: hKey=0x118, dwIndex=0x3, lpValueName=0x3af4e8, lpcchValueName=0x3af4e4, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="My Video", lpcchValueName=0x3af4e4, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0024.008] RegEnumValueA (in: hKey=0x118, dwIndex=0x4, lpValueName=0x3af4e8, lpcchValueName=0x3af4e4, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="{1B3EA5DC-B587-4786-B4EF-BD1DC332AEAE}", lpcchValueName=0x3af4e4, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0024.008] RegEnumValueA (in: hKey=0x118, dwIndex=0x5, lpValueName=0x3af4e8, lpcchValueName=0x3af4e4, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="My Pictures", lpcchValueName=0x3af4e4, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0024.008] RegEnumValueA (in: hKey=0x118, dwIndex=0x6, lpValueName=0x3af4e8, lpcchValueName=0x3af4e4, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="Desktop", lpcchValueName=0x3af4e4, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0024.008] RegEnumValueA (in: hKey=0x118, dwIndex=0x7, lpValueName=0x3af4e8, lpcchValueName=0x3af4e4, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="History", lpcchValueName=0x3af4e4, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0024.009] RegEnumValueA (in: hKey=0x118, dwIndex=0x8, lpValueName=0x3af4e8, lpcchValueName=0x3af4e4, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="NetHood", lpcchValueName=0x3af4e4, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0024.009] RegEnumValueA (in: hKey=0x118, dwIndex=0x9, lpValueName=0x3af4e8, lpcchValueName=0x3af4e4, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="{56784854-C6CB-462B-8169-88E350ACB882}", lpcchValueName=0x3af4e4, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0024.009] RegEnumValueA (in: hKey=0x118, dwIndex=0xa, lpValueName=0x3af4e8, lpcchValueName=0x3af4e4, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="Cookies", lpcchValueName=0x3af4e4, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0024.009] RegEnumValueA (in: hKey=0x118, dwIndex=0xb, lpValueName=0x3af4e8, lpcchValueName=0x3af4e4, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="Favorites", lpcchValueName=0x3af4e4, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0024.009] RegEnumValueA (in: hKey=0x118, dwIndex=0xc, lpValueName=0x3af4e8, lpcchValueName=0x3af4e4, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="SendTo", lpcchValueName=0x3af4e4, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0024.009] RegEnumValueA (in: hKey=0x118, dwIndex=0xd, lpValueName=0x3af4e8, lpcchValueName=0x3af4e4, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="Start Menu", lpcchValueName=0x3af4e4, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0024.009] RegEnumValueA (in: hKey=0x118, dwIndex=0xe, lpValueName=0x3af4e8, lpcchValueName=0x3af4e4, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="My Music", lpcchValueName=0x3af4e4, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0024.009] RegEnumValueA (in: hKey=0x118, dwIndex=0xf, lpValueName=0x3af4e8, lpcchValueName=0x3af4e4, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="Programs", lpcchValueName=0x3af4e4, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0024.009] RegEnumValueA (in: hKey=0x118, dwIndex=0x10, lpValueName=0x3af4e8, lpcchValueName=0x3af4e4, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="Recent", lpcchValueName=0x3af4e4, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0024.009] RegEnumValueA (in: hKey=0x118, dwIndex=0x11, lpValueName=0x3af4e8, lpcchValueName=0x3af4e4, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="CD Burning", lpcchValueName=0x3af4e4, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0024.009] RegEnumValueA (in: hKey=0x118, dwIndex=0x12, lpValueName=0x3af4e8, lpcchValueName=0x3af4e4, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="PrintHood", lpcchValueName=0x3af4e4, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0024.009] RegEnumValueA (in: hKey=0x118, dwIndex=0x13, lpValueName=0x3af4e8, lpcchValueName=0x3af4e4, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="{7D1D3A04-DEBB-4115-95CF-2F29DA2920DA}", lpcchValueName=0x3af4e4, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0024.009] RegEnumValueA (in: hKey=0x118, dwIndex=0x14, lpValueName=0x3af4e8, lpcchValueName=0x3af4e4, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="{374DE290-123F-4565-9164-39C4925E467B}", lpcchValueName=0x3af4e4, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0024.009] RegEnumValueA (in: hKey=0x118, dwIndex=0x15, lpValueName=0x3af4e8, lpcchValueName=0x3af4e4, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="{A520A1A4-1780-4FF6-BD18-167343C5AF16}", lpcchValueName=0x3af4e4, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0024.009] RegEnumValueA (in: hKey=0x118, dwIndex=0x16, lpValueName=0x3af4e8, lpcchValueName=0x3af4e4, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="Startup", lpcchValueName=0x3af4e4, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0024.009] RegEnumValueA (in: hKey=0x118, dwIndex=0x17, lpValueName=0x3af4e8, lpcchValueName=0x3af4e4, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="Administrative Tools", lpcchValueName=0x3af4e4, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0024.009] RegEnumValueA (in: hKey=0x118, dwIndex=0x18, lpValueName=0x3af4e8, lpcchValueName=0x3af4e4, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="Personal", lpcchValueName=0x3af4e4, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0024.010] RegEnumValueA (in: hKey=0x118, dwIndex=0x19, lpValueName=0x3af4e8, lpcchValueName=0x3af4e4, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="{BFB9D5E0-C6A9-404C-B2B2-AE6DB6AF4968}", lpcchValueName=0x3af4e4, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0024.010] RegEnumValueA (in: hKey=0x118, dwIndex=0x1a, lpValueName=0x3af4e8, lpcchValueName=0x3af4e4, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="Cache", lpcchValueName=0x3af4e4, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0024.010] RegEnumValueA (in: hKey=0x118, dwIndex=0x1b, lpValueName=0x3af4e8, lpcchValueName=0x3af4e4, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="Templates", lpcchValueName=0x3af4e4, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0024.010] RegEnumValueA (in: hKey=0x118, dwIndex=0x1c, lpValueName=0x3af4e8, lpcchValueName=0x3af4e4, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="{4C5C32FF-BB9D-43B0-B5B4-2D72E54EAAA4}", lpcchValueName=0x3af4e4, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0024.010] RegEnumValueA (in: hKey=0x118, dwIndex=0x1d, lpValueName=0x3af4e8, lpcchValueName=0x3af4e4, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="Fonts", lpcchValueName=0x3af4e4, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0024.010] RegEnumValueA (in: hKey=0x118, dwIndex=0x1e, lpValueName=0x3af4e8, lpcchValueName=0x3af4e4, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="Fonts", lpcchValueName=0x3af4e4, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x103 [0024.010] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xbac238, cbMultiByte=7, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0024.010] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xbac238, cbMultiByte=7, lpWideCharStr=0x8811a8, cchWideChar=7 | out: lpWideCharStr="AppData") returned 7 [0024.010] RegQueryValueExW (in: hKey=0x118, lpValueName="AppData", lpReserved=0x0, lpType=0x3af5a4, lpData=0x0, lpcbData=0x3af5b4*=0x0 | out: lpType=0x3af5a4*=0x1, lpData=0x0, lpcbData=0x3af5b4*=0x5c) returned 0x0 [0024.010] RegQueryValueExW (in: hKey=0x118, lpValueName="AppData", lpReserved=0x0, lpType=0x3af5a4, lpData=0x8811a8, lpcbData=0x3af5b4*=0x5c | out: lpType=0x3af5a4*=0x1, lpData="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming", lpcbData=0x3af5b4*=0x5c) returned 0x0 [0024.010] GetShortPathNameW (in: lpszLongPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming", lpszShortPath=0x883778, cchBuffer=0x200 | out: lpszShortPath="C:\\Users\\5P5NRG~1\\AppData\\Roaming") returned 0x21 [0024.011] RegCloseKey (hKey=0x118) returned 0x0 [0024.011] CryptAcquireContextW (in: phProv=0x3af648, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x3af648*=0x4b22f0) returned 1 [0024.011] CryptGenRandom (in: hProv=0x4b22f0, dwLen=0x4, pbBuffer=0x3af65c | out: pbBuffer=0x3af65c) returned 1 [0024.011] CryptReleaseContext (hProv=0x4b22f0, dwFlags=0x0) returned 1 [0024.011] CryptAcquireContextW (in: phProv=0x3af644, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x3af644*=0x4b22f0) returned 1 [0024.012] CryptGenRandom (in: hProv=0x4b22f0, dwLen=0x4, pbBuffer=0x3af658 | out: pbBuffer=0x3af658) returned 1 [0024.012] CryptReleaseContext (hProv=0x4b22f0, dwFlags=0x0) returned 1 [0024.012] CryptAcquireContextW (in: phProv=0x3af644, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x3af644*=0x4b22f0) returned 1 [0024.013] CryptGenRandom (in: hProv=0x4b22f0, dwLen=0x4, pbBuffer=0x3af658 | out: pbBuffer=0x3af658) returned 1 [0024.013] CryptReleaseContext (hProv=0x4b22f0, dwFlags=0x0) returned 1 [0024.013] CryptAcquireContextW (in: phProv=0x3af644, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x3af644*=0x4b22f0) returned 1 [0024.013] CryptGenRandom (in: hProv=0x4b22f0, dwLen=0x4, pbBuffer=0x3af658 | out: pbBuffer=0x3af658) returned 1 [0024.013] CryptReleaseContext (hProv=0x4b22f0, dwFlags=0x0) returned 1 [0024.013] CryptAcquireContextW (in: phProv=0x3af644, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x3af644*=0x4b22f0) returned 1 [0024.014] CryptGenRandom (in: hProv=0x4b22f0, dwLen=0x4, pbBuffer=0x3af658 | out: pbBuffer=0x3af658) returned 1 [0024.014] CryptReleaseContext (hProv=0x4b22f0, dwFlags=0x0) returned 1 [0024.014] CryptAcquireContextW (in: phProv=0x3af644, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x3af644*=0x4b22f0) returned 1 [0024.014] CryptGenRandom (in: hProv=0x4b22f0, dwLen=0x4, pbBuffer=0x3af658 | out: pbBuffer=0x3af658) returned 1 [0024.014] CryptReleaseContext (hProv=0x4b22f0, dwFlags=0x0) returned 1 [0024.014] CryptAcquireContextW (in: phProv=0x3af644, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x3af644*=0x4b22f0) returned 1 [0024.015] CryptGenRandom (in: hProv=0x4b22f0, dwLen=0x4, pbBuffer=0x3af658 | out: pbBuffer=0x3af658) returned 1 [0024.015] CryptReleaseContext (hProv=0x4b22f0, dwFlags=0x0) returned 1 [0024.015] CryptAcquireContextW (in: phProv=0x3af644, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x3af644*=0x4b22f0) returned 1 [0024.015] CryptGenRandom (in: hProv=0x4b22f0, dwLen=0x4, pbBuffer=0x3af658 | out: pbBuffer=0x3af658) returned 1 [0024.015] CryptReleaseContext (hProv=0x4b22f0, dwFlags=0x0) returned 1 [0024.015] CryptAcquireContextW (in: phProv=0x3af644, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x3af644*=0x4b22f0) returned 1 [0024.016] CryptGenRandom (in: hProv=0x4b22f0, dwLen=0x4, pbBuffer=0x3af658 | out: pbBuffer=0x3af658) returned 1 [0024.016] CryptReleaseContext (hProv=0x4b22f0, dwFlags=0x0) returned 1 [0024.016] CryptAcquireContextW (in: phProv=0x3af644, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x3af644*=0x4b22f0) returned 1 [0024.016] CryptGenRandom (in: hProv=0x4b22f0, dwLen=0x4, pbBuffer=0x3af658 | out: pbBuffer=0x3af658) returned 1 [0024.017] CryptReleaseContext (hProv=0x4b22f0, dwFlags=0x0) returned 1 [0024.017] CryptAcquireContextW (in: phProv=0x3af644, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x3af644*=0x4b22f0) returned 1 [0024.017] CryptGenRandom (in: hProv=0x4b22f0, dwLen=0x4, pbBuffer=0x3af658 | out: pbBuffer=0x3af658) returned 1 [0024.017] CryptReleaseContext (hProv=0x4b22f0, dwFlags=0x0) returned 1 [0024.017] CryptAcquireContextW (in: phProv=0x3af644, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x3af644*=0x4b22f0) returned 1 [0024.018] CryptGenRandom (in: hProv=0x4b22f0, dwLen=0x4, pbBuffer=0x3af658 | out: pbBuffer=0x3af658) returned 1 [0024.018] CryptReleaseContext (hProv=0x4b22f0, dwFlags=0x0) returned 1 [0024.018] CryptAcquireContextW (in: phProv=0x3af644, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x3af644*=0x4b22f0) returned 1 [0024.018] CryptGenRandom (in: hProv=0x4b22f0, dwLen=0x4, pbBuffer=0x3af658 | out: pbBuffer=0x3af658) returned 1 [0024.018] CryptReleaseContext (hProv=0x4b22f0, dwFlags=0x0) returned 1 [0024.018] CryptAcquireContextW (in: phProv=0x3af644, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x3af644*=0x4b22f0) returned 1 [0024.019] CryptGenRandom (in: hProv=0x4b22f0, dwLen=0x4, pbBuffer=0x3af658 | out: pbBuffer=0x3af658) returned 1 [0024.019] CryptReleaseContext (hProv=0x4b22f0, dwFlags=0x0) returned 1 [0024.019] CryptAcquireContextW (in: phProv=0x3af644, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x3af644*=0x4b22f0) returned 1 [0024.019] CryptGenRandom (in: hProv=0x4b22f0, dwLen=0x4, pbBuffer=0x3af658 | out: pbBuffer=0x3af658) returned 1 [0024.019] CryptReleaseContext (hProv=0x4b22f0, dwFlags=0x0) returned 1 [0024.019] CryptAcquireContextW (in: phProv=0x3af644, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x3af644*=0x4b22f0) returned 1 [0024.020] CryptGenRandom (in: hProv=0x4b22f0, dwLen=0x4, pbBuffer=0x3af658 | out: pbBuffer=0x3af658) returned 1 [0024.020] CryptReleaseContext (hProv=0x4b22f0, dwFlags=0x0) returned 1 [0024.020] CryptAcquireContextW (in: phProv=0x3af644, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x3af644*=0x4b22f0) returned 1 [0024.020] CryptGenRandom (in: hProv=0x4b22f0, dwLen=0x4, pbBuffer=0x3af658 | out: pbBuffer=0x3af658) returned 1 [0024.020] CryptReleaseContext (hProv=0x4b22f0, dwFlags=0x0) returned 1 [0024.020] CryptAcquireContextW (in: phProv=0x3af644, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x3af644*=0x4b22f0) returned 1 [0024.021] CryptGenRandom (in: hProv=0x4b22f0, dwLen=0x4, pbBuffer=0x3af658 | out: pbBuffer=0x3af658) returned 1 [0024.021] CryptReleaseContext (hProv=0x4b22f0, dwFlags=0x0) returned 1 [0024.021] CryptAcquireContextW (in: phProv=0x3af644, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x3af644*=0x4b22f0) returned 1 [0024.021] CryptGenRandom (in: hProv=0x4b22f0, dwLen=0x4, pbBuffer=0x3af658 | out: pbBuffer=0x3af658) returned 1 [0024.021] CryptReleaseContext (hProv=0x4b22f0, dwFlags=0x0) returned 1 [0024.021] CryptAcquireContextW (in: phProv=0x3af644, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x3af644*=0x4b22f0) returned 1 [0024.022] CryptGenRandom (in: hProv=0x4b22f0, dwLen=0x4, pbBuffer=0x3af658 | out: pbBuffer=0x3af658) returned 1 [0024.022] CryptReleaseContext (hProv=0x4b22f0, dwFlags=0x0) returned 1 [0024.022] CryptAcquireContextW (in: phProv=0x3af644, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x3af644*=0x4b22f0) returned 1 [0024.023] CryptGenRandom (in: hProv=0x4b22f0, dwLen=0x4, pbBuffer=0x3af658 | out: pbBuffer=0x3af658) returned 1 [0024.023] CryptReleaseContext (hProv=0x4b22f0, dwFlags=0x0) returned 1 [0024.023] CryptAcquireContextW (in: phProv=0x3af644, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x3af644*=0x4b22f0) returned 1 [0024.023] CryptGenRandom (in: hProv=0x4b22f0, dwLen=0x4, pbBuffer=0x3af658 | out: pbBuffer=0x3af658) returned 1 [0024.024] CryptReleaseContext (hProv=0x4b22f0, dwFlags=0x0) returned 1 [0024.024] CryptAcquireContextW (in: phProv=0x3af644, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x3af644*=0x4b22f0) returned 1 [0024.024] CryptGenRandom (in: hProv=0x4b22f0, dwLen=0x4, pbBuffer=0x3af658 | out: pbBuffer=0x3af658) returned 1 [0024.024] CryptReleaseContext (hProv=0x4b22f0, dwFlags=0x0) returned 1 [0024.024] CryptAcquireContextW (in: phProv=0x3af644, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x3af644*=0x4b22f0) returned 1 [0024.025] CryptGenRandom (in: hProv=0x4b22f0, dwLen=0x4, pbBuffer=0x3af658 | out: pbBuffer=0x3af658) returned 1 [0024.025] CryptReleaseContext (hProv=0x4b22f0, dwFlags=0x0) returned 1 [0024.025] CryptAcquireContextW (in: phProv=0x3af644, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x3af644*=0x4b22f0) returned 1 [0024.025] CryptGenRandom (in: hProv=0x4b22f0, dwLen=0x4, pbBuffer=0x3af658 | out: pbBuffer=0x3af658) returned 1 [0024.025] CryptReleaseContext (hProv=0x4b22f0, dwFlags=0x0) returned 1 [0024.025] CryptAcquireContextW (in: phProv=0x3af644, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x3af644*=0x4b22f0) returned 1 [0024.026] CryptGenRandom (in: hProv=0x4b22f0, dwLen=0x4, pbBuffer=0x3af658 | out: pbBuffer=0x3af658) returned 1 [0024.026] CryptReleaseContext (hProv=0x4b22f0, dwFlags=0x0) returned 1 [0024.026] CryptAcquireContextW (in: phProv=0x3af644, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x3af644*=0x4b22f0) returned 1 [0024.026] CryptGenRandom (in: hProv=0x4b22f0, dwLen=0x4, pbBuffer=0x3af658 | out: pbBuffer=0x3af658) returned 1 [0024.026] CryptReleaseContext (hProv=0x4b22f0, dwFlags=0x0) returned 1 [0024.026] GetFileAttributesExW (in: lpFileName="C:\\Users\\5P5NRG~1\\AppData\\Roaming\\mov7tWJUGg" (normalized: "c:\\users\\5p5nrg~1\\appdata\\roaming\\mov7twjugg"), fInfoLevelId=0x0, lpFileInformation=0x3af610 | out: lpFileInformation=0x3af610*(dwFileAttributes=0x3af940, ftCreationTime.dwLowDateTime=0x1016d29, ftCreationTime.dwHighDateTime=0xba0000, ftLastAccessTime.dwLowDateTime=0x8, ftLastAccessTime.dwHighDateTime=0x1018e92, ftLastWriteTime.dwLowDateTime=0x3afa58, ftLastWriteTime.dwHighDateTime=0x3af940, nFileSizeHigh=0x2, nFileSizeLow=0x3af918)) returned 0 [0024.026] GetLastError () returned 0x2 [0024.027] CreateFileW (lpFileName="C:\\Users\\5P5NRG~1\\AppData\\Roaming\\mov7tWJUGg" (normalized: "c:\\users\\5p5nrg~1\\appdata\\roaming\\mov7twjugg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x2, hTemplateFile=0x0) returned 0x118 [0024.027] SetFileTime (hFile=0x118, lpCreationTime=0x0, lpLastAccessTime=0x3af654, lpLastWriteTime=0x3af654) returned 1 [0024.027] NtClose (Handle=0x118) returned 0x0 [0024.028] GetShortPathNameW (in: lpszLongPath="C:\\Users\\5P5NRG~1\\AppData\\Roaming\\mov7tWJUGg", lpszShortPath=0x883778, cchBuffer=0x200 | out: lpszShortPath="C:\\Users\\5P5NRG~1\\AppData\\Roaming\\MOV7TW~1") returned 0x2a [0024.028] GetFileAttributesExW (in: lpFileName="C:\\Users\\5P5NRG~1\\AppData\\Roaming\\mov7tWJUGg" (normalized: "c:\\users\\5p5nrg~1\\appdata\\roaming\\mov7twjugg"), fInfoLevelId=0x0, lpFileInformation=0x3af650 | out: lpFileInformation=0x3af650*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x2567e2b0, ftCreationTime.dwHighDateTime=0x1d4af0a, ftLastAccessTime.dwLowDateTime=0x2567e2b0, ftLastAccessTime.dwHighDateTime=0x1d4af0a, ftLastWriteTime.dwLowDateTime=0x2567e2b0, ftLastWriteTime.dwHighDateTime=0x1d4af0a, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0024.028] SetFileAttributesW (lpFileName="C:\\Users\\5P5NRG~1\\AppData\\Roaming\\mov7tWJUGg", dwFileAttributes=0x80) returned 1 [0024.028] DeleteFileW (lpFileName="C:\\Users\\5P5NRG~1\\AppData\\Roaming\\mov7tWJUGg" (normalized: "c:\\users\\5p5nrg~1\\appdata\\roaming\\mov7twjugg")) returned 1 [0024.028] GetSystemDirectoryW (in: lpBuffer=0x889a50, uSize=0x40 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0024.028] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\*.exe", fInfoLevelId=0x1, lpFindFileData=0x3af6a8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3af6a8) returned 0x4b22f0 [0024.029] CryptAcquireContextW (in: phProv=0x3af664, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x3af664*=0x4b24e8) returned 1 [0024.029] CryptGenRandom (in: hProv=0x4b24e8, dwLen=0x4, pbBuffer=0x3af678 | out: pbBuffer=0x3af678) returned 1 [0024.029] CryptReleaseContext (hProv=0x4b24e8, dwFlags=0x0) returned 1 [0024.029] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.031] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.031] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.031] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.031] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.031] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.031] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.031] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.031] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.031] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.031] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.031] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.031] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.031] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.031] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.031] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.031] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.031] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.031] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.031] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.031] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.031] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.031] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.031] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.031] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.031] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.031] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.031] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.031] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.031] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.031] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.031] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.031] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.031] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.031] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.031] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.031] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.031] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.031] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.031] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.031] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.031] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.031] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.031] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.031] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.031] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.031] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.032] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.032] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.032] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.032] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.032] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.032] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.032] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.032] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.032] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.032] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.032] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.032] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.032] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.032] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.032] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.032] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.032] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.032] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.032] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.032] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.032] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.032] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.032] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.032] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.032] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.032] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.032] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.032] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.032] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.032] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.032] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.032] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.032] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.032] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.032] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.032] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.032] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.032] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.032] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.032] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.032] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.032] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.032] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.032] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.032] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.032] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.032] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.032] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.032] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.032] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.032] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.032] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.032] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.032] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.032] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.032] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.032] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.032] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.032] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.032] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.032] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.032] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.032] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.033] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.033] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.033] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.033] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.033] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.033] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.033] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.033] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.033] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.033] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.033] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.033] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.033] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.033] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.033] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.033] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.033] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.033] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.033] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.033] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.033] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.033] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.033] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.033] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.033] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.033] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.033] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.033] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.033] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.033] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.033] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.033] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.033] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.033] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.033] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.033] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.033] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.033] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.033] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.033] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.033] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.033] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.033] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.033] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.033] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.033] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.033] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.033] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.033] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.033] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.033] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.033] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.033] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.033] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.033] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.033] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.033] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.033] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.033] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.033] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.033] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.033] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.033] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.034] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.034] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.034] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.034] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.034] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.034] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.034] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.034] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.034] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.034] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.034] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.034] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.034] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.034] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.034] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.034] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.034] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.034] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.034] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.034] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.034] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.034] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.034] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.034] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.034] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.034] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.034] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.034] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.034] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.034] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.034] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.034] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.034] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.034] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.034] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.034] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.034] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.034] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.034] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.034] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.034] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.034] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.034] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.034] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.034] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.034] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.034] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.034] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.034] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.034] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.034] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.034] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.034] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.034] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.034] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.034] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.034] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.034] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.034] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.034] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.034] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.034] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.034] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.035] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.035] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.035] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.035] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.035] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.035] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.035] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.035] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.035] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.035] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.035] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.035] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.035] FindNextFileW (in: hFindFile=0x4b22f0, lpFindFileData=0x3af6a8 | out: lpFindFileData=0x3af6a8) returned 1 [0024.035] GetLastError () returned 0x12 [0024.035] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\*.exe", fInfoLevelId=0x1, lpFindFileData=0x3af6a8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3af6a8) returned 0x4b2330 [0024.035] FindClose (in: hFindFile=0x4b22f0 | out: hFindFile=0x4b22f0) returned 1 [0024.036] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\BdeUnlockWizard.exe" (normalized: "c:\\windows\\system32\\bdeunlockwizard.exe"), fInfoLevelId=0x0, lpFileInformation=0x3af610 | out: lpFileInformation=0x3af610*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc086969a, ftCreationTime.dwHighDateTime=0x1ca0410, ftLastAccessTime.dwLowDateTime=0xc086969a, ftLastAccessTime.dwHighDateTime=0x1ca0410, ftLastWriteTime.dwLowDateTime=0xda72bf00, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x18000)) returned 1 [0024.036] CreateFileW (lpFileName="C:\\Windows\\system32\\BdeUnlockWizard.exe" (normalized: "c:\\windows\\system32\\bdeunlockwizard.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x118 [0024.036] SetFileTime (hFile=0x118, lpCreationTime=0x0, lpLastAccessTime=0x3af654, lpLastWriteTime=0x3af654) returned 0 [0024.037] GetFileSize (in: hFile=0x118, lpFileSizeHigh=0x3af640 | out: lpFileSizeHigh=0x3af640*=0x0) returned 0x18000 [0024.037] SetFilePointer (in: hFile=0x118, lDistanceToMove=0, lpDistanceToMoveHigh=0x3af64c*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x3af64c*=0) returned 0x0 [0024.037] ReadFile (in: hFile=0x118, lpBuffer=0x889a50, nNumberOfBytesToRead=0x18000, lpNumberOfBytesRead=0x3af680, lpOverlapped=0x0 | out: lpBuffer=0x889a50*, lpNumberOfBytesRead=0x3af680*=0x18000, lpOverlapped=0x0) returned 1 [0024.057] GetFileAttributesExW (in: lpFileName="C:\\Users\\5P5NRG~1\\AppData\\Roaming\\MOV7TW~1" (normalized: "c:\\users\\5p5nrg~1\\appdata\\roaming\\mov7tw~1"), fInfoLevelId=0x0, lpFileInformation=0x3af610 | out: lpFileInformation=0x3af610*(dwFileAttributes=0x34b2, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x100f630, ftLastAccessTime.dwLowDateTime=0x77a6e003, ftLastAccessTime.dwHighDateTime=0x1018e92, ftLastWriteTime.dwLowDateTime=0x3afa58, ftLastWriteTime.dwHighDateTime=0x3af940, nFileSizeHigh=0x2, nFileSizeLow=0x3af918)) returned 0 [0024.057] GetLastError () returned 0x2 [0024.057] CreateFileW (lpFileName="C:\\Users\\5P5NRG~1\\AppData\\Roaming\\MOV7TW~1" (normalized: "c:\\users\\5p5nrg~1\\appdata\\roaming\\mov7tw~1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x2, hTemplateFile=0x0) returned 0x118 [0024.057] SetFileTime (hFile=0x118, lpCreationTime=0x0, lpLastAccessTime=0x3af654, lpLastWriteTime=0x3af654) returned 1 [0024.057] WriteFile (in: hFile=0x118, lpBuffer=0x889a50*, nNumberOfBytesToWrite=0x18000, lpNumberOfBytesWritten=0x3af680, lpOverlapped=0x0 | out: lpBuffer=0x889a50*, lpNumberOfBytesWritten=0x3af680*=0x18000, lpOverlapped=0x0) returned 1 [0024.059] NtClose (Handle=0x118) returned 0x0 [0024.061] FindClose (in: hFindFile=0x4b2330 | out: hFindFile=0x4b2330) returned 1 [0024.061] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x883778, nSize=0x200 | out: lpFilename="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\CUsersGrujaAppDataRoaming6Xx3WI1ICfwJbN6F1OD~1.EXE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\cusersgrujaappdataroaming6xx3wi1icfwjbn6f1od~1.exe")) returned 0x58 [0024.062] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\CUsersGrujaAppDataRoaming6Xx3WI1ICfwJbN6F1OD~1.EXE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\cusersgrujaappdataroaming6xx3wi1icfwjbn6f1od~1.exe"), fInfoLevelId=0x0, lpFileInformation=0x3af610 | out: lpFileInformation=0x3af610*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4e3404f0, ftCreationTime.dwHighDateTime=0x1d4ae36, ftLastAccessTime.dwLowDateTime=0x4e3404f0, ftLastAccessTime.dwHighDateTime=0x1d4ae36, ftLastWriteTime.dwLowDateTime=0x16583400, ftLastWriteTime.dwHighDateTime=0x1d4af0a, nFileSizeHigh=0x0, nFileSizeLow=0x20200)) returned 1 [0024.062] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\CUsersGrujaAppDataRoaming6Xx3WI1ICfwJbN6F1OD~1.EXE" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\cusersgrujaappdataroaming6xx3wi1icfwjbn6f1od~1.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x11c [0024.062] SetFileTime (hFile=0x11c, lpCreationTime=0x0, lpLastAccessTime=0x3af654, lpLastWriteTime=0x3af654) returned 0 [0024.062] GetFileSize (in: hFile=0x11c, lpFileSizeHigh=0x3af640 | out: lpFileSizeHigh=0x3af640*=0x0) returned 0x20200 [0024.062] SetFilePointer (in: hFile=0x11c, lDistanceToMove=0, lpDistanceToMoveHigh=0x3af64c*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x3af64c*=0) returned 0x0 [0024.063] ReadFile (in: hFile=0x11c, lpBuffer=0x8a1a58, nNumberOfBytesToRead=0x20200, lpNumberOfBytesRead=0x3af680, lpOverlapped=0x0 | out: lpBuffer=0x8a1a58*, lpNumberOfBytesRead=0x3af680*=0x20200, lpOverlapped=0x0) returned 1 [0024.066] GetFileAttributesExW (in: lpFileName="C:\\Users\\5P5NRG~1\\AppData\\Roaming\\MOV7TW~1:bin" (normalized: "c:\\users\\5p5nrg~1\\appdata\\roaming\\mov7tw~1:bin"), fInfoLevelId=0x0, lpFileInformation=0x3af610 | out: lpFileInformation=0x3af610*(dwFileAttributes=0x3af940, ftCreationTime.dwLowDateTime=0x1016d29, ftCreationTime.dwHighDateTime=0xba0000, ftLastAccessTime.dwLowDateTime=0x8, ftLastAccessTime.dwHighDateTime=0x1018e92, ftLastWriteTime.dwLowDateTime=0x3afa58, ftLastWriteTime.dwHighDateTime=0x3af940, nFileSizeHigh=0x2, nFileSizeLow=0x3af918)) returned 0 [0024.066] GetLastError () returned 0x2 [0024.066] CreateFileW (lpFileName="C:\\Users\\5P5NRG~1\\AppData\\Roaming\\MOV7TW~1:bin" (normalized: "c:\\users\\5p5nrg~1\\appdata\\roaming\\mov7tw~1:bin"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x2, hTemplateFile=0x0) returned 0x11c [0024.066] SetFileTime (hFile=0x11c, lpCreationTime=0x0, lpLastAccessTime=0x3af654, lpLastWriteTime=0x3af654) returned 1 [0024.066] WriteFile (in: hFile=0x11c, lpBuffer=0x8a1a58*, nNumberOfBytesToWrite=0x20200, lpNumberOfBytesWritten=0x3af680, lpOverlapped=0x0 | out: lpBuffer=0x8a1a58*, lpNumberOfBytesWritten=0x3af680*=0x20200, lpOverlapped=0x0) returned 1 [0024.068] NtClose (Handle=0x11c) returned 0x0 [0024.070] CreateProcessW (in: lpApplicationName="C:\\Users\\5P5NRG~1\\AppData\\Roaming\\MOV7TW~1:bin", lpCommandLine="C:\\Users\\5P5NRG~1\\AppData\\Roaming\\MOV7TW~1:bin C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\CUsersGrujaAppDataRoaming6Xx3WI1ICfwJbN6F1OD~1.EXE", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x3af8ec*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3af930 | out: lpCommandLine="C:\\Users\\5P5NRG~1\\AppData\\Roaming\\MOV7TW~1:bin C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\CUsersGrujaAppDataRoaming6Xx3WI1ICfwJbN6F1OD~1.EXE", lpProcessInformation=0x3af930*(hProcess=0x118, hThread=0x11c, dwProcessId=0x954, dwThreadId=0x958)) returned 1 [0024.083] NtClose (Handle=0x11c) returned 0x0 [0024.083] Wow64RevertWow64FsRedirection (OlValue=0x0) returned 1 [0024.083] ExitProcess (uExitCode=0x0) Thread: id = 2 os_tid = 0x950 Process: id = "2" image_name = "mov7tw~1:bin" filename = "c:\\users\\5p5nrg~1\\appdata\\roaming\\mov7tw~1:bin" page_root = "0x4ec33000" os_pid = "0x954" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x93c" cmd_line = "C:\\Users\\5P5NRG~1\\AppData\\Roaming\\MOV7TW~1:bin C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\CUsersGrujaAppDataRoaming6Xx3WI1ICfwJbN6F1OD~1.EXE" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e814" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 210 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 211 start_va = 0x30000 end_va = 0x31fff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 212 start_va = 0x40000 end_va = 0x40fff entry_point = 0x40000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 213 start_va = 0x50000 end_va = 0x53fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 214 start_va = 0x60000 end_va = 0x60fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 215 start_va = 0x130000 end_va = 0x16ffff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 216 start_va = 0x1b0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 217 start_va = 0xdf0000 end_va = 0xe12fff entry_point = 0xdf0000 region_type = mapped_file name = "mov7tw~1" filename = "\\Users\\5P5NRG~1\\AppData\\Roaming\\MOV7TW~1" (normalized: "c:\\users\\5p5nrg~1\\appdata\\roaming\\mov7tw~1") Region: id = 218 start_va = 0x77860000 end_va = 0x77a08fff entry_point = 0x77860000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 219 start_va = 0x77a40000 end_va = 0x77bbffff entry_point = 0x77a40000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 220 start_va = 0x7efb0000 end_va = 0x7efd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efb0000" filename = "" Region: id = 221 start_va = 0x7efdb000 end_va = 0x7efddfff entry_point = 0x0 region_type = private name = "private_0x000000007efdb000" filename = "" Region: id = 222 start_va = 0x7efde000 end_va = 0x7efdefff entry_point = 0x0 region_type = private name = "private_0x000000007efde000" filename = "" Region: id = 223 start_va = 0x7efdf000 end_va = 0x7efdffff entry_point = 0x0 region_type = private name = "private_0x000000007efdf000" filename = "" Region: id = 224 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 225 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 226 start_va = 0x7fff0000 end_va = 0x7fffffeffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 227 start_va = 0x300000 end_va = 0x37ffff entry_point = 0x0 region_type = private name = "private_0x0000000000300000" filename = "" Region: id = 228 start_va = 0x74f80000 end_va = 0x74f87fff entry_point = 0x74f80000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 229 start_va = 0x74f90000 end_va = 0x74febfff entry_point = 0x74f90000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 230 start_va = 0x74ff0000 end_va = 0x7502efff entry_point = 0x74ff0000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 231 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 232 start_va = 0x70000 end_va = 0xd6fff entry_point = 0x70000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 233 start_va = 0x100000 end_va = 0x10ffff entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 234 start_va = 0x3d0000 end_va = 0x4cffff entry_point = 0x0 region_type = private name = "private_0x00000000003d0000" filename = "" Region: id = 235 start_va = 0x751b0000 end_va = 0x7533ffff entry_point = 0x751b0000 region_type = mapped_file name = "gdiplus.dll" filename = "\\Windows\\winsxs\\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\\GdiPlus.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\\gdiplus.dll") Region: id = 236 start_va = 0x75340000 end_va = 0x753c3fff entry_point = 0x75340000 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\\comctl32.dll") Region: id = 237 start_va = 0x753d0000 end_va = 0x75401fff entry_point = 0x753d0000 region_type = mapped_file name = "winmm.dll" filename = "\\Windows\\SysWOW64\\winmm.dll" (normalized: "c:\\windows\\syswow64\\winmm.dll") Region: id = 238 start_va = 0x75410000 end_va = 0x7542bfff entry_point = 0x75410000 region_type = mapped_file name = "oledlg.dll" filename = "\\Windows\\SysWOW64\\oledlg.dll" (normalized: "c:\\windows\\syswow64\\oledlg.dll") Region: id = 239 start_va = 0x75430000 end_va = 0x75480fff entry_point = 0x75430000 region_type = mapped_file name = "winspool.drv" filename = "\\Windows\\SysWOW64\\winspool.drv" (normalized: "c:\\windows\\syswow64\\winspool.drv") Region: id = 240 start_va = 0x75590000 end_va = 0x7559bfff entry_point = 0x75590000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 241 start_va = 0x755a0000 end_va = 0x755fffff entry_point = 0x755a0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 242 start_va = 0x75660000 end_va = 0x7570bfff entry_point = 0x75660000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 243 start_va = 0x75710000 end_va = 0x75719fff entry_point = 0x75710000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\SysWOW64\\lpk.dll" (normalized: "c:\\windows\\syswow64\\lpk.dll") Region: id = 244 start_va = 0x75a60000 end_va = 0x75a78fff entry_point = 0x75a60000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 245 start_va = 0x75a80000 end_va = 0x75b0ffff entry_point = 0x75a80000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 246 start_va = 0x75b10000 end_va = 0x75bfffff entry_point = 0x75b10000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 247 start_va = 0x75cc0000 end_va = 0x76909fff entry_point = 0x75cc0000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 248 start_va = 0x76e30000 end_va = 0x76f8bfff entry_point = 0x76e30000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 249 start_va = 0x76f90000 end_va = 0x7702ffff entry_point = 0x76f90000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 250 start_va = 0x771d0000 end_va = 0x772cffff entry_point = 0x771d0000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 251 start_va = 0x77350000 end_va = 0x773a6fff entry_point = 0x77350000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 252 start_va = 0x773b0000 end_va = 0x774bffff entry_point = 0x773b0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 253 start_va = 0x77550000 end_va = 0x775ecfff entry_point = 0x77550000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 254 start_va = 0x775f0000 end_va = 0x77635fff entry_point = 0x775f0000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 255 start_va = 0x77640000 end_va = 0x77739fff entry_point = 0x0 region_type = private name = "private_0x0000000077640000" filename = "" Region: id = 256 start_va = 0x77740000 end_va = 0x7785efff entry_point = 0x0 region_type = private name = "private_0x0000000077740000" filename = "" Region: id = 257 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 258 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 259 start_va = 0x4d0000 end_va = 0x657fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 260 start_va = 0x76b30000 end_va = 0x76bfbfff entry_point = 0x76b30000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 261 start_va = 0x76c00000 end_va = 0x76c5ffff entry_point = 0x76c00000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 262 start_va = 0x20000 end_va = 0x20fff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 263 start_va = 0x30000 end_va = 0x30fff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 264 start_va = 0xe0000 end_va = 0xfbfff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 265 start_va = 0x660000 end_va = 0x7e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000660000" filename = "" Region: id = 266 start_va = 0x950000 end_va = 0x95ffff entry_point = 0x0 region_type = private name = "private_0x0000000000950000" filename = "" Region: id = 267 start_va = 0x9a0000 end_va = 0x9affff entry_point = 0x0 region_type = private name = "private_0x00000000009a0000" filename = "" Region: id = 268 start_va = 0xe20000 end_va = 0x221ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e20000" filename = "" Region: id = 269 start_va = 0x110000 end_va = 0x121fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 270 start_va = 0x7f0000 end_va = 0x8cffff entry_point = 0x0 region_type = private name = "private_0x00000000007f0000" filename = "" Region: id = 271 start_va = 0x9b0000 end_va = 0xb7ffff entry_point = 0x0 region_type = private name = "private_0x00000000009b0000" filename = "" Region: id = 272 start_va = 0x9b0000 end_va = 0xaaffff entry_point = 0x0 region_type = private name = "private_0x00000000009b0000" filename = "" Region: id = 273 start_va = 0xb70000 end_va = 0xb7ffff entry_point = 0x0 region_type = private name = "private_0x0000000000b70000" filename = "" Region: id = 274 start_va = 0x880000 end_va = 0x8bffff entry_point = 0x0 region_type = private name = "private_0x0000000000880000" filename = "" Region: id = 275 start_va = 0x8c0000 end_va = 0x8cffff entry_point = 0x0 region_type = private name = "private_0x00000000008c0000" filename = "" Region: id = 276 start_va = 0xcc0000 end_va = 0xdbffff entry_point = 0x0 region_type = private name = "private_0x0000000000cc0000" filename = "" Region: id = 277 start_va = 0x75170000 end_va = 0x75185fff entry_point = 0x75170000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\SysWOW64\\cryptsp.dll" (normalized: "c:\\windows\\syswow64\\cryptsp.dll") Region: id = 278 start_va = 0x7efd8000 end_va = 0x7efdafff entry_point = 0x0 region_type = private name = "private_0x000000007efd8000" filename = "" Region: id = 279 start_va = 0x170000 end_va = 0x1abfff entry_point = 0x170000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 280 start_va = 0x170000 end_va = 0x1abfff entry_point = 0x170000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 281 start_va = 0x170000 end_va = 0x1abfff entry_point = 0x170000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 282 start_va = 0x170000 end_va = 0x1abfff entry_point = 0x170000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 283 start_va = 0x170000 end_va = 0x1abfff entry_point = 0x170000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 284 start_va = 0x75130000 end_va = 0x7516afff entry_point = 0x75130000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 285 start_va = 0x2220000 end_va = 0x24eefff entry_point = 0x2220000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 286 start_va = 0x75720000 end_va = 0x7583cfff entry_point = 0x75720000 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\SysWOW64\\crypt32.dll" (normalized: "c:\\windows\\syswow64\\crypt32.dll") Region: id = 287 start_va = 0x75c60000 end_va = 0x75c6bfff entry_point = 0x75c60000 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\SysWOW64\\msasn1.dll" (normalized: "c:\\windows\\syswow64\\msasn1.dll") Region: id = 288 start_va = 0x75100000 end_va = 0x75120fff entry_point = 0x75100000 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\SysWOW64\\ntmarta.dll" (normalized: "c:\\windows\\syswow64\\ntmarta.dll") Region: id = 289 start_va = 0x75c70000 end_va = 0x75cb4fff entry_point = 0x75c70000 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\SysWOW64\\Wldap32.dll" (normalized: "c:\\windows\\syswow64\\wldap32.dll") Region: id = 290 start_va = 0x170000 end_va = 0x17ffff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 291 start_va = 0x180000 end_va = 0x186fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000180000" filename = "" Region: id = 292 start_va = 0x170000 end_va = 0x176fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000170000" filename = "" Region: id = 293 start_va = 0x170000 end_va = 0x176fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000170000" filename = "" Region: id = 294 start_va = 0x170000 end_va = 0x176fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000170000" filename = "" Region: id = 295 start_va = 0x170000 end_va = 0x176fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000170000" filename = "" Region: id = 296 start_va = 0x170000 end_va = 0x176fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000170000" filename = "" Region: id = 297 start_va = 0x170000 end_va = 0x176fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000170000" filename = "" Region: id = 298 start_va = 0x170000 end_va = 0x176fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000170000" filename = "" Region: id = 299 start_va = 0x170000 end_va = 0x176fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000170000" filename = "" Region: id = 300 start_va = 0x170000 end_va = 0x176fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000170000" filename = "" Region: id = 301 start_va = 0x170000 end_va = 0x176fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000170000" filename = "" Region: id = 302 start_va = 0x170000 end_va = 0x176fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000170000" filename = "" Region: id = 303 start_va = 0x170000 end_va = 0x176fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000170000" filename = "" Region: id = 304 start_va = 0x170000 end_va = 0x176fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000170000" filename = "" Region: id = 305 start_va = 0x170000 end_va = 0x176fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000170000" filename = "" Region: id = 306 start_va = 0x170000 end_va = 0x176fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000170000" filename = "" Region: id = 307 start_va = 0x170000 end_va = 0x176fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000170000" filename = "" Region: id = 308 start_va = 0x170000 end_va = 0x176fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000170000" filename = "" Region: id = 309 start_va = 0x170000 end_va = 0x176fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000170000" filename = "" Region: id = 310 start_va = 0x170000 end_va = 0x176fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000170000" filename = "" Region: id = 311 start_va = 0x170000 end_va = 0x176fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000170000" filename = "" Region: id = 312 start_va = 0x170000 end_va = 0x176fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000170000" filename = "" Region: id = 313 start_va = 0x170000 end_va = 0x176fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000170000" filename = "" Region: id = 314 start_va = 0x170000 end_va = 0x176fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000170000" filename = "" Region: id = 315 start_va = 0x170000 end_va = 0x176fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000170000" filename = "" Region: id = 316 start_va = 0x170000 end_va = 0x176fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000170000" filename = "" Region: id = 317 start_va = 0x170000 end_va = 0x176fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000170000" filename = "" Region: id = 318 start_va = 0x170000 end_va = 0x176fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000170000" filename = "" Region: id = 319 start_va = 0x170000 end_va = 0x176fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000170000" filename = "" Region: id = 320 start_va = 0x170000 end_va = 0x176fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000170000" filename = "" Region: id = 321 start_va = 0x170000 end_va = 0x176fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000170000" filename = "" Region: id = 322 start_va = 0x170000 end_va = 0x176fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000170000" filename = "" Region: id = 323 start_va = 0x170000 end_va = 0x176fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000170000" filename = "" Region: id = 324 start_va = 0x170000 end_va = 0x176fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000170000" filename = "" Region: id = 325 start_va = 0x170000 end_va = 0x176fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000170000" filename = "" Region: id = 326 start_va = 0x170000 end_va = 0x176fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000170000" filename = "" Region: id = 327 start_va = 0x170000 end_va = 0x176fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000170000" filename = "" Region: id = 328 start_va = 0x170000 end_va = 0x176fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000170000" filename = "" Region: id = 329 start_va = 0x170000 end_va = 0x176fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000170000" filename = "" Region: id = 330 start_va = 0x170000 end_va = 0x176fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000170000" filename = "" Region: id = 331 start_va = 0x170000 end_va = 0x176fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000170000" filename = "" Region: id = 332 start_va = 0x170000 end_va = 0x176fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000170000" filename = "" Region: id = 333 start_va = 0x170000 end_va = 0x176fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000170000" filename = "" Region: id = 334 start_va = 0x170000 end_va = 0x176fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000170000" filename = "" Region: id = 335 start_va = 0x170000 end_va = 0x176fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000170000" filename = "" Region: id = 336 start_va = 0x170000 end_va = 0x176fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000170000" filename = "" Region: id = 337 start_va = 0x170000 end_va = 0x176fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000170000" filename = "" Region: id = 338 start_va = 0x170000 end_va = 0x176fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000170000" filename = "" Region: id = 339 start_va = 0x170000 end_va = 0x176fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000170000" filename = "" Region: id = 340 start_va = 0x170000 end_va = 0x176fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000170000" filename = "" Region: id = 341 start_va = 0x170000 end_va = 0x176fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000170000" filename = "" Region: id = 342 start_va = 0x77a10000 end_va = 0x77a14fff entry_point = 0x77a10000 region_type = mapped_file name = "psapi.dll" filename = "\\Windows\\SysWOW64\\psapi.dll" (normalized: "c:\\windows\\syswow64\\psapi.dll") Region: id = 359 start_va = 0x170000 end_va = 0x170fff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 360 start_va = 0x170000 end_va = 0x170fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000170000" filename = "" Thread: id = 3 os_tid = 0x958 [0024.411] GetCurrentProcess () returned 0xffffffff [0024.411] GetTickCount () returned 0x165a4 [0024.411] GetCurrentThreadId () returned 0x958 [0024.411] GetCurrentThreadId () returned 0x958 [0024.411] GetCurrentProcess () returned 0xffffffff [0024.411] GetVersion () returned 0x1db10106 [0024.411] GetVersion () returned 0x1db10106 [0024.411] GetCurrentProcess () returned 0xffffffff [0024.411] GetCurrentProcess () returned 0xffffffff [0024.411] GetTickCount () returned 0x165a4 [0024.411] GetTickCount () returned 0x165a4 [0024.411] GetTickCount () returned 0x165a4 [0024.411] GetVersion () returned 0x1db10106 [0024.411] GetTickCount () returned 0x165a4 [0024.411] GetCurrentThreadId () returned 0x958 [0024.411] GetVersion () returned 0x1db10106 [0024.411] GetTickCount () returned 0x165a4 [0024.411] GetCurrentThreadId () returned 0x958 [0024.411] GetCurrentThreadId () returned 0x958 [0024.411] GetCurrentThreadId () returned 0x958 [0024.411] GetVersion () returned 0x1db10106 [0024.411] GetTickCount () returned 0x165a4 [0024.411] GetCurrentThreadId () returned 0x958 [0024.411] GetTickCount () returned 0x165a4 [0024.411] GetCurrentThreadId () returned 0x958 [0024.411] GetCurrentThreadId () returned 0x958 [0024.411] GetVersion () returned 0x1db10106 [0024.411] GetTickCount () returned 0x165a4 [0024.411] GetTickCount () returned 0x165a4 [0024.411] GetCurrentThreadId () returned 0x958 [0024.411] VirtualAlloc (lpAddress=0x0, dwSize=0x1c000, flAllocationType=0x1000, flProtect=0x40) returned 0xe0000 [0024.611] VirtualAlloc (lpAddress=0x0, dwSize=0x11a00, flAllocationType=0x1000, flProtect=0x4) returned 0x110000 [0027.109] VirtualProtect (in: lpAddress=0xdf0000, dwSize=0x1c000, flNewProtect=0x40, lpflOldProtect=0xfa0b8 | out: lpflOldProtect=0xfa0b8*=0x2) returned 1 [0027.110] VirtualProtect (in: lpAddress=0xdf0000, dwSize=0x400, flNewProtect=0x2, lpflOldProtect=0xfa0b8 | out: lpflOldProtect=0xfa0b8*=0x40) returned 1 [0027.110] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x773b0000 [0027.111] GetProcAddress (hModule=0x773b0000, lpProcName="OutputDebugStringA") returned 0x773eb2b7 [0027.111] GetProcAddress (hModule=0x773b0000, lpProcName="HeapValidate") returned 0x773db17b [0027.121] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x2aee7c, nSize=0x1000 | out: lpFilename="C:\\Users\\5P5NRG~1\\AppData\\Roaming\\MOV7TW~1:bin" (normalized: "c:\\users\\5p5nrg~1\\appdata\\roaming\\mov7tw~1:bin")) returned 0x2e [0027.121] GetVersionExW (in: lpVersionInformation=0x2af51c*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x2af51c*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0027.121] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x2af508 | out: Wow64Process=0x2af508) returned 1 [0027.121] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x2af4e4 | out: TokenHandle=0x2af4e4*=0xbc) returned 1 [0027.121] GetTokenInformation (in: TokenHandle=0xbc, TokenInformationClass=0x2, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x2af4e0 | out: TokenInformation=0x0, ReturnLength=0x2af4e0) returned 0 [0027.121] GetLastError () returned 0x7a [0027.122] GetTokenInformation (in: TokenHandle=0xbc, TokenInformationClass=0x2, TokenInformation=0xb70f98, TokenInformationLength=0x118, ReturnLength=0x2af4e0 | out: TokenInformation=0xb70f98, ReturnLength=0x2af4e0) returned 1 [0027.122] AllocateAndInitializeSid (in: pIdentifierAuthority=0x2af4f0, nSubAuthorityCount=0x2, nSubAuthority0=0x20, nSubAuthority1=0x220, nSubAuthority2=0x0, nSubAuthority3=0x0, nSubAuthority4=0x0, nSubAuthority5=0x0, nSubAuthority6=0x0, nSubAuthority7=0x0, pSid=0x2af4e8 | out: pSid=0x2af4e8*=0x3e18c8*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0))) returned 1 [0027.122] EqualSid (pSid1=0x3e18c8*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), pSid2=0xb70ffc*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25))) returned 0 [0027.122] EqualSid (pSid1=0x3e18c8*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), pSid2=0xb71018*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x1), SubAuthority=0x0)) returned 0 [0027.122] EqualSid (pSid1=0x3e18c8*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), pSid2=0xb71024*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0))) returned 1 [0027.122] NtClose (Handle=0xbc) returned 0x0 [0027.122] RtlQueryElevationFlags () returned 0x0 [0027.123] SHRegDuplicateHKey (hkey=0x80000002) returned 0x80000002 [0027.123] RegEnumKeyW (in: hKey=0x80000002, dwIndex=0x0, lpName=0xb7b8d0, cchName=0x104 | out: lpName="BCD00000000") returned 0x0 [0027.123] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="bcd00000000", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.123] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="bcd00000000", cchWideChar=11, lpMultiByteStr=0xb7bbe0, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bcd00000000", lpUsedDefaultChar=0x0) returned 11 [0027.123] RegEnumKeyW (in: hKey=0x80000002, dwIndex=0x1, lpName=0xb7b8d0, cchName=0x104 | out: lpName="HARDWARE") returned 0x0 [0027.123] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="hardware", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0027.123] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="hardware", cchWideChar=8, lpMultiByteStr=0xb7bc40, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="hardware", lpUsedDefaultChar=0x0) returned 8 [0027.123] RegEnumKeyW (in: hKey=0x80000002, dwIndex=0x2, lpName=0xb7b8d0, cchName=0x104 | out: lpName="SAM") returned 0x0 [0027.123] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="sam", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0027.124] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="sam", cchWideChar=3, lpMultiByteStr=0xb7bc88, cbMultiByte=3, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="sam", lpUsedDefaultChar=0x0) returned 3 [0027.124] RegEnumKeyW (in: hKey=0x80000002, dwIndex=0x3, lpName=0xb7b8d0, cchName=0x104 | out: lpName="SECURITY") returned 0x0 [0027.124] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="security", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0027.124] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="security", cchWideChar=8, lpMultiByteStr=0xb7bc40, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="security", lpUsedDefaultChar=0x0) returned 8 [0027.124] RegEnumKeyW (in: hKey=0x80000002, dwIndex=0x4, lpName=0xb7b8d0, cchName=0x104 | out: lpName="SOFTWARE") returned 0x0 [0027.124] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="software", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0027.124] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="software", cchWideChar=8, lpMultiByteStr=0xb7bc88, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="software", lpUsedDefaultChar=0x0) returned 8 [0027.124] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE", ulOptions=0x0, samDesired=0x20109, phkResult=0x2af464 | out: phkResult=0x2af464*=0xbc) returned 0x0 [0027.124] RegCloseKey (hKey=0x80000002) returned 0x0 [0027.124] RegEnumKeyW (in: hKey=0xbc, dwIndex=0x0, lpName=0xb7b8d0, cchName=0x104 | out: lpName="ATI Technologies") returned 0x0 [0027.124] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ati technologies", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0027.124] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ati technologies", cchWideChar=16, lpMultiByteStr=0xb7c0c0, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ati technologies", lpUsedDefaultChar=0x0) returned 16 [0027.125] RegEnumKeyW (in: hKey=0xbc, dwIndex=0x1, lpName=0xb7b8d0, cchName=0x104 | out: lpName="CBSTEST") returned 0x0 [0027.125] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="cbstest", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0027.125] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="cbstest", cchWideChar=7, lpMultiByteStr=0xb7c108, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="cbstest", lpUsedDefaultChar=0x0) returned 7 [0027.125] RegEnumKeyW (in: hKey=0xbc, dwIndex=0x2, lpName=0xb7b8d0, cchName=0x104 | out: lpName="Classes") returned 0x0 [0027.125] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="classes", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0027.125] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="classes", cchWideChar=7, lpMultiByteStr=0xb7c0c0, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="classes", lpUsedDefaultChar=0x0) returned 7 [0027.125] RegEnumKeyW (in: hKey=0xbc, dwIndex=0x3, lpName=0xb7b8d0, cchName=0x104 | out: lpName="Clients") returned 0x0 [0027.125] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="clients", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0027.125] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="clients", cchWideChar=7, lpMultiByteStr=0xb7c108, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="clients", lpUsedDefaultChar=0x0) returned 7 [0027.125] RegEnumKeyW (in: hKey=0xbc, dwIndex=0x4, lpName=0xb7b8d0, cchName=0x104 | out: lpName="Intel") returned 0x0 [0027.125] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="intel", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0027.125] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="intel", cchWideChar=5, lpMultiByteStr=0xb7c0c0, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="intel", lpUsedDefaultChar=0x0) returned 5 [0027.125] RegEnumKeyW (in: hKey=0xbc, dwIndex=0x5, lpName=0xb7b8d0, cchName=0x104 | out: lpName="Macromedia") returned 0x0 [0027.125] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="macromedia", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0027.125] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="macromedia", cchWideChar=10, lpMultiByteStr=0xb7c108, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="macromedia", lpUsedDefaultChar=0x0) returned 10 [0027.126] RegEnumKeyW (in: hKey=0xbc, dwIndex=0x6, lpName=0xb7b8d0, cchName=0x104 | out: lpName="Microsoft") returned 0x0 [0027.126] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="microsoft", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0027.126] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="microsoft", cchWideChar=9, lpMultiByteStr=0xb7c0c0, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="microsoft", lpUsedDefaultChar=0x0) returned 9 [0027.126] RegOpenKeyExW (in: hKey=0xbc, lpSubKey="Microsoft", ulOptions=0x0, samDesired=0x20109, phkResult=0x2af464 | out: phkResult=0x2af464*=0x3c) returned 0x0 [0027.126] RegCloseKey (hKey=0xbc) returned 0x0 [0027.126] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x0, lpName=0xb7b8d0, cchName=0x104 | out: lpName=".NETFramework") returned 0x0 [0027.126] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr=".netframework", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0027.126] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr=".netframework", cchWideChar=13, lpMultiByteStr=0xb7c108, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=".netframework", lpUsedDefaultChar=0x0) returned 13 [0027.126] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x1, lpName=0xb7b8d0, cchName=0x104 | out: lpName="Active Setup") returned 0x0 [0027.126] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="active setup", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0027.126] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="active setup", cchWideChar=12, lpMultiByteStr=0xb7c0c0, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="active setup", lpUsedDefaultChar=0x0) returned 12 [0027.126] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x2, lpName=0xb7b8d0, cchName=0x104 | out: lpName="ADs") returned 0x0 [0027.126] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ads", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0027.126] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ads", cchWideChar=3, lpMultiByteStr=0xb7c108, cbMultiByte=3, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ads", lpUsedDefaultChar=0x0) returned 3 [0027.126] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x3, lpName=0xb7b8d0, cchName=0x104 | out: lpName="Advanced INF Setup") returned 0x0 [0027.127] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="advanced inf setup", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0027.127] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="advanced inf setup", cchWideChar=18, lpMultiByteStr=0xb7c0c0, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="advanced inf setup", lpUsedDefaultChar=0x0) returned 18 [0027.127] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x4, lpName=0xb7b8d0, cchName=0x104 | out: lpName="ALG") returned 0x0 [0027.127] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="alg", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0027.127] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="alg", cchWideChar=3, lpMultiByteStr=0xb7c108, cbMultiByte=3, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="alg", lpUsedDefaultChar=0x0) returned 3 [0027.127] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x5, lpName=0xb7b8d0, cchName=0x104 | out: lpName="ASP.NET") returned 0x0 [0027.127] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="asp.net", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0027.127] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="asp.net", cchWideChar=7, lpMultiByteStr=0xb7c0c0, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="asp.net", lpUsedDefaultChar=0x0) returned 7 [0027.127] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x6, lpName=0xb7b8d0, cchName=0x104 | out: lpName="Assistance") returned 0x0 [0027.127] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="assistance", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0027.127] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="assistance", cchWideChar=10, lpMultiByteStr=0xb7c108, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="assistance", lpUsedDefaultChar=0x0) returned 10 [0027.127] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x7, lpName=0xb7b8d0, cchName=0x104 | out: lpName="BidInterface") returned 0x0 [0027.127] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="bidinterface", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0027.127] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="bidinterface", cchWideChar=12, lpMultiByteStr=0xb7c0c0, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bidinterface", lpUsedDefaultChar=0x0) returned 12 [0027.127] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x8, lpName=0xb7b8d0, cchName=0x104 | out: lpName="COM3") returned 0x0 [0027.127] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="com3", cchWideChar=4, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 4 [0027.128] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="com3", cchWideChar=4, lpMultiByteStr=0xb7c108, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="com3", lpUsedDefaultChar=0x0) returned 4 [0027.128] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x9, lpName=0xb7b8d0, cchName=0x104 | out: lpName="Command Processor") returned 0x0 [0027.128] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="command processor", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0027.128] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="command processor", cchWideChar=17, lpMultiByteStr=0xb7c0c0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="command processor", lpUsedDefaultChar=0x0) returned 17 [0027.128] RegEnumKeyW (in: hKey=0x3c, dwIndex=0xa, lpName=0xb7b8d0, cchName=0x104 | out: lpName="Connect to a Network Projector") returned 0x0 [0027.128] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="connect to a network projector", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0027.128] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="connect to a network projector", cchWideChar=30, lpMultiByteStr=0xb7c108, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="connect to a network projector", lpUsedDefaultChar=0x0) returned 30 [0027.128] RegEnumKeyW (in: hKey=0x3c, dwIndex=0xb, lpName=0xb7b8d0, cchName=0x104 | out: lpName="Cryptography") returned 0x0 [0027.128] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="cryptography", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0027.128] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="cryptography", cchWideChar=12, lpMultiByteStr=0xb7c0c0, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="cryptography", lpUsedDefaultChar=0x0) returned 12 [0027.128] RegEnumKeyW (in: hKey=0x3c, dwIndex=0xc, lpName=0xb7b8d0, cchName=0x104 | out: lpName="CTF") returned 0x0 [0027.128] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ctf", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0027.128] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ctf", cchWideChar=3, lpMultiByteStr=0xb7c108, cbMultiByte=3, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ctf", lpUsedDefaultChar=0x0) returned 3 [0027.128] RegEnumKeyW (in: hKey=0x3c, dwIndex=0xd, lpName=0xb7b8d0, cchName=0x104 | out: lpName="DataAccess") returned 0x0 [0027.128] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="dataaccess", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0027.129] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="dataaccess", cchWideChar=10, lpMultiByteStr=0xb7c0c0, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dataaccess", lpUsedDefaultChar=0x0) returned 10 [0027.129] RegEnumKeyW (in: hKey=0x3c, dwIndex=0xe, lpName=0xb7b8d0, cchName=0x104 | out: lpName="DataFactory") returned 0x0 [0027.129] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="datafactory", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.129] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="datafactory", cchWideChar=11, lpMultiByteStr=0xb7c108, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="datafactory", lpUsedDefaultChar=0x0) returned 11 [0027.129] RegEnumKeyW (in: hKey=0x3c, dwIndex=0xf, lpName=0xb7b8d0, cchName=0x104 | out: lpName="DevDiv") returned 0x0 [0027.129] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="devdiv", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0027.129] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="devdiv", cchWideChar=6, lpMultiByteStr=0xb7c0c0, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="devdiv", lpUsedDefaultChar=0x0) returned 6 [0027.129] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x10, lpName=0xb7b8d0, cchName=0x104 | out: lpName="Dfrg") returned 0x0 [0027.129] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="dfrg", cchWideChar=4, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 4 [0027.129] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="dfrg", cchWideChar=4, lpMultiByteStr=0xb7c108, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dfrg", lpUsedDefaultChar=0x0) returned 4 [0027.129] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x11, lpName=0xb7b8d0, cchName=0x104 | out: lpName="DFS") returned 0x0 [0027.129] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="dfs", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0027.129] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="dfs", cchWideChar=3, lpMultiByteStr=0xb7c0c0, cbMultiByte=3, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dfs", lpUsedDefaultChar=0x0) returned 3 [0027.129] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x12, lpName=0xb7b8d0, cchName=0x104 | out: lpName="DirectDraw") returned 0x0 [0027.129] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="directdraw", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0027.130] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="directdraw", cchWideChar=10, lpMultiByteStr=0xb7c108, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="directdraw", lpUsedDefaultChar=0x0) returned 10 [0027.130] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x13, lpName=0xb7b8d0, cchName=0x104 | out: lpName="DirectInput") returned 0x0 [0027.130] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="directinput", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.130] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="directinput", cchWideChar=11, lpMultiByteStr=0xb7c0c0, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="directinput", lpUsedDefaultChar=0x0) returned 11 [0027.130] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x14, lpName=0xb7b8d0, cchName=0x104 | out: lpName="DirectMusic") returned 0x0 [0027.130] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="directmusic", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.130] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="directmusic", cchWideChar=11, lpMultiByteStr=0xb7c108, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="directmusic", lpUsedDefaultChar=0x0) returned 11 [0027.130] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x15, lpName=0xb7b8d0, cchName=0x104 | out: lpName="DirectPlay8") returned 0x0 [0027.130] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="directplay8", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.130] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="directplay8", cchWideChar=11, lpMultiByteStr=0xb7c0c0, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="directplay8", lpUsedDefaultChar=0x0) returned 11 [0027.130] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x16, lpName=0xb7b8d0, cchName=0x104 | out: lpName="DirectPlayNATHelp") returned 0x0 [0027.130] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="directplaynathelp", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0027.130] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="directplaynathelp", cchWideChar=17, lpMultiByteStr=0xb7c108, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="directplaynathelp", lpUsedDefaultChar=0x0) returned 17 [0027.130] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x17, lpName=0xb7b8d0, cchName=0x104 | out: lpName="DirectShow") returned 0x0 [0027.130] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="directshow", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0027.130] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="directshow", cchWideChar=10, lpMultiByteStr=0xb7c0c0, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="directshow", lpUsedDefaultChar=0x0) returned 10 [0027.131] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x18, lpName=0xb7b8d0, cchName=0x104 | out: lpName="DirectX") returned 0x0 [0027.131] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="directx", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0027.131] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="directx", cchWideChar=7, lpMultiByteStr=0xb7c108, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="directx", lpUsedDefaultChar=0x0) returned 7 [0027.131] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x19, lpName=0xb7b8d0, cchName=0x104 | out: lpName="Driver Signing") returned 0x0 [0027.131] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="driver signing", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0027.131] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="driver signing", cchWideChar=14, lpMultiByteStr=0xb7c0c0, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="driver signing", lpUsedDefaultChar=0x0) returned 14 [0027.131] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x1a, lpName=0xb7b8d0, cchName=0x104 | out: lpName="DRM") returned 0x0 [0027.131] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="drm", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0027.131] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="drm", cchWideChar=3, lpMultiByteStr=0xb7c108, cbMultiByte=3, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="drm", lpUsedDefaultChar=0x0) returned 3 [0027.131] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x1b, lpName=0xb7b8d0, cchName=0x104 | out: lpName="DVR") returned 0x0 [0027.131] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="dvr", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0027.131] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="dvr", cchWideChar=3, lpMultiByteStr=0xb7c0c0, cbMultiByte=3, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dvr", lpUsedDefaultChar=0x0) returned 3 [0027.131] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x1c, lpName=0xb7b8d0, cchName=0x104 | out: lpName="DXP") returned 0x0 [0027.131] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="dxp", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0027.131] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="dxp", cchWideChar=3, lpMultiByteStr=0xb7c108, cbMultiByte=3, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dxp", lpUsedDefaultChar=0x0) returned 3 [0027.132] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x1d, lpName=0xb7b8d0, cchName=0x104 | out: lpName="EnterpriseCertificates") returned 0x0 [0027.132] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="enterprisecertificates", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0027.132] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="enterprisecertificates", cchWideChar=22, lpMultiByteStr=0xb7c0c0, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="enterprisecertificates", lpUsedDefaultChar=0x0) returned 22 [0027.132] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x1e, lpName=0xb7b8d0, cchName=0x104 | out: lpName="EventSystem") returned 0x0 [0027.132] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="eventsystem", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.132] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="eventsystem", cchWideChar=11, lpMultiByteStr=0xb7c108, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="eventsystem", lpUsedDefaultChar=0x0) returned 11 [0027.132] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x1f, lpName=0xb7b8d0, cchName=0x104 | out: lpName="Exchange") returned 0x0 [0027.132] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="exchange", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0027.132] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="exchange", cchWideChar=8, lpMultiByteStr=0xb7c0c0, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="exchange", lpUsedDefaultChar=0x0) returned 8 [0027.132] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x20, lpName=0xb7b8d0, cchName=0x104 | out: lpName="Fax") returned 0x0 [0027.132] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="fax", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0027.132] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="fax", cchWideChar=3, lpMultiByteStr=0xb7c108, cbMultiByte=3, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="fax", lpUsedDefaultChar=0x0) returned 3 [0027.132] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x21, lpName=0xb7b8d0, cchName=0x104 | out: lpName="Feeds") returned 0x0 [0027.132] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="feeds", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0027.132] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="feeds", cchWideChar=5, lpMultiByteStr=0xb7c0c0, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="feeds", lpUsedDefaultChar=0x0) returned 5 [0027.133] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x22, lpName=0xb7b8d0, cchName=0x104 | out: lpName="FlashConfig") returned 0x0 [0027.133] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="flashconfig", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.133] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="flashconfig", cchWideChar=11, lpMultiByteStr=0xb7c108, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="flashconfig", lpUsedDefaultChar=0x0) returned 11 [0027.133] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x23, lpName=0xb7b8d0, cchName=0x104 | out: lpName="FTH") returned 0x0 [0027.133] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="fth", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0027.133] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="fth", cchWideChar=3, lpMultiByteStr=0xb7c0c0, cbMultiByte=3, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="fth", lpUsedDefaultChar=0x0) returned 3 [0027.133] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x24, lpName=0xb7b8d0, cchName=0x104 | out: lpName="Function Discovery") returned 0x0 [0027.133] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="function discovery", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0027.133] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="function discovery", cchWideChar=18, lpMultiByteStr=0xb7c108, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="function discovery", lpUsedDefaultChar=0x0) returned 18 [0027.133] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x25, lpName=0xb7b8d0, cchName=0x104 | out: lpName="Fusion") returned 0x0 [0027.133] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="fusion", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0027.133] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="fusion", cchWideChar=6, lpMultiByteStr=0xb7c0c0, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="fusion", lpUsedDefaultChar=0x0) returned 6 [0027.133] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x26, lpName=0xb7b8d0, cchName=0x104 | out: lpName="GPUPipeline") returned 0x0 [0027.133] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="gpupipeline", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.133] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="gpupipeline", cchWideChar=11, lpMultiByteStr=0xb7c108, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="gpupipeline", lpUsedDefaultChar=0x0) returned 11 [0027.134] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x27, lpName=0xb7b8d0, cchName=0x104 | out: lpName="HTMLHelp") returned 0x0 [0027.134] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="htmlhelp", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0027.134] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="htmlhelp", cchWideChar=8, lpMultiByteStr=0xb7c0c0, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="htmlhelp", lpUsedDefaultChar=0x0) returned 8 [0027.134] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x28, lpName=0xb7b8d0, cchName=0x104 | out: lpName="IdentityCRL") returned 0x0 [0027.134] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="identitycrl", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.134] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="identitycrl", cchWideChar=11, lpMultiByteStr=0xb7c108, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="identitycrl", lpUsedDefaultChar=0x0) returned 11 [0027.134] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x29, lpName=0xb7b8d0, cchName=0x104 | out: lpName="IdentityStore") returned 0x0 [0027.134] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="identitystore", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0027.134] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="identitystore", cchWideChar=13, lpMultiByteStr=0xb7c0c0, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="identitystore", lpUsedDefaultChar=0x0) returned 13 [0027.134] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x2a, lpName=0xb7b8d0, cchName=0x104 | out: lpName="IMAPI") returned 0x0 [0027.134] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="imapi", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0027.134] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="imapi", cchWideChar=5, lpMultiByteStr=0xb7c108, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="imapi", lpUsedDefaultChar=0x0) returned 5 [0027.134] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x2b, lpName=0xb7b8d0, cchName=0x104 | out: lpName="IMEJP") returned 0x0 [0027.134] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="imejp", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0027.134] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="imejp", cchWideChar=5, lpMultiByteStr=0xb7c0c0, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="imejp", lpUsedDefaultChar=0x0) returned 5 [0027.135] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x2c, lpName=0xb7b8d0, cchName=0x104 | out: lpName="IMEKR") returned 0x0 [0027.135] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="imekr", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0027.135] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="imekr", cchWideChar=5, lpMultiByteStr=0xb7c108, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="imekr", lpUsedDefaultChar=0x0) returned 5 [0027.135] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x2d, lpName=0xb7b8d0, cchName=0x104 | out: lpName="IMETC") returned 0x0 [0027.135] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="imetc", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0027.135] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="imetc", cchWideChar=5, lpMultiByteStr=0xb7c0c0, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="imetc", lpUsedDefaultChar=0x0) returned 5 [0027.135] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x2e, lpName=0xb7b8d0, cchName=0x104 | out: lpName="Internet Account Manager") returned 0x0 [0027.135] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="internet account manager", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0027.135] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="internet account manager", cchWideChar=24, lpMultiByteStr=0xb7c108, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="internet account manager", lpUsedDefaultChar=0x0) returned 24 [0027.135] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x2f, lpName=0xb7b8d0, cchName=0x104 | out: lpName="Internet Domains") returned 0x0 [0027.135] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="internet domains", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0027.135] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="internet domains", cchWideChar=16, lpMultiByteStr=0xb7c0c0, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="internet domains", lpUsedDefaultChar=0x0) returned 16 [0027.135] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x30, lpName=0xb7b8d0, cchName=0x104 | out: lpName="Internet Explorer") returned 0x0 [0027.135] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="internet explorer", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0027.135] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="internet explorer", cchWideChar=17, lpMultiByteStr=0xb7c108, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="internet explorer", lpUsedDefaultChar=0x0) returned 17 [0027.136] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x31, lpName=0xb7b8d0, cchName=0x104 | out: lpName="IsoBurn") returned 0x0 [0027.136] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="isoburn", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0027.136] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="isoburn", cchWideChar=7, lpMultiByteStr=0xb7c0c0, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="isoburn", lpUsedDefaultChar=0x0) returned 7 [0027.136] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x32, lpName=0xb7b8d0, cchName=0x104 | out: lpName="Loki") returned 0x0 [0027.136] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="loki", cchWideChar=4, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 4 [0027.136] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="loki", cchWideChar=4, lpMultiByteStr=0xb7c108, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="loki", lpUsedDefaultChar=0x0) returned 4 [0027.136] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x33, lpName=0xb7b8d0, cchName=0x104 | out: lpName="MediaCenterPeripheral") returned 0x0 [0027.136] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mediacenterperipheral", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0027.136] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mediacenterperipheral", cchWideChar=21, lpMultiByteStr=0xb7c0c0, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mediacenterperipheral", lpUsedDefaultChar=0x0) returned 21 [0027.136] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x34, lpName=0xb7b8d0, cchName=0x104 | out: lpName="MediaPlayer") returned 0x0 [0027.136] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mediaplayer", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.136] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mediaplayer", cchWideChar=11, lpMultiByteStr=0xb7c108, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mediaplayer", lpUsedDefaultChar=0x0) returned 11 [0027.137] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x35, lpName=0xb7b8d0, cchName=0x104 | out: lpName="MessengerService") returned 0x0 [0027.137] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="messengerservice", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0027.137] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="messengerservice", cchWideChar=16, lpMultiByteStr=0xb7c0c0, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="messengerservice", lpUsedDefaultChar=0x0) returned 16 [0027.137] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x36, lpName=0xb7b8d0, cchName=0x104 | out: lpName="Microsoft Reference") returned 0x0 [0027.137] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="microsoft reference", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0027.137] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="microsoft reference", cchWideChar=19, lpMultiByteStr=0xb7c108, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="microsoft reference", lpUsedDefaultChar=0x0) returned 19 [0027.137] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x37, lpName=0xb7b8d0, cchName=0x104 | out: lpName="Microsoft SQL Server Compact Edition") returned 0x0 [0027.137] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="microsoft sql server compact edition", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0027.137] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="microsoft sql server compact edition", cchWideChar=36, lpMultiByteStr=0xb7c0c0, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="microsoft sql server compact edition", lpUsedDefaultChar=0x0) returned 36 [0027.137] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x38, lpName=0xb7b8d0, cchName=0x104 | out: lpName="MigWiz") returned 0x0 [0027.137] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="migwiz", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0027.137] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="migwiz", cchWideChar=6, lpMultiByteStr=0xb7c108, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="migwiz", lpUsedDefaultChar=0x0) returned 6 [0027.137] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x39, lpName=0xb7b8d0, cchName=0x104 | out: lpName="MMC") returned 0x0 [0027.137] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mmc", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0027.137] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mmc", cchWideChar=3, lpMultiByteStr=0xb7c0c0, cbMultiByte=3, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mmc", lpUsedDefaultChar=0x0) returned 3 [0027.137] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x3a, lpName=0xb7b8d0, cchName=0x104 | out: lpName="Mobile") returned 0x0 [0027.137] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mobile", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0027.137] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mobile", cchWideChar=6, lpMultiByteStr=0xb7c108, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mobile", lpUsedDefaultChar=0x0) returned 6 [0027.137] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x3b, lpName=0xb7b8d0, cchName=0x104 | out: lpName="MSBuild") returned 0x0 [0027.137] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="msbuild", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0027.137] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="msbuild", cchWideChar=7, lpMultiByteStr=0xb7c0c0, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msbuild", lpUsedDefaultChar=0x0) returned 7 [0027.137] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x3c, lpName=0xb7b8d0, cchName=0x104 | out: lpName="MSDE") returned 0x0 [0027.137] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="msde", cchWideChar=4, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 4 [0027.137] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="msde", cchWideChar=4, lpMultiByteStr=0xb7c108, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msde", lpUsedDefaultChar=0x0) returned 4 [0027.137] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x3d, lpName=0xb7b8d0, cchName=0x104 | out: lpName="MSDTC") returned 0x0 [0027.138] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="msdtc", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0027.138] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="msdtc", cchWideChar=5, lpMultiByteStr=0xb7c0c0, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msdtc", lpUsedDefaultChar=0x0) returned 5 [0027.138] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x3e, lpName=0xb7b8d0, cchName=0x104 | out: lpName="MSF") returned 0x0 [0027.138] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="msf", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0027.138] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="msf", cchWideChar=3, lpMultiByteStr=0xb7c108, cbMultiByte=3, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msf", lpUsedDefaultChar=0x0) returned 3 [0027.138] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x3f, lpName=0xb7b8d0, cchName=0x104 | out: lpName="MSLicensing") returned 0x0 [0027.138] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mslicensing", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.138] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mslicensing", cchWideChar=11, lpMultiByteStr=0xb7c0c0, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mslicensing", lpUsedDefaultChar=0x0) returned 11 [0027.138] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x40, lpName=0xb7b8d0, cchName=0x104 | out: lpName="MSMQ") returned 0x0 [0027.138] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="msmq", cchWideChar=4, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 4 [0027.138] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="msmq", cchWideChar=4, lpMultiByteStr=0xb7c108, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msmq", lpUsedDefaultChar=0x0) returned 4 [0027.138] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x41, lpName=0xb7b8d0, cchName=0x104 | out: lpName="MSN Apps") returned 0x0 [0027.138] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="msn apps", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0027.138] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="msn apps", cchWideChar=8, lpMultiByteStr=0xb7c0c0, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msn apps", lpUsedDefaultChar=0x0) returned 8 [0027.138] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x42, lpName=0xb7b8d0, cchName=0x104 | out: lpName="MSOSOAP") returned 0x0 [0027.138] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="msosoap", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0027.138] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="msosoap", cchWideChar=7, lpMultiByteStr=0xb7c108, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msosoap", lpUsedDefaultChar=0x0) returned 7 [0027.138] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x43, lpName=0xb7b8d0, cchName=0x104 | out: lpName="MSSearch36") returned 0x0 [0027.138] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mssearch36", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0027.138] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mssearch36", cchWideChar=10, lpMultiByteStr=0xb7c0c0, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mssearch36", lpUsedDefaultChar=0x0) returned 10 [0027.138] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x44, lpName=0xb7b8d0, cchName=0x104 | out: lpName="MSSQLServer") returned 0x0 [0027.138] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mssqlserver", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.138] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mssqlserver", cchWideChar=11, lpMultiByteStr=0xb7c108, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mssqlserver", lpUsedDefaultChar=0x0) returned 11 [0027.138] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x45, lpName=0xb7b8d0, cchName=0x104 | out: lpName="Multimedia") returned 0x0 [0027.138] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="multimedia", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0027.138] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="multimedia", cchWideChar=10, lpMultiByteStr=0xb7c0c0, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="multimedia", lpUsedDefaultChar=0x0) returned 10 [0027.138] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x46, lpName=0xb7b8d0, cchName=0x104 | out: lpName="NapServer") returned 0x0 [0027.138] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="napserver", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0027.138] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="napserver", cchWideChar=9, lpMultiByteStr=0xb7c108, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="napserver", lpUsedDefaultChar=0x0) returned 9 [0027.139] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x47, lpName=0xb7b8d0, cchName=0x104 | out: lpName="NET Framework Setup") returned 0x0 [0027.139] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="net framework setup", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0027.139] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="net framework setup", cchWideChar=19, lpMultiByteStr=0xb7c0c0, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="net framework setup", lpUsedDefaultChar=0x0) returned 19 [0027.139] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x48, lpName=0xb7b8d0, cchName=0x104 | out: lpName="NetSh") returned 0x0 [0027.139] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="netsh", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0027.139] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="netsh", cchWideChar=5, lpMultiByteStr=0xb7c108, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="netsh", lpUsedDefaultChar=0x0) returned 5 [0027.139] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x49, lpName=0xb7b8d0, cchName=0x104 | out: lpName="Network") returned 0x0 [0027.139] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="network", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0027.139] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="network", cchWideChar=7, lpMultiByteStr=0xb7c0c0, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="network", lpUsedDefaultChar=0x0) returned 7 [0027.139] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x4a, lpName=0xb7b8d0, cchName=0x104 | out: lpName="NetworkAccessProtection") returned 0x0 [0027.139] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="networkaccessprotection", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0027.139] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="networkaccessprotection", cchWideChar=23, lpMultiByteStr=0xb7c108, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="networkaccessprotection", lpUsedDefaultChar=0x0) returned 23 [0027.139] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x4b, lpName=0xb7b8d0, cchName=0x104 | out: lpName="Non-Driver Signing") returned 0x0 [0027.139] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="non-driver signing", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0027.139] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="non-driver signing", cchWideChar=18, lpMultiByteStr=0xb7c0c0, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="non-driver signing", lpUsedDefaultChar=0x0) returned 18 [0027.139] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x4c, lpName=0xb7b8d0, cchName=0x104 | out: lpName="Notepad") returned 0x0 [0027.139] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="notepad", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0027.139] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="notepad", cchWideChar=7, lpMultiByteStr=0xb7c108, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="notepad", lpUsedDefaultChar=0x0) returned 7 [0027.139] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x4d, lpName=0xb7b8d0, cchName=0x104 | out: lpName="ODBC") returned 0x0 [0027.139] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="odbc", cchWideChar=4, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 4 [0027.139] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="odbc", cchWideChar=4, lpMultiByteStr=0xb7c0c0, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="odbc", lpUsedDefaultChar=0x0) returned 4 [0027.139] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x4e, lpName=0xb7b8d0, cchName=0x104 | out: lpName="Office") returned 0x0 [0027.139] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="office", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0027.139] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="office", cchWideChar=6, lpMultiByteStr=0xb7c108, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="office", lpUsedDefaultChar=0x0) returned 6 [0027.139] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x4f, lpName=0xb7b8d0, cchName=0x104 | out: lpName="OfficeSoftwareProtectionPlatform") returned 0x0 [0027.139] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="officesoftwareprotectionplatform", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0027.139] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="officesoftwareprotectionplatform", cchWideChar=32, lpMultiByteStr=0xb7c0c0, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="officesoftwareprotectionplatform", lpUsedDefaultChar=0x0) returned 32 [0027.139] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x50, lpName=0xb7b8d0, cchName=0x104 | out: lpName="Ole") returned 0x0 [0027.140] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ole", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0027.140] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ole", cchWideChar=3, lpMultiByteStr=0xb7c108, cbMultiByte=3, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ole", lpUsedDefaultChar=0x0) returned 3 [0027.140] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x51, lpName=0xb7b8d0, cchName=0x104 | out: lpName="Outlook Express") returned 0x0 [0027.140] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="outlook express", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0027.140] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="outlook express", cchWideChar=15, lpMultiByteStr=0xb7c0c0, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="outlook express", lpUsedDefaultChar=0x0) returned 15 [0027.140] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x52, lpName=0xb7b8d0, cchName=0x104 | out: lpName="PLA") returned 0x0 [0027.140] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="pla", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0027.140] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="pla", cchWideChar=3, lpMultiByteStr=0xb7c108, cbMultiByte=3, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="pla", lpUsedDefaultChar=0x0) returned 3 [0027.140] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x53, lpName=0xb7b8d0, cchName=0x104 | out: lpName="PowerShell") returned 0x0 [0027.140] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="powershell", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0027.140] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="powershell", cchWideChar=10, lpMultiByteStr=0xb7c0c0, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="powershell", lpUsedDefaultChar=0x0) returned 10 [0027.140] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x54, lpName=0xb7b8d0, cchName=0x104 | out: lpName="Print") returned 0x0 [0027.140] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="print", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0027.140] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="print", cchWideChar=5, lpMultiByteStr=0xb7c108, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="print", lpUsedDefaultChar=0x0) returned 5 [0027.140] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x55, lpName=0xb7b8d0, cchName=0x104 | out: lpName="RADAR") returned 0x0 [0027.140] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="radar", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0027.140] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="radar", cchWideChar=5, lpMultiByteStr=0xb7c0c0, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="radar", lpUsedDefaultChar=0x0) returned 5 [0027.140] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x56, lpName=0xb7b8d0, cchName=0x104 | out: lpName="Ras") returned 0x0 [0027.140] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ras", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0027.140] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ras", cchWideChar=3, lpMultiByteStr=0xb7c108, cbMultiByte=3, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ras", lpUsedDefaultChar=0x0) returned 3 [0027.140] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x57, lpName=0xb7b8d0, cchName=0x104 | out: lpName="RAS AutoDial") returned 0x0 [0027.140] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ras autodial", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0027.140] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ras autodial", cchWideChar=12, lpMultiByteStr=0xb7c0c0, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ras autodial", lpUsedDefaultChar=0x0) returned 12 [0027.140] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x58, lpName=0xb7b8d0, cchName=0x104 | out: lpName="Reliability Analysis") returned 0x0 [0027.140] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="reliability analysis", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0027.140] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="reliability analysis", cchWideChar=20, lpMultiByteStr=0xb7c108, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="reliability analysis", lpUsedDefaultChar=0x0) returned 20 [0027.140] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x59, lpName=0xb7b8d0, cchName=0x104 | out: lpName="RemovalTools") returned 0x0 [0027.140] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="removaltools", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0027.140] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="removaltools", cchWideChar=12, lpMultiByteStr=0xb7c0c0, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="removaltools", lpUsedDefaultChar=0x0) returned 12 [0027.140] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x5a, lpName=0xb7b8d0, cchName=0x104 | out: lpName="RendezvousApps") returned 0x0 [0027.141] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="rendezvousapps", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0027.141] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="rendezvousapps", cchWideChar=14, lpMultiByteStr=0xb7c108, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="rendezvousapps", lpUsedDefaultChar=0x0) returned 14 [0027.141] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x5b, lpName=0xb7b8d0, cchName=0x104 | out: lpName="Router") returned 0x0 [0027.141] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="router", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0027.141] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="router", cchWideChar=6, lpMultiByteStr=0xb7c0c0, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="router", lpUsedDefaultChar=0x0) returned 6 [0027.141] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x5c, lpName=0xb7b8d0, cchName=0x104 | out: lpName="Rpc") returned 0x0 [0027.141] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="rpc", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0027.141] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="rpc", cchWideChar=3, lpMultiByteStr=0xb7c108, cbMultiByte=3, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="rpc", lpUsedDefaultChar=0x0) returned 3 [0027.141] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x5d, lpName=0xb7b8d0, cchName=0x104 | out: lpName="SchedulingAgent") returned 0x0 [0027.141] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="schedulingagent", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0027.141] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="schedulingagent", cchWideChar=15, lpMultiByteStr=0xb7c0c0, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="schedulingagent", lpUsedDefaultChar=0x0) returned 15 [0027.141] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x5e, lpName=0xb7b8d0, cchName=0x104 | out: lpName="Schema Library") returned 0x0 [0027.141] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="schema library", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0027.141] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="schema library", cchWideChar=14, lpMultiByteStr=0xb7c108, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="schema library", lpUsedDefaultChar=0x0) returned 14 [0027.141] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x5f, lpName=0xb7b8d0, cchName=0x104 | out: lpName="Security Center") returned 0x0 [0027.141] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="security center", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0027.141] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="security center", cchWideChar=15, lpMultiByteStr=0xb7c0c0, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="security center", lpUsedDefaultChar=0x0) returned 15 [0027.141] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x60, lpName=0xb7b8d0, cchName=0x104 | out: lpName="Sensors") returned 0x0 [0027.141] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="sensors", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0027.141] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="sensors", cchWideChar=7, lpMultiByteStr=0xb7c108, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="sensors", lpUsedDefaultChar=0x0) returned 7 [0027.141] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x61, lpName=0xb7b8d0, cchName=0x104 | out: lpName="Shared") returned 0x0 [0027.141] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="shared", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0027.141] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="shared", cchWideChar=6, lpMultiByteStr=0xb7c0c0, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="shared", lpUsedDefaultChar=0x0) returned 6 [0027.141] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x62, lpName=0xb7b8d0, cchName=0x104 | out: lpName="Shared Tools") returned 0x0 [0027.141] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="shared tools", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0027.141] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="shared tools", cchWideChar=12, lpMultiByteStr=0xb7c108, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="shared tools", lpUsedDefaultChar=0x0) returned 12 [0027.141] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x63, lpName=0xb7b8d0, cchName=0x104 | out: lpName="Shared Tools Location") returned 0x0 [0027.141] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="shared tools location", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0027.142] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="shared tools location", cchWideChar=21, lpMultiByteStr=0xb7c0c0, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="shared tools location", lpUsedDefaultChar=0x0) returned 21 [0027.142] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x64, lpName=0xb7b8d0, cchName=0x104 | out: lpName="SideShow") returned 0x0 [0027.142] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="sideshow", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0027.142] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="sideshow", cchWideChar=8, lpMultiByteStr=0xb7c108, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="sideshow", lpUsedDefaultChar=0x0) returned 8 [0027.142] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x65, lpName=0xb7b8d0, cchName=0x104 | out: lpName="SnippingTool") returned 0x0 [0027.142] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="snippingtool", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0027.142] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="snippingtool", cchWideChar=12, lpMultiByteStr=0xb7c0c0, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="snippingtool", lpUsedDefaultChar=0x0) returned 12 [0027.142] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x66, lpName=0xb7b8d0, cchName=0x104 | out: lpName="Software") returned 0x0 [0027.142] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="software", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0027.142] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="software", cchWideChar=8, lpMultiByteStr=0xb7c108, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="software", lpUsedDefaultChar=0x0) returned 8 [0027.142] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x67, lpName=0xb7b8d0, cchName=0x104 | out: lpName="Speech") returned 0x0 [0027.142] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="speech", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0027.142] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="speech", cchWideChar=6, lpMultiByteStr=0xb7c0c0, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="speech", lpUsedDefaultChar=0x0) returned 6 [0027.142] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x68, lpName=0xb7b8d0, cchName=0x104 | out: lpName="SQMClient") returned 0x0 [0027.142] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="sqmclient", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0027.142] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="sqmclient", cchWideChar=9, lpMultiByteStr=0xb7c108, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="sqmclient", lpUsedDefaultChar=0x0) returned 9 [0027.142] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x69, lpName=0xb7b8d0, cchName=0x104 | out: lpName="Sync Framework") returned 0x0 [0027.142] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="sync framework", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0027.142] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="sync framework", cchWideChar=14, lpMultiByteStr=0xb7c0c0, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="sync framework", lpUsedDefaultChar=0x0) returned 14 [0027.142] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x6a, lpName=0xb7b8d0, cchName=0x104 | out: lpName="Sysprep") returned 0x0 [0027.142] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="sysprep", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0027.142] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="sysprep", cchWideChar=7, lpMultiByteStr=0xb7c108, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="sysprep", lpUsedDefaultChar=0x0) returned 7 [0027.142] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x6b, lpName=0xb7b8d0, cchName=0x104 | out: lpName="SystemCertificates") returned 0x0 [0027.142] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="systemcertificates", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0027.142] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="systemcertificates", cchWideChar=18, lpMultiByteStr=0xb7c0c0, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="systemcertificates", lpUsedDefaultChar=0x0) returned 18 [0027.142] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x6c, lpName=0xb7b8d0, cchName=0x104 | out: lpName="TableTextService") returned 0x0 [0027.142] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="tabletextservice", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0027.142] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="tabletextservice", cchWideChar=16, lpMultiByteStr=0xb7c108, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tabletextservice", lpUsedDefaultChar=0x0) returned 16 [0027.142] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x6d, lpName=0xb7b8d0, cchName=0x104 | out: lpName="TabletTip") returned 0x0 [0027.143] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="tablettip", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0027.143] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="tablettip", cchWideChar=9, lpMultiByteStr=0xb7c0c0, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tablettip", lpUsedDefaultChar=0x0) returned 9 [0027.143] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x6e, lpName=0xb7b8d0, cchName=0x104 | out: lpName="Tcpip") returned 0x0 [0027.143] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="tcpip", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0027.143] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="tcpip", cchWideChar=5, lpMultiByteStr=0xb7c108, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tcpip", lpUsedDefaultChar=0x0) returned 5 [0027.143] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x6f, lpName=0xb7b8d0, cchName=0x104 | out: lpName="Terminal Server Client") returned 0x0 [0027.143] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="terminal server client", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0027.143] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="terminal server client", cchWideChar=22, lpMultiByteStr=0xb7c0c0, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="terminal server client", lpUsedDefaultChar=0x0) returned 22 [0027.143] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x70, lpName=0xb7b8d0, cchName=0x104 | out: lpName="TermServLicensing") returned 0x0 [0027.143] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="termservlicensing", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0027.143] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="termservlicensing", cchWideChar=17, lpMultiByteStr=0xb7c108, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="termservlicensing", lpUsedDefaultChar=0x0) returned 17 [0027.143] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x71, lpName=0xb7b8d0, cchName=0x104 | out: lpName="TIP Shared") returned 0x0 [0027.143] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="tip shared", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0027.143] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="tip shared", cchWideChar=10, lpMultiByteStr=0xb7c0c0, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tip shared", lpUsedDefaultChar=0x0) returned 10 [0027.143] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x72, lpName=0xb7b8d0, cchName=0x104 | out: lpName="TPG") returned 0x0 [0027.143] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="tpg", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0027.143] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="tpg", cchWideChar=3, lpMultiByteStr=0xb7c108, cbMultiByte=3, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tpg", lpUsedDefaultChar=0x0) returned 3 [0027.143] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x73, lpName=0xb7b8d0, cchName=0x104 | out: lpName="Tpm") returned 0x0 [0027.143] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="tpm", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0027.143] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="tpm", cchWideChar=3, lpMultiByteStr=0xb7c0c0, cbMultiByte=3, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tpm", lpUsedDefaultChar=0x0) returned 3 [0027.143] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x74, lpName=0xb7b8d0, cchName=0x104 | out: lpName="Tracing") returned 0x0 [0027.143] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="tracing", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0027.143] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="tracing", cchWideChar=7, lpMultiByteStr=0xb7c108, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tracing", lpUsedDefaultChar=0x0) returned 7 [0027.143] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x75, lpName=0xb7b8d0, cchName=0x104 | out: lpName="Transaction Server") returned 0x0 [0027.143] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="transaction server", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0027.143] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="transaction server", cchWideChar=18, lpMultiByteStr=0xb7c0c0, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="transaction server", lpUsedDefaultChar=0x0) returned 18 [0027.143] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x76, lpName=0xb7b8d0, cchName=0x104 | out: lpName="TV System Services") returned 0x0 [0027.143] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="tv system services", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0027.143] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="tv system services", cchWideChar=18, lpMultiByteStr=0xb7c108, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tv system services", lpUsedDefaultChar=0x0) returned 18 [0027.144] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x77, lpName=0xb7b8d0, cchName=0x104 | out: lpName="uDRM") returned 0x0 [0027.144] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="udrm", cchWideChar=4, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 4 [0027.144] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="udrm", cchWideChar=4, lpMultiByteStr=0xb7c0c0, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="udrm", lpUsedDefaultChar=0x0) returned 4 [0027.144] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x78, lpName=0xb7b8d0, cchName=0x104 | out: lpName="Updates") returned 0x0 [0027.144] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="updates", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0027.144] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="updates", cchWideChar=7, lpMultiByteStr=0xb7c108, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="updates", lpUsedDefaultChar=0x0) returned 7 [0027.144] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x79, lpName=0xb7b8d0, cchName=0x104 | out: lpName="UPnP Device Host") returned 0x0 [0027.144] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="upnp device host", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0027.144] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="upnp device host", cchWideChar=16, lpMultiByteStr=0xb7c0c0, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="upnp device host", lpUsedDefaultChar=0x0) returned 16 [0027.144] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x7a, lpName=0xb7b8d0, cchName=0x104 | out: lpName="VBA") returned 0x0 [0027.144] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="vba", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0027.144] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="vba", cchWideChar=3, lpMultiByteStr=0xb7c108, cbMultiByte=3, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="vba", lpUsedDefaultChar=0x0) returned 3 [0027.144] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x7b, lpName=0xb7b8d0, cchName=0x104 | out: lpName="Virtual Machine") returned 0x0 [0027.144] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="virtual machine", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0027.144] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="virtual machine", cchWideChar=15, lpMultiByteStr=0xb7c0c0, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="virtual machine", lpUsedDefaultChar=0x0) returned 15 [0027.144] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x7c, lpName=0xb7b8d0, cchName=0x104 | out: lpName="VisualStudio") returned 0x0 [0027.144] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="visualstudio", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0027.144] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="visualstudio", cchWideChar=12, lpMultiByteStr=0xb7c108, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="visualstudio", lpUsedDefaultChar=0x0) returned 12 [0027.144] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x7d, lpName=0xb7b8d0, cchName=0x104 | out: lpName="WAB") returned 0x0 [0027.144] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="wab", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0027.144] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="wab", cchWideChar=3, lpMultiByteStr=0xb7c0c0, cbMultiByte=3, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="wab", lpUsedDefaultChar=0x0) returned 3 [0027.144] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x7e, lpName=0xb7b8d0, cchName=0x104 | out: lpName="WBEM") returned 0x0 [0027.144] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="wbem", cchWideChar=4, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 4 [0027.144] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="wbem", cchWideChar=4, lpMultiByteStr=0xb7c108, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="wbem", lpUsedDefaultChar=0x0) returned 4 [0027.144] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x7f, lpName=0xb7b8d0, cchName=0x104 | out: lpName="WIMMount") returned 0x0 [0027.144] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="wimmount", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0027.144] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="wimmount", cchWideChar=8, lpMultiByteStr=0xb7c0c0, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="wimmount", lpUsedDefaultChar=0x0) returned 8 [0027.144] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x80, lpName=0xb7b8d0, cchName=0x104 | out: lpName="Windows") returned 0x0 [0027.144] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="windows", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0027.145] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="windows", cchWideChar=7, lpMultiByteStr=0xb7c108, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="windows", lpUsedDefaultChar=0x0) returned 7 [0027.145] RegOpenKeyExW (in: hKey=0x3c, lpSubKey="Windows", ulOptions=0x0, samDesired=0x20109, phkResult=0x2af464 | out: phkResult=0x2af464*=0xbc) returned 0x0 [0027.145] RegCloseKey (hKey=0x3c) returned 0x0 [0027.145] RegEnumKeyW (in: hKey=0xbc, dwIndex=0x0, lpName=0xb7b8d0, cchName=0x104 | out: lpName="CurrentVersion") returned 0x0 [0027.145] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="currentversion", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0027.145] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="currentversion", cchWideChar=14, lpMultiByteStr=0xb7c0c0, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="currentversion", lpUsedDefaultChar=0x0) returned 14 [0027.145] RegOpenKeyExW (in: hKey=0xbc, lpSubKey="CurrentVersion", ulOptions=0x0, samDesired=0x20109, phkResult=0x2af464 | out: phkResult=0x2af464*=0x3c) returned 0x0 [0027.145] RegCloseKey (hKey=0xbc) returned 0x0 [0027.145] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x0, lpName=0xb7b8d0, cchName=0x104 | out: lpName="App Management") returned 0x0 [0027.145] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="app management", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0027.145] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="app management", cchWideChar=14, lpMultiByteStr=0xb7c108, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="app management", lpUsedDefaultChar=0x0) returned 14 [0027.145] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x1, lpName=0xb7b8d0, cchName=0x104 | out: lpName="App Paths") returned 0x0 [0027.145] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="app paths", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0027.145] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="app paths", cchWideChar=9, lpMultiByteStr=0xb7c0c0, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="app paths", lpUsedDefaultChar=0x0) returned 9 [0027.145] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x2, lpName=0xb7b8d0, cchName=0x104 | out: lpName="Applets") returned 0x0 [0027.145] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="applets", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0027.145] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="applets", cchWideChar=7, lpMultiByteStr=0xb7c108, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="applets", lpUsedDefaultChar=0x0) returned 7 [0027.145] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x3, lpName=0xb7b8d0, cchName=0x104 | out: lpName="Audio") returned 0x0 [0027.145] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="audio", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0027.145] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="audio", cchWideChar=5, lpMultiByteStr=0xb7c0c0, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="audio", lpUsedDefaultChar=0x0) returned 5 [0027.145] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x4, lpName=0xb7b8d0, cchName=0x104 | out: lpName="Authentication") returned 0x0 [0027.145] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="authentication", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0027.145] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="authentication", cchWideChar=14, lpMultiByteStr=0xb7c108, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="authentication", lpUsedDefaultChar=0x0) returned 14 [0027.145] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x5, lpName=0xb7b8d0, cchName=0x104 | out: lpName="BitLocker") returned 0x0 [0027.145] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="bitlocker", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0027.145] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="bitlocker", cchWideChar=9, lpMultiByteStr=0xb7c0c0, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bitlocker", lpUsedDefaultChar=0x0) returned 9 [0027.145] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x6, lpName=0xb7b8d0, cchName=0x104 | out: lpName="BITS") returned 0x0 [0027.146] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="bits", cchWideChar=4, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 4 [0027.146] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="bits", cchWideChar=4, lpMultiByteStr=0xb7c108, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bits", lpUsedDefaultChar=0x0) returned 4 [0027.146] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x7, lpName=0xb7b8d0, cchName=0x104 | out: lpName="Component Based Servicing") returned 0x0 [0027.146] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="component based servicing", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0027.146] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="component based servicing", cchWideChar=25, lpMultiByteStr=0xb7c0c0, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="component based servicing", lpUsedDefaultChar=0x0) returned 25 [0027.146] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x8, lpName=0xb7b8d0, cchName=0x104 | out: lpName="Control Panel") returned 0x0 [0027.146] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="control panel", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0027.146] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="control panel", cchWideChar=13, lpMultiByteStr=0xb7c108, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="control panel", lpUsedDefaultChar=0x0) returned 13 [0027.146] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x9, lpName=0xb7b8d0, cchName=0x104 | out: lpName="Controls Folder") returned 0x0 [0027.146] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="controls folder", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0027.146] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="controls folder", cchWideChar=15, lpMultiByteStr=0xb7c0c0, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="controls folder", lpUsedDefaultChar=0x0) returned 15 [0027.146] RegEnumKeyW (in: hKey=0x3c, dwIndex=0xa, lpName=0xb7b8d0, cchName=0x104 | out: lpName="DateTime") returned 0x0 [0027.146] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="datetime", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0027.146] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="datetime", cchWideChar=8, lpMultiByteStr=0xb7c108, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="datetime", lpUsedDefaultChar=0x0) returned 8 [0027.146] RegEnumKeyW (in: hKey=0x3c, dwIndex=0xb, lpName=0xb7b8d0, cchName=0x104 | out: lpName="Device Installer") returned 0x0 [0027.146] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="device installer", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0027.146] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="device installer", cchWideChar=16, lpMultiByteStr=0xb7c0c0, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="device installer", lpUsedDefaultChar=0x0) returned 16 [0027.146] RegEnumKeyW (in: hKey=0x3c, dwIndex=0xc, lpName=0xb7b8d0, cchName=0x104 | out: lpName="Device Metadata") returned 0x0 [0027.146] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="device metadata", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0027.146] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="device metadata", cchWideChar=15, lpMultiByteStr=0xb7c108, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="device metadata", lpUsedDefaultChar=0x0) returned 15 [0027.146] RegEnumKeyW (in: hKey=0x3c, dwIndex=0xd, lpName=0xb7b8d0, cchName=0x104 | out: lpName="Diagnostics") returned 0x0 [0027.146] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="diagnostics", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.146] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="diagnostics", cchWideChar=11, lpMultiByteStr=0xb7c0c0, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="diagnostics", lpUsedDefaultChar=0x0) returned 11 [0027.146] RegEnumKeyW (in: hKey=0x3c, dwIndex=0xe, lpName=0xb7b8d0, cchName=0x104 | out: lpName="DriverSearching") returned 0x0 [0027.146] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="driversearching", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0027.146] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="driversearching", cchWideChar=15, lpMultiByteStr=0xb7c108, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="driversearching", lpUsedDefaultChar=0x0) returned 15 [0027.146] RegEnumKeyW (in: hKey=0x3c, dwIndex=0xf, lpName=0xb7b8d0, cchName=0x104 | out: lpName="EventCollector") returned 0x0 [0027.146] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="eventcollector", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0027.146] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="eventcollector", cchWideChar=14, lpMultiByteStr=0xb7c0c0, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="eventcollector", lpUsedDefaultChar=0x0) returned 14 [0027.147] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x10, lpName=0xb7b8d0, cchName=0x104 | out: lpName="EventForwarding") returned 0x0 [0027.147] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="eventforwarding", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0027.147] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="eventforwarding", cchWideChar=15, lpMultiByteStr=0xb7c108, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="eventforwarding", lpUsedDefaultChar=0x0) returned 15 [0027.147] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x11, lpName=0xb7b8d0, cchName=0x104 | out: lpName="Explorer") returned 0x0 [0027.147] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="explorer", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0027.147] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="explorer", cchWideChar=8, lpMultiByteStr=0xb7c0c0, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="explorer", lpUsedDefaultChar=0x0) returned 8 [0027.147] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x12, lpName=0xb7b8d0, cchName=0x104 | out: lpName="Ext") returned 0x0 [0027.147] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ext", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0027.147] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ext", cchWideChar=3, lpMultiByteStr=0xb7c108, cbMultiByte=3, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ext", lpUsedDefaultChar=0x0) returned 3 [0027.147] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x13, lpName=0xb7b8d0, cchName=0x104 | out: lpName="GameUX") returned 0x0 [0027.147] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="gameux", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0027.147] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="gameux", cchWideChar=6, lpMultiByteStr=0xb7c0c0, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="gameux", lpUsedDefaultChar=0x0) returned 6 [0027.147] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x14, lpName=0xb7b8d0, cchName=0x104 | out: lpName="Group Policy") returned 0x0 [0027.147] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="group policy", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0027.147] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="group policy", cchWideChar=12, lpMultiByteStr=0xb7c108, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="group policy", lpUsedDefaultChar=0x0) returned 12 [0027.147] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x15, lpName=0xb7b8d0, cchName=0x104 | out: lpName="Hints") returned 0x0 [0027.147] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="hints", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0027.147] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="hints", cchWideChar=5, lpMultiByteStr=0xb7c0c0, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="hints", lpUsedDefaultChar=0x0) returned 5 [0027.147] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x16, lpName=0xb7b8d0, cchName=0x104 | out: lpName="HomeGroup") returned 0x0 [0027.147] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="homegroup", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0027.147] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="homegroup", cchWideChar=9, lpMultiByteStr=0xb7c108, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="homegroup", lpUsedDefaultChar=0x0) returned 9 [0027.147] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x17, lpName=0xb7b8d0, cchName=0x104 | out: lpName="HotStart") returned 0x0 [0027.147] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="hotstart", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0027.147] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="hotstart", cchWideChar=8, lpMultiByteStr=0xb7c0c0, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="hotstart", lpUsedDefaultChar=0x0) returned 8 [0027.147] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x18, lpName=0xb7b8d0, cchName=0x104 | out: lpName="IME") returned 0x0 [0027.147] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ime", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0027.147] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ime", cchWideChar=3, lpMultiByteStr=0xb7c108, cbMultiByte=3, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ime", lpUsedDefaultChar=0x0) returned 3 [0027.147] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x19, lpName=0xb7b8d0, cchName=0x104 | out: lpName="Installer") returned 0x0 [0027.147] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="installer", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0027.148] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="installer", cchWideChar=9, lpMultiByteStr=0xb7c0c0, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="installer", lpUsedDefaultChar=0x0) returned 9 [0027.148] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x1a, lpName=0xb7b8d0, cchName=0x104 | out: lpName="Internet Settings") returned 0x0 [0027.148] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="internet settings", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0027.148] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="internet settings", cchWideChar=17, lpMultiByteStr=0xb7c108, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="internet settings", lpUsedDefaultChar=0x0) returned 17 [0027.148] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x1b, lpName=0xb7b8d0, cchName=0x104 | out: lpName="MCT") returned 0x0 [0027.148] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mct", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0027.148] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mct", cchWideChar=3, lpMultiByteStr=0xb7c0c0, cbMultiByte=3, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mct", lpUsedDefaultChar=0x0) returned 3 [0027.148] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x1c, lpName=0xb7b8d0, cchName=0x104 | out: lpName="Media Center") returned 0x0 [0027.148] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="media center", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0027.148] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="media center", cchWideChar=12, lpMultiByteStr=0xb7c108, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="media center", lpUsedDefaultChar=0x0) returned 12 [0027.148] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x1d, lpName=0xb7b8d0, cchName=0x104 | out: lpName="MMDevices") returned 0x0 [0027.148] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mmdevices", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0027.148] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mmdevices", cchWideChar=9, lpMultiByteStr=0xb7c0c0, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mmdevices", lpUsedDefaultChar=0x0) returned 9 [0027.148] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x1e, lpName=0xb7b8d0, cchName=0x104 | out: lpName="MSSHA") returned 0x0 [0027.148] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mssha", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0027.148] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mssha", cchWideChar=5, lpMultiByteStr=0xb7c108, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mssha", lpUsedDefaultChar=0x0) returned 5 [0027.148] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x1f, lpName=0xb7b8d0, cchName=0x104 | out: lpName="NetCache") returned 0x0 [0027.148] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="netcache", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0027.148] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="netcache", cchWideChar=8, lpMultiByteStr=0xb7c0c0, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="netcache", lpUsedDefaultChar=0x0) returned 8 [0027.148] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x20, lpName=0xb7b8d0, cchName=0x104 | out: lpName="OEMInformation") returned 0x0 [0027.148] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="oeminformation", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0027.148] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="oeminformation", cchWideChar=14, lpMultiByteStr=0xb7c108, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="oeminformation", lpUsedDefaultChar=0x0) returned 14 [0027.148] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x21, lpName=0xb7b8d0, cchName=0x104 | out: lpName="OOBE") returned 0x0 [0027.148] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="oobe", cchWideChar=4, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 4 [0027.148] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="oobe", cchWideChar=4, lpMultiByteStr=0xb7c0c0, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="oobe", lpUsedDefaultChar=0x0) returned 4 [0027.148] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x22, lpName=0xb7b8d0, cchName=0x104 | out: lpName="OptimalLayout") returned 0x0 [0027.148] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="optimallayout", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0027.148] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="optimallayout", cchWideChar=13, lpMultiByteStr=0xb7c108, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="optimallayout", lpUsedDefaultChar=0x0) returned 13 [0027.148] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x23, lpName=0xb7b8d0, cchName=0x104 | out: lpName="Parental Controls") returned 0x0 [0027.149] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="parental controls", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0027.149] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="parental controls", cchWideChar=17, lpMultiByteStr=0xb7c0c0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="parental controls", lpUsedDefaultChar=0x0) returned 17 [0027.149] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x24, lpName=0xb7b8d0, cchName=0x104 | out: lpName="Personalization") returned 0x0 [0027.149] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="personalization", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0027.149] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="personalization", cchWideChar=15, lpMultiByteStr=0xb7c108, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="personalization", lpUsedDefaultChar=0x0) returned 15 [0027.149] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x25, lpName=0xb7b8d0, cchName=0x104 | out: lpName="PhotoPropertyHandler") returned 0x0 [0027.149] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="photopropertyhandler", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0027.149] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="photopropertyhandler", cchWideChar=20, lpMultiByteStr=0xb7c0c0, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="photopropertyhandler", lpUsedDefaultChar=0x0) returned 20 [0027.149] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x26, lpName=0xb7b8d0, cchName=0x104 | out: lpName="PnPSysprep") returned 0x0 [0027.149] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="pnpsysprep", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0027.149] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="pnpsysprep", cchWideChar=10, lpMultiByteStr=0xb7c108, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="pnpsysprep", lpUsedDefaultChar=0x0) returned 10 [0027.149] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x27, lpName=0xb7b8d0, cchName=0x104 | out: lpName="Policies") returned 0x0 [0027.149] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="policies", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0027.149] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="policies", cchWideChar=8, lpMultiByteStr=0xb7c0c0, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="policies", lpUsedDefaultChar=0x0) returned 8 [0027.149] RegOpenKeyExW (in: hKey=0x3c, lpSubKey="Policies", ulOptions=0x0, samDesired=0x20109, phkResult=0x2af464 | out: phkResult=0x2af464*=0xbc) returned 0x0 [0027.149] RegCloseKey (hKey=0x3c) returned 0x0 [0027.149] RegEnumKeyW (in: hKey=0xbc, dwIndex=0x0, lpName=0xb7b8d0, cchName=0x104 | out: lpName="ActiveDesktop") returned 0x0 [0027.149] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="activedesktop", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0027.149] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="activedesktop", cchWideChar=13, lpMultiByteStr=0xb7c108, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="activedesktop", lpUsedDefaultChar=0x0) returned 13 [0027.149] RegEnumKeyW (in: hKey=0xbc, dwIndex=0x1, lpName=0xb7b8d0, cchName=0x104 | out: lpName="Attachments") returned 0x0 [0027.149] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="attachments", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.149] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="attachments", cchWideChar=11, lpMultiByteStr=0xb7c0c0, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="attachments", lpUsedDefaultChar=0x0) returned 11 [0027.149] RegEnumKeyW (in: hKey=0xbc, dwIndex=0x2, lpName=0xb7b8d0, cchName=0x104 | out: lpName="Explorer") returned 0x0 [0027.149] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="explorer", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0027.149] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="explorer", cchWideChar=8, lpMultiByteStr=0xb7c108, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="explorer", lpUsedDefaultChar=0x0) returned 8 [0027.149] RegEnumKeyW (in: hKey=0xbc, dwIndex=0x3, lpName=0xb7b8d0, cchName=0x104 | out: lpName="NonEnum") returned 0x0 [0027.149] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="nonenum", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0027.149] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="nonenum", cchWideChar=7, lpMultiByteStr=0xb7c0c0, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="nonenum", lpUsedDefaultChar=0x0) returned 7 [0027.150] RegEnumKeyW (in: hKey=0xbc, dwIndex=0x4, lpName=0xb7b8d0, cchName=0x104 | out: lpName="System") returned 0x0 [0027.150] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="system", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0027.150] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="system", cchWideChar=6, lpMultiByteStr=0xb7c108, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="system", lpUsedDefaultChar=0x0) returned 6 [0027.150] RegOpenKeyExW (in: hKey=0xbc, lpSubKey="System", ulOptions=0x0, samDesired=0x20109, phkResult=0x2af464 | out: phkResult=0x2af464*=0x3c) returned 0x0 [0027.150] RegCloseKey (hKey=0xbc) returned 0x0 [0027.150] RegEnumValueA (in: hKey=0x3c, dwIndex=0x0, lpValueName=0x2af380, lpcchValueName=0x2af37c, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="ConsentPromptBehaviorAdmin", lpcchValueName=0x2af37c, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0027.150] RegEnumValueA (in: hKey=0x3c, dwIndex=0x1, lpValueName=0x2af380, lpcchValueName=0x2af37c, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="ConsentPromptBehaviorUser", lpcchValueName=0x2af37c, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0027.150] RegEnumValueA (in: hKey=0x3c, dwIndex=0x2, lpValueName=0x2af380, lpcchValueName=0x2af37c, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="EnableInstallerDetection", lpcchValueName=0x2af37c, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0027.150] RegEnumValueA (in: hKey=0x3c, dwIndex=0x3, lpValueName=0x2af380, lpcchValueName=0x2af37c, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="EnableLUA", lpcchValueName=0x2af37c, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0027.150] RegEnumValueA (in: hKey=0x3c, dwIndex=0x4, lpValueName=0x2af380, lpcchValueName=0x2af37c, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="EnableSecureUIAPaths", lpcchValueName=0x2af37c, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0027.150] RegEnumValueA (in: hKey=0x3c, dwIndex=0x5, lpValueName=0x2af380, lpcchValueName=0x2af37c, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="EnableUIADesktopToggle", lpcchValueName=0x2af37c, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0027.150] RegEnumValueA (in: hKey=0x3c, dwIndex=0x6, lpValueName=0x2af380, lpcchValueName=0x2af37c, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="EnableVirtualization", lpcchValueName=0x2af37c, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0027.150] RegEnumValueA (in: hKey=0x3c, dwIndex=0x7, lpValueName=0x2af380, lpcchValueName=0x2af37c, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="PromptOnSecureDesktop", lpcchValueName=0x2af37c, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0027.150] RegEnumValueA (in: hKey=0x3c, dwIndex=0x8, lpValueName=0x2af380, lpcchValueName=0x2af37c, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="ValidateAdminCodeSignatures", lpcchValueName=0x2af37c, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0027.150] RegEnumValueA (in: hKey=0x3c, dwIndex=0x9, lpValueName=0x2af380, lpcchValueName=0x2af37c, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="dontdisplaylastusername", lpcchValueName=0x2af37c, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0027.150] RegEnumValueA (in: hKey=0x3c, dwIndex=0xa, lpValueName=0x2af380, lpcchValueName=0x2af37c, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="legalnoticecaption", lpcchValueName=0x2af37c, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0027.150] RegEnumValueA (in: hKey=0x3c, dwIndex=0xb, lpValueName=0x2af380, lpcchValueName=0x2af37c, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="legalnoticetext", lpcchValueName=0x2af37c, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0027.150] RegEnumValueA (in: hKey=0x3c, dwIndex=0xc, lpValueName=0x2af380, lpcchValueName=0x2af37c, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="scforceoption", lpcchValueName=0x2af37c, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0027.151] RegEnumValueA (in: hKey=0x3c, dwIndex=0xd, lpValueName=0x2af380, lpcchValueName=0x2af37c, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="shutdownwithoutlogon", lpcchValueName=0x2af37c, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0027.151] RegEnumValueA (in: hKey=0x3c, dwIndex=0xe, lpValueName=0x2af380, lpcchValueName=0x2af37c, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="undockwithoutlogon", lpcchValueName=0x2af37c, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0027.151] RegEnumValueA (in: hKey=0x3c, dwIndex=0xf, lpValueName=0x2af380, lpcchValueName=0x2af37c, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="FilterAdministratorToken", lpcchValueName=0x2af37c, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0027.151] RegEnumValueA (in: hKey=0x3c, dwIndex=0x10, lpValueName=0x2af380, lpcchValueName=0x2af37c, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="FilterAdministratorToken", lpcchValueName=0x2af37c, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x103 [0027.151] RegQueryValueExA (in: hKey=0x3c, lpValueName="EnableLUA", lpReserved=0x0, lpType=0x2af48c, lpData=0x0, lpcbData=0x2af494*=0x0 | out: lpType=0x2af48c*=0x4, lpData=0x0, lpcbData=0x2af494*=0x4) returned 0x0 [0027.151] RegQueryValueExA (in: hKey=0x3c, lpValueName="EnableLUA", lpReserved=0x0, lpType=0x2af48c, lpData=0xb7c420, lpcbData=0x2af494*=0x4 | out: lpType=0x2af48c*=0x4, lpData=0xb7c420*=0x1, lpcbData=0x2af494*=0x4) returned 0x0 [0027.151] RegCloseKey (hKey=0x3c) returned 0x0 [0027.151] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x2af508 | out: TokenHandle=0x2af508*=0x3c) returned 1 [0027.151] GetTokenInformation (in: TokenHandle=0x3c, TokenInformationClass=0x14, TokenInformation=0x2af504, TokenInformationLength=0x4, ReturnLength=0x2af500 | out: TokenInformation=0x2af504, ReturnLength=0x2af500) returned 1 [0027.151] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x2af4f4 | out: TokenHandle=0x2af4f4*=0xbc) returned 1 [0027.151] GetTokenInformation (in: TokenHandle=0xbc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x2af4f0 | out: TokenInformation=0x0, ReturnLength=0x2af4f0) returned 0 [0027.151] GetTokenInformation (in: TokenHandle=0xbc, TokenInformationClass=0x19, TokenInformation=0xb7c588, TokenInformationLength=0x14, ReturnLength=0x2af4f0 | out: TokenInformation=0xb7c588, ReturnLength=0x2af4f0) returned 1 [0027.151] GetSidSubAuthorityCount (pSid=0xb7c590*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x3000)) returned 0xb7c591 [0027.151] GetSidSubAuthority (pSid=0xb7c590*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x3000), nSubAuthority=0x0) returned 0xb7c598 [0027.151] NtClose (Handle=0xbc) returned 0x0 [0027.152] ConvertStringSecurityDescriptorToSecurityDescriptorW () returned 0x1 [0027.155] GetSecurityDescriptorSacl (in: pSecurityDescriptor=0x4098c8, lpbSaclPresent=0x2af5b0, pSacl=0x2af608, lpbSaclDefaulted=0x2af5b0 | out: lpbSaclPresent=0x2af5b0, pSacl=0x2af608, lpbSaclDefaulted=0x2af5b0) returned 1 [0027.155] CreateMutexA (lpMutexAttributes=0x2af5fc, bInitialOwner=0, lpName="") returned 0x100 [0027.155] GetLastError () returned 0x0 [0027.155] LocalFree (hMem=0x4098c8) returned 0x0 [0027.155] CryptAcquireContextW (in: phProv=0x2af628, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x2af628*=0x408388) returned 1 [0027.167] ConvertStringSecurityDescriptorToSecurityDescriptorW () returned 0x1 [0027.168] GetSecurityDescriptorSacl (in: pSecurityDescriptor=0x4098c8, lpbSaclPresent=0x2af5cc, pSacl=0x2af630, lpbSaclDefaulted=0x2af5cc | out: lpbSaclPresent=0x2af5cc, pSacl=0x2af630, lpbSaclDefaulted=0x2af5cc) returned 1 [0027.168] CreateEventA (lpEventAttributes=0x2af624, bManualReset=1, bInitialState=0, lpName="") returned 0x104 [0027.168] GetLastError () returned 0x0 [0027.168] LocalFree (hMem=0x4098c8) returned 0x0 [0027.168] ConvertStringSecurityDescriptorToSecurityDescriptorW () returned 0x1 [0027.169] GetSecurityDescriptorSacl (in: pSecurityDescriptor=0x4098c8, lpbSaclPresent=0x2af5cc, pSacl=0x2af630, lpbSaclDefaulted=0x2af5cc | out: lpbSaclPresent=0x2af5cc, pSacl=0x2af630, lpbSaclDefaulted=0x2af5cc) returned 1 [0027.169] CreateEventA (lpEventAttributes=0x2af624, bManualReset=1, bInitialState=0, lpName="") returned 0x108 [0027.169] GetLastError () returned 0x0 [0027.169] LocalFree (hMem=0x4098c8) returned 0x0 [0027.169] ConvertStringSecurityDescriptorToSecurityDescriptorW () returned 0x1 [0027.169] GetSecurityDescriptorSacl (in: pSecurityDescriptor=0x4098c8, lpbSaclPresent=0x2af5cc, pSacl=0x2af630, lpbSaclDefaulted=0x2af5cc | out: lpbSaclPresent=0x2af5cc, pSacl=0x2af630, lpbSaclDefaulted=0x2af5cc) returned 1 [0027.169] CreateEventA (lpEventAttributes=0x2af624, bManualReset=1, bInitialState=0, lpName="") returned 0x110 [0027.170] GetLastError () returned 0x0 [0027.170] LocalFree (hMem=0x4098c8) returned 0x0 [0027.170] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xb7c270, cbMultiByte=10, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 10 [0027.170] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xb7c270, cbMultiByte=10, lpWideCharStr=0xb7bb58, cchWideChar=10 | out: lpWideCharStr="svsho*.exe") returned 10 [0027.170] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xb7c1e0, cbMultiByte=10, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 10 [0027.170] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xb7c1e0, cbMultiByte=10, lpWideCharStr=0xb7fdc0, cchWideChar=10 | out: lpWideCharStr="schre*.bat") returned 10 [0027.170] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xb7c198, cbMultiByte=7, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0027.170] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xb7c198, cbMultiByte=7, lpWideCharStr=0xb7fe48, cchWideChar=7 | out: lpWideCharStr="V01.lo*") returned 7 [0027.170] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xb7c150, cbMultiByte=7, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0027.170] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xb7c150, cbMultiByte=7, lpWideCharStr=0xb7fed0, cchWideChar=7 | out: lpWideCharStr="V01.ch*") returned 7 [0027.170] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xb7c108, cbMultiByte=11, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 11 [0027.170] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xb7c108, cbMultiByte=11, lpWideCharStr=0xb7ff58, cchWideChar=11 | out: lpWideCharStr="V01res*.jrs") returned 11 [0027.170] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xb7c0c0, cbMultiByte=11, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 11 [0027.170] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xb7c0c0, cbMultiByte=11, lpWideCharStr=0x9b0448, cchWideChar=11 | out: lpWideCharStr="RacWmi*.sdf") returned 11 [0027.170] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xb7c228, cbMultiByte=11, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 11 [0027.170] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xb7c228, cbMultiByte=11, lpWideCharStr=0x9b05f8, cchWideChar=11 | out: lpWideCharStr="Web*V01.dat") returned 11 [0027.170] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xb7c108, cbMultiByte=25, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 25 [0027.170] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xb7c108, cbMultiByte=25, lpWideCharStr=0x9b0680, cchWideChar=25 | out: lpWideCharStr="System Volume Information") returned 25 [0027.170] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xb7c150, cbMultiByte=12, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 12 [0027.170] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xb7c150, cbMultiByte=12, lpWideCharStr=0x9b0708, cchWideChar=12 | out: lpWideCharStr="$RECYCLE.BIN") returned 12 [0027.170] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xb7c198, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0027.170] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xb7c198, cbMultiByte=8, lpWideCharStr=0x9b0790, cchWideChar=8 | out: lpWideCharStr="WebCache") returned 8 [0027.170] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xb7c228, cbMultiByte=6, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 6 [0027.170] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xb7c228, cbMultiByte=6, lpWideCharStr=0x9b0818, cchWideChar=6 | out: lpWideCharStr="Caches") returned 6 [0027.170] ExpandEnvironmentStringsA (in: lpSrc="%ProgramData%\\Microsoft\\Windows\\WER\\ReportQueue\\", lpDst=0x9b2558, nSize=0x2800 | out: lpDst="C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\") returned 0x32 [0027.171] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x9b2558, cbMultiByte=49, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 49 [0027.171] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x9b2558, cbMultiByte=49, lpWideCharStr=0x9b08a0, cchWideChar=49 | out: lpWideCharStr="C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\") returned 49 [0027.171] ExpandEnvironmentStringsA (in: lpSrc="%windir%", lpDst=0x9b2558, nSize=0x2800 | out: lpDst="C:\\Windows") returned 0xb [0027.171] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x9b2558, cbMultiByte=10, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 10 [0027.171] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x9b2558, cbMultiByte=10, lpWideCharStr=0x9b0928, cchWideChar=10 | out: lpWideCharStr="C:\\Windows") returned 10 [0027.171] ExpandEnvironmentStringsA (in: lpSrc="%temp%", lpDst=0x9b2558, nSize=0x2800 | out: lpDst="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned 0x25 [0027.171] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x9b2558, cbMultiByte=36, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 36 [0027.171] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x9b2558, cbMultiByte=36, lpWideCharStr=0x9b09b0, cchWideChar=36 | out: lpWideCharStr="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned 36 [0027.171] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xb7c108, cbMultiByte=7, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0027.171] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xb7c108, cbMultiByte=7, lpWideCharStr=0x9b0a38, cchWideChar=7 | out: lpWideCharStr=".locked") returned 7 [0027.171] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xb7c468, cbMultiByte=11, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 11 [0027.171] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xb7c468, cbMultiByte=11, lpWideCharStr=0x9b0ac0, cchWideChar=11 | out: lpWideCharStr=".readme_txt") returned 11 [0027.171] WaitForSingleObject (hHandle=0x100, dwMilliseconds=0xffffffff) returned 0x0 [0027.171] GetSystemWow64DirectoryW (in: lpBuffer=0x9b77f8, uSize=0x40 | out: lpBuffer="C:\\Windows\\SysWOW64") returned 0x13 [0027.171] FindFirstFileExW (in: lpFileName="C:\\Windows\\SysWOW64\\*.dll", fInfoLevelId=0x1, lpFindFileData=0x2af35c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2af35c) returned 0x409860 [0027.172] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AACLIENT.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0027.172] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AACLIENT.DLL", cchWideChar=12, lpMultiByteStr=0xb7c8a0, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AACLIENT.DLL", lpUsedDefaultChar=0x0) returned 12 [0027.172] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.172] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ACCESSIBILITYCPL.DLL", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0027.172] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ACCESSIBILITYCPL.DLL", cchWideChar=20, lpMultiByteStr=0xb7c8e8, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ACCESSIBILITYCPL.DLL", lpUsedDefaultChar=0x0) returned 20 [0027.173] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.173] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ACCTRES.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.173] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ACCTRES.DLL", cchWideChar=11, lpMultiByteStr=0xb7c8a0, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ACCTRES.DLL", lpUsedDefaultChar=0x0) returned 11 [0027.173] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.173] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ACLEDIT.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.173] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ACLEDIT.DLL", cchWideChar=11, lpMultiByteStr=0xb7c8e8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ACLEDIT.DLL", lpUsedDefaultChar=0x0) returned 11 [0027.173] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.173] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ACLUI.DLL", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0027.173] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ACLUI.DLL", cchWideChar=9, lpMultiByteStr=0xb7c8a0, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ACLUI.DLL", lpUsedDefaultChar=0x0) returned 9 [0027.173] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.173] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ACPPAGE.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.173] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ACPPAGE.DLL", cchWideChar=11, lpMultiByteStr=0xb7c8e8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ACPPAGE.DLL", lpUsedDefaultChar=0x0) returned 11 [0027.173] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.173] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ACTIONCENTER.DLL", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0027.173] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ACTIONCENTER.DLL", cchWideChar=16, lpMultiByteStr=0xb7c8a0, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ACTIONCENTER.DLL", lpUsedDefaultChar=0x0) returned 16 [0027.173] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.173] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ACTIONCENTERCPL.DLL", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0027.173] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ACTIONCENTERCPL.DLL", cchWideChar=19, lpMultiByteStr=0xb7c8e8, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ACTIONCENTERCPL.DLL", lpUsedDefaultChar=0x0) returned 19 [0027.173] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.173] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ACTIVEDS.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0027.173] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ACTIVEDS.DLL", cchWideChar=12, lpMultiByteStr=0xb7c8a0, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ACTIVEDS.DLL", lpUsedDefaultChar=0x0) returned 12 [0027.173] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.173] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ACTXPRXY.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0027.173] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ACTXPRXY.DLL", cchWideChar=12, lpMultiByteStr=0xb7c8e8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ACTXPRXY.DLL", lpUsedDefaultChar=0x0) returned 12 [0027.173] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.173] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ADMPARSE.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0027.173] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ADMPARSE.DLL", cchWideChar=12, lpMultiByteStr=0xb7c8a0, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ADMPARSE.DLL", lpUsedDefaultChar=0x0) returned 12 [0027.173] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.173] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ADMTMPL.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.173] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ADMTMPL.DLL", cchWideChar=11, lpMultiByteStr=0xb7c8e8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ADMTMPL.DLL", lpUsedDefaultChar=0x0) returned 11 [0027.173] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.173] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ADPROVIDER.DLL", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0027.173] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ADPROVIDER.DLL", cchWideChar=14, lpMultiByteStr=0xb7c8a0, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ADPROVIDER.DLL", lpUsedDefaultChar=0x0) returned 14 [0027.174] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.174] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ADSLDP.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0027.174] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ADSLDP.DLL", cchWideChar=10, lpMultiByteStr=0xb7c8e8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ADSLDP.DLL", lpUsedDefaultChar=0x0) returned 10 [0027.174] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.174] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ADSLDPC.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.174] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ADSLDPC.DLL", cchWideChar=11, lpMultiByteStr=0xb7c8a0, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ADSLDPC.DLL", lpUsedDefaultChar=0x0) returned 11 [0027.174] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.174] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ADSMSEXT.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0027.174] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ADSMSEXT.DLL", cchWideChar=12, lpMultiByteStr=0xb7c8e8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ADSMSEXT.DLL", lpUsedDefaultChar=0x0) returned 12 [0027.174] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.174] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ADSNT.DLL", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0027.174] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ADSNT.DLL", cchWideChar=9, lpMultiByteStr=0xb7c8a0, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ADSNT.DLL", lpUsedDefaultChar=0x0) returned 9 [0027.174] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.174] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ADTSCHEMA.DLL", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0027.174] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ADTSCHEMA.DLL", cchWideChar=13, lpMultiByteStr=0xb7c8e8, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ADTSCHEMA.DLL", lpUsedDefaultChar=0x0) returned 13 [0027.174] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.174] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ADVAPI32.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0027.174] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ADVAPI32.DLL", cchWideChar=12, lpMultiByteStr=0xb7c8a0, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ADVAPI32.DLL", lpUsedDefaultChar=0x0) returned 12 [0027.174] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.174] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ADVPACK.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.174] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ADVPACK.DLL", cchWideChar=11, lpMultiByteStr=0xb7c8e8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ADVPACK.DLL", lpUsedDefaultChar=0x0) returned 11 [0027.174] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.174] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AECACHE.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.174] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AECACHE.DLL", cchWideChar=11, lpMultiByteStr=0xb7c8a0, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AECACHE.DLL", lpUsedDefaultChar=0x0) returned 11 [0027.174] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.174] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AEEVTS.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0027.174] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AEEVTS.DLL", cchWideChar=10, lpMultiByteStr=0xb7c8e8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AEEVTS.DLL", lpUsedDefaultChar=0x0) returned 10 [0027.174] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.174] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ALTTAB.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0027.174] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ALTTAB.DLL", cchWideChar=10, lpMultiByteStr=0xb7c8a0, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ALTTAB.DLL", lpUsedDefaultChar=0x0) returned 10 [0027.174] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.174] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AMSTREAM.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0027.174] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AMSTREAM.DLL", cchWideChar=12, lpMultiByteStr=0xb7c8e8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AMSTREAM.DLL", lpUsedDefaultChar=0x0) returned 12 [0027.174] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.175] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AMXREAD.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.175] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AMXREAD.DLL", cchWideChar=11, lpMultiByteStr=0xb7c8a0, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AMXREAD.DLL", lpUsedDefaultChar=0x0) returned 11 [0027.175] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.175] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="APDS.DLL", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0027.175] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="APDS.DLL", cchWideChar=8, lpMultiByteStr=0xb7c8e8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="APDS.DLL", lpUsedDefaultChar=0x0) returned 8 [0027.175] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.175] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-CONSOLE-L1-1-0.DLL", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0027.175] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-CONSOLE-L1-1-0.DLL", cchWideChar=34, lpMultiByteStr=0xb7c8a0, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-CONSOLE-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 34 [0027.175] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.175] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-DATETIME-L1-1-0.DLL", cchWideChar=35, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 35 [0027.175] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-DATETIME-L1-1-0.DLL", cchWideChar=35, lpMultiByteStr=0xb7c8e8, cbMultiByte=35, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-DATETIME-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 35 [0027.175] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.175] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-DEBUG-L1-1-0.DLL", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0027.175] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-DEBUG-L1-1-0.DLL", cchWideChar=32, lpMultiByteStr=0xb7c8a0, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-DEBUG-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 32 [0027.175] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.175] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-DELAYLOAD-L1-1-0.DLL", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0027.175] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-DELAYLOAD-L1-1-0.DLL", cchWideChar=36, lpMultiByteStr=0xb7c8e8, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-DELAYLOAD-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 36 [0027.175] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.175] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-ERRORHANDLING-L1-1-0.DLL", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0027.175] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-ERRORHANDLING-L1-1-0.DLL", cchWideChar=40, lpMultiByteStr=0xb7c8a0, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-ERRORHANDLING-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 40 [0027.175] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.175] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-FIBERS-L1-1-0.DLL", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0027.175] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-FIBERS-L1-1-0.DLL", cchWideChar=33, lpMultiByteStr=0xb7c8e8, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-FIBERS-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 33 [0027.175] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.175] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-FILE-L1-1-0.DLL", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0027.175] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-FILE-L1-1-0.DLL", cchWideChar=31, lpMultiByteStr=0xb7c8a0, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-FILE-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 31 [0027.175] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.175] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-FILE-L1-2-0.DLL", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0027.175] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-FILE-L1-2-0.DLL", cchWideChar=31, lpMultiByteStr=0xb7c8e8, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-FILE-L1-2-0.DLL", lpUsedDefaultChar=0x0) returned 31 [0027.175] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.175] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-FILE-L2-1-0.DLL", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0027.175] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-FILE-L2-1-0.DLL", cchWideChar=31, lpMultiByteStr=0xb7c8a0, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-FILE-L2-1-0.DLL", lpUsedDefaultChar=0x0) returned 31 [0027.175] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.176] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-HANDLE-L1-1-0.DLL", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0027.176] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-HANDLE-L1-1-0.DLL", cchWideChar=33, lpMultiByteStr=0xb7c8e8, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-HANDLE-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 33 [0027.176] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.176] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-HEAP-L1-1-0.DLL", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0027.176] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-HEAP-L1-1-0.DLL", cchWideChar=31, lpMultiByteStr=0xb7c8a0, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-HEAP-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 31 [0027.176] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.176] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-INTERLOCKED-L1-1-0.DLL", cchWideChar=38, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 38 [0027.176] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-INTERLOCKED-L1-1-0.DLL", cchWideChar=38, lpMultiByteStr=0xb7c8e8, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-INTERLOCKED-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 38 [0027.176] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.176] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-IO-L1-1-0.DLL", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0027.176] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-IO-L1-1-0.DLL", cchWideChar=29, lpMultiByteStr=0xb7c8a0, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-IO-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 29 [0027.176] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.176] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0.DLL", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0027.176] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0.DLL", cchWideChar=40, lpMultiByteStr=0xb7c8e8, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 40 [0027.176] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.176] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-LOCALIZATION-L1-1-0.DLL", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0027.176] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-LOCALIZATION-L1-1-0.DLL", cchWideChar=39, lpMultiByteStr=0xb7c8a0, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-LOCALIZATION-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 39 [0027.176] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.176] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-LOCALIZATION-L1-2-0.DLL", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0027.176] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-LOCALIZATION-L1-2-0.DLL", cchWideChar=39, lpMultiByteStr=0xb7c8e8, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-LOCALIZATION-L1-2-0.DLL", lpUsedDefaultChar=0x0) returned 39 [0027.176] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.176] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-LOCALREGISTRY-L1-1-0.DLL", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0027.176] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-LOCALREGISTRY-L1-1-0.DLL", cchWideChar=40, lpMultiByteStr=0xb7c8a0, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-LOCALREGISTRY-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 40 [0027.176] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.176] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-MEMORY-L1-1-0.DLL", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0027.177] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-MEMORY-L1-1-0.DLL", cchWideChar=33, lpMultiByteStr=0xb7c8e8, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-MEMORY-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 33 [0027.177] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.177] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-MISC-L1-1-0.DLL", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0027.177] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-MISC-L1-1-0.DLL", cchWideChar=31, lpMultiByteStr=0xb7c8a0, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-MISC-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 31 [0027.177] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.177] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-NAMEDPIPE-L1-1-0.DLL", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0027.177] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-NAMEDPIPE-L1-1-0.DLL", cchWideChar=36, lpMultiByteStr=0xb7c8e8, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-NAMEDPIPE-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 36 [0027.177] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.177] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0.DLL", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0027.177] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0.DLL", cchWideChar=45, lpMultiByteStr=0xb7c8a0, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 45 [0027.177] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.177] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0.DLL", cchWideChar=41, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 41 [0027.177] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0.DLL", cchWideChar=41, lpMultiByteStr=0xb7c8e8, cbMultiByte=41, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 41 [0027.177] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.177] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-PROCESSTHREADS-L1-1-1.DLL", cchWideChar=41, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 41 [0027.177] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-PROCESSTHREADS-L1-1-1.DLL", cchWideChar=41, lpMultiByteStr=0xb7c8a0, cbMultiByte=41, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-PROCESSTHREADS-L1-1-1.DLL", lpUsedDefaultChar=0x0) returned 41 [0027.177] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.177] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-PROFILE-L1-1-0.DLL", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0027.177] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-PROFILE-L1-1-0.DLL", cchWideChar=34, lpMultiByteStr=0xb7c8e8, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-PROFILE-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 34 [0027.177] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.177] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-RTLSUPPORT-L1-1-0.DLL", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0027.177] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-RTLSUPPORT-L1-1-0.DLL", cchWideChar=37, lpMultiByteStr=0xb7c8a0, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-RTLSUPPORT-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 37 [0027.177] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.177] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-STRING-L1-1-0.DLL", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0027.177] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-STRING-L1-1-0.DLL", cchWideChar=33, lpMultiByteStr=0xb7c8e8, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-STRING-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 33 [0027.177] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.177] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-SYNCH-L1-1-0.DLL", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0027.177] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-SYNCH-L1-1-0.DLL", cchWideChar=32, lpMultiByteStr=0xb7c8a0, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-SYNCH-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 32 [0027.177] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.178] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-SYNCH-L1-2-0.DLL", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0027.178] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-SYNCH-L1-2-0.DLL", cchWideChar=32, lpMultiByteStr=0xb7c8e8, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-SYNCH-L1-2-0.DLL", lpUsedDefaultChar=0x0) returned 32 [0027.178] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.178] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-SYSINFO-L1-1-0.DLL", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0027.178] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-SYSINFO-L1-1-0.DLL", cchWideChar=34, lpMultiByteStr=0xb7c8a0, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-SYSINFO-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 34 [0027.178] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.178] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-THREADPOOL-L1-1-0.DLL", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0027.178] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-THREADPOOL-L1-1-0.DLL", cchWideChar=37, lpMultiByteStr=0xb7c8e8, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-THREADPOOL-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 37 [0027.178] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.178] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-TIMEZONE-L1-1-0.DLL", cchWideChar=35, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 35 [0027.178] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-TIMEZONE-L1-1-0.DLL", cchWideChar=35, lpMultiByteStr=0xb7c8a0, cbMultiByte=35, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-TIMEZONE-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 35 [0027.178] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.178] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-UTIL-L1-1-0.DLL", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0027.178] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-UTIL-L1-1-0.DLL", cchWideChar=31, lpMultiByteStr=0xb7c8e8, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-UTIL-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 31 [0027.178] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.178] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-XSTATE-L1-1-0.DLL", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0027.178] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-XSTATE-L1-1-0.DLL", cchWideChar=33, lpMultiByteStr=0xb7c8a0, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-XSTATE-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 33 [0027.178] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.178] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-XSTATE-L2-1-0.DLL", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0027.178] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-XSTATE-L2-1-0.DLL", cchWideChar=33, lpMultiByteStr=0xb7c8e8, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-XSTATE-L2-1-0.DLL", lpUsedDefaultChar=0x0) returned 33 [0027.178] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.178] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-CONIO-L1-1-0.DLL", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0027.178] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-CONIO-L1-1-0.DLL", cchWideChar=31, lpMultiByteStr=0xb7c8a0, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CRT-CONIO-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 31 [0027.178] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.178] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-CONVERT-L1-1-0.DLL", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0027.178] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-CONVERT-L1-1-0.DLL", cchWideChar=33, lpMultiByteStr=0xb7c8e8, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CRT-CONVERT-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 33 [0027.178] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.178] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-ENVIRONMENT-L1-1-0.DLL", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0027.178] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-ENVIRONMENT-L1-1-0.DLL", cchWideChar=37, lpMultiByteStr=0xb7c8a0, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CRT-ENVIRONMENT-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 37 [0027.178] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.178] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-FILESYSTEM-L1-1-0.DLL", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0027.178] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-FILESYSTEM-L1-1-0.DLL", cchWideChar=36, lpMultiByteStr=0xb7c8e8, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CRT-FILESYSTEM-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 36 [0027.178] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.178] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-HEAP-L1-1-0.DLL", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0027.179] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-HEAP-L1-1-0.DLL", cchWideChar=30, lpMultiByteStr=0xb7c8a0, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CRT-HEAP-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 30 [0027.179] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.179] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-LOCALE-L1-1-0.DLL", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0027.179] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-LOCALE-L1-1-0.DLL", cchWideChar=32, lpMultiByteStr=0xb7c8e8, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CRT-LOCALE-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 32 [0027.179] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.179] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-MATH-L1-1-0.DLL", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0027.179] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-MATH-L1-1-0.DLL", cchWideChar=30, lpMultiByteStr=0xb7c8a0, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CRT-MATH-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 30 [0027.179] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.179] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-MULTIBYTE-L1-1-0.DLL", cchWideChar=35, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 35 [0027.179] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-MULTIBYTE-L1-1-0.DLL", cchWideChar=35, lpMultiByteStr=0xb7c8e8, cbMultiByte=35, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CRT-MULTIBYTE-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 35 [0027.179] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.179] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-PRIVATE-L1-1-0.DLL", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0027.179] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-PRIVATE-L1-1-0.DLL", cchWideChar=33, lpMultiByteStr=0xb7c8a0, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CRT-PRIVATE-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 33 [0027.179] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.179] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-PROCESS-L1-1-0.DLL", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0027.179] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-PROCESS-L1-1-0.DLL", cchWideChar=33, lpMultiByteStr=0xb7c8e8, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CRT-PROCESS-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 33 [0027.179] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.179] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-RUNTIME-L1-1-0.DLL", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0027.179] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-RUNTIME-L1-1-0.DLL", cchWideChar=33, lpMultiByteStr=0xb7c8a0, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CRT-RUNTIME-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 33 [0027.179] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.179] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-STDIO-L1-1-0.DLL", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0027.179] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-STDIO-L1-1-0.DLL", cchWideChar=31, lpMultiByteStr=0xb7c8e8, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CRT-STDIO-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 31 [0027.179] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.179] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-STRING-L1-1-0.DLL", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0027.179] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-STRING-L1-1-0.DLL", cchWideChar=32, lpMultiByteStr=0xb7c8a0, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CRT-STRING-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 32 [0027.179] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.179] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-TIME-L1-1-0.DLL", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0027.179] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-TIME-L1-1-0.DLL", cchWideChar=30, lpMultiByteStr=0xb7c8e8, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CRT-TIME-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 30 [0027.179] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.179] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-UTILITY-L1-1-0.DLL", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0027.179] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-UTILITY-L1-1-0.DLL", cchWideChar=33, lpMultiByteStr=0xb7c8a0, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CRT-UTILITY-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 33 [0027.179] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.179] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-EVENTING-PROVIDER-L1-1-0.DLL", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0027.180] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-EVENTING-PROVIDER-L1-1-0.DLL", cchWideChar=39, lpMultiByteStr=0xb7c8e8, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-EVENTING-PROVIDER-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 39 [0027.180] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.180] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-SECURITY-BASE-L1-1-0.DLL", cchWideChar=35, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 35 [0027.180] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-SECURITY-BASE-L1-1-0.DLL", cchWideChar=35, lpMultiByteStr=0xb7c8a0, cbMultiByte=35, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-SECURITY-BASE-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 35 [0027.180] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.180] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-SECURITY-LSALOOKUP-L1-1-0.DLL", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0027.180] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-SECURITY-LSALOOKUP-L1-1-0.DLL", cchWideChar=40, lpMultiByteStr=0xb7c8e8, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-SECURITY-LSALOOKUP-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 40 [0027.180] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.180] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-SECURITY-SDDL-L1-1-0.DLL", cchWideChar=35, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 35 [0027.180] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-SECURITY-SDDL-L1-1-0.DLL", cchWideChar=35, lpMultiByteStr=0xb7c8a0, cbMultiByte=35, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-SECURITY-SDDL-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 35 [0027.180] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.180] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-SERVICE-CORE-L1-1-0.DLL", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0027.180] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-SERVICE-CORE-L1-1-0.DLL", cchWideChar=34, lpMultiByteStr=0xb7c8e8, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-SERVICE-CORE-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 34 [0027.180] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.180] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-SERVICE-MANAGEMENT-L1-1-0.DLL", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0027.180] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-SERVICE-MANAGEMENT-L1-1-0.DLL", cchWideChar=40, lpMultiByteStr=0xb7c8a0, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-SERVICE-MANAGEMENT-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 40 [0027.180] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.180] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-SERVICE-MANAGEMENT-L2-1-0.DLL", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0027.180] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-SERVICE-MANAGEMENT-L2-1-0.DLL", cchWideChar=40, lpMultiByteStr=0xb7c8e8, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-SERVICE-MANAGEMENT-L2-1-0.DLL", lpUsedDefaultChar=0x0) returned 40 [0027.180] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.180] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-SERVICE-WINSVC-L1-1-0.DLL", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0027.180] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-SERVICE-WINSVC-L1-1-0.DLL", cchWideChar=36, lpMultiByteStr=0xb7c8a0, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-SERVICE-WINSVC-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 36 [0027.180] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.180] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="APILOGEN.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0027.180] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="APILOGEN.DLL", cchWideChar=12, lpMultiByteStr=0xb7c8e8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="APILOGEN.DLL", lpUsedDefaultChar=0x0) returned 12 [0027.180] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.180] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="APIRCL.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0027.180] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="APIRCL.DLL", cchWideChar=10, lpMultiByteStr=0xb7c8a0, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="APIRCL.DLL", lpUsedDefaultChar=0x0) returned 10 [0027.180] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.180] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="APISETSCHEMA.DLL", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0027.180] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="APISETSCHEMA.DLL", cchWideChar=16, lpMultiByteStr=0xb7c8e8, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="APISETSCHEMA.DLL", lpUsedDefaultChar=0x0) returned 16 [0027.180] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.180] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="APPHELP.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.180] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="APPHELP.DLL", cchWideChar=11, lpMultiByteStr=0xb7c8a0, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="APPHELP.DLL", lpUsedDefaultChar=0x0) returned 11 [0027.181] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.181] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="APPHLPDM.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0027.181] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="APPHLPDM.DLL", cchWideChar=12, lpMultiByteStr=0xb7c8e8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="APPHLPDM.DLL", lpUsedDefaultChar=0x0) returned 12 [0027.181] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.181] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="APPIDAPI.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0027.181] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="APPIDAPI.DLL", cchWideChar=12, lpMultiByteStr=0xb7c8a0, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="APPIDAPI.DLL", lpUsedDefaultChar=0x0) returned 12 [0027.181] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.181] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="APPIDPOLICYENGINEAPI.DLL", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0027.181] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="APPIDPOLICYENGINEAPI.DLL", cchWideChar=24, lpMultiByteStr=0xb7c8e8, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="APPIDPOLICYENGINEAPI.DLL", lpUsedDefaultChar=0x0) returned 24 [0027.181] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.181] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="APPMGMTS.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0027.181] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="APPMGMTS.DLL", cchWideChar=12, lpMultiByteStr=0xb7c8a0, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="APPMGMTS.DLL", lpUsedDefaultChar=0x0) returned 12 [0027.181] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.181] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="APPMGR.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0027.181] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="APPMGR.DLL", cchWideChar=10, lpMultiByteStr=0xb7c8e8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="APPMGR.DLL", lpUsedDefaultChar=0x0) returned 10 [0027.181] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.181] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="APSS.DLL", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0027.181] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="APSS.DLL", cchWideChar=8, lpMultiByteStr=0xb7c8a0, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="APSS.DLL", lpUsedDefaultChar=0x0) returned 8 [0027.181] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.181] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ASFERROR.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0027.181] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ASFERROR.DLL", cchWideChar=12, lpMultiByteStr=0xb7c8e8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ASFERROR.DLL", lpUsedDefaultChar=0x0) returned 12 [0027.181] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.181] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ASPNET_COUNTERS.DLL", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0027.181] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ASPNET_COUNTERS.DLL", cchWideChar=19, lpMultiByteStr=0xb7c8a0, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ASPNET_COUNTERS.DLL", lpUsedDefaultChar=0x0) returned 19 [0027.181] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.181] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ASYCFILT.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0027.181] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ASYCFILT.DLL", cchWideChar=12, lpMultiByteStr=0xb7c8e8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ASYCFILT.DLL", lpUsedDefaultChar=0x0) returned 12 [0027.181] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.181] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ATL.DLL", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0027.182] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ATL.DLL", cchWideChar=7, lpMultiByteStr=0xb7c8a0, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ATL.DLL", lpUsedDefaultChar=0x0) returned 7 [0027.182] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.182] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ATL100.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0027.182] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ATL100.DLL", cchWideChar=10, lpMultiByteStr=0xb7c8e8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ATL100.DLL", lpUsedDefaultChar=0x0) returned 10 [0027.182] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.182] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ATL110.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0027.182] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ATL110.DLL", cchWideChar=10, lpMultiByteStr=0xb7c8a0, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ATL110.DLL", lpUsedDefaultChar=0x0) returned 10 [0027.182] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.182] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ATMFD.DLL", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0027.182] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ATMFD.DLL", cchWideChar=9, lpMultiByteStr=0xb7c8e8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ATMFD.DLL", lpUsedDefaultChar=0x0) returned 9 [0027.182] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.182] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ATMLIB.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0027.182] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ATMLIB.DLL", cchWideChar=10, lpMultiByteStr=0xb7c8a0, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ATMLIB.DLL", lpUsedDefaultChar=0x0) returned 10 [0027.182] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.182] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUDIODEV.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0027.182] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUDIODEV.DLL", cchWideChar=12, lpMultiByteStr=0xb7c8e8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AUDIODEV.DLL", lpUsedDefaultChar=0x0) returned 12 [0027.182] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.182] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUDIOENG.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0027.182] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUDIOENG.DLL", cchWideChar=12, lpMultiByteStr=0xb7c8a0, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AUDIOENG.DLL", lpUsedDefaultChar=0x0) returned 12 [0027.182] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.182] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUDIOKSE.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0027.182] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUDIOKSE.DLL", cchWideChar=12, lpMultiByteStr=0xb7c8e8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AUDIOKSE.DLL", lpUsedDefaultChar=0x0) returned 12 [0027.182] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.182] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUDIOSES.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0027.182] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUDIOSES.DLL", cchWideChar=12, lpMultiByteStr=0xb7c8a0, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AUDIOSES.DLL", lpUsedDefaultChar=0x0) returned 12 [0027.182] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.182] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUDITNATIVESNAPIN.DLL", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0027.182] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUDITNATIVESNAPIN.DLL", cchWideChar=21, lpMultiByteStr=0xb7c8e8, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AUDITNATIVESNAPIN.DLL", lpUsedDefaultChar=0x0) returned 21 [0027.182] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.182] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUDITPOLICYGPINTEROP.DLL", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0027.183] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUDITPOLICYGPINTEROP.DLL", cchWideChar=24, lpMultiByteStr=0xb7c8a0, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AUDITPOLICYGPINTEROP.DLL", lpUsedDefaultChar=0x0) returned 24 [0027.183] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.183] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUDITPOLMSG.DLL", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0027.183] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUDITPOLMSG.DLL", cchWideChar=15, lpMultiByteStr=0xb7c8e8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AUDITPOLMSG.DLL", lpUsedDefaultChar=0x0) returned 15 [0027.183] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.183] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUTHFWCFG.DLL", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0027.183] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUTHFWCFG.DLL", cchWideChar=13, lpMultiByteStr=0xb7c8a0, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AUTHFWCFG.DLL", lpUsedDefaultChar=0x0) returned 13 [0027.183] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.183] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUTHFWGP.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0027.183] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUTHFWGP.DLL", cchWideChar=12, lpMultiByteStr=0xb7c8e8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AUTHFWGP.DLL", lpUsedDefaultChar=0x0) returned 12 [0027.183] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.183] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUTHFWSNAPIN.DLL", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0027.183] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUTHFWSNAPIN.DLL", cchWideChar=16, lpMultiByteStr=0xb7c8a0, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AUTHFWSNAPIN.DLL", lpUsedDefaultChar=0x0) returned 16 [0027.183] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.183] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUTHFWWIZFWK.DLL", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0027.183] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUTHFWWIZFWK.DLL", cchWideChar=16, lpMultiByteStr=0xb7c8e8, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AUTHFWWIZFWK.DLL", lpUsedDefaultChar=0x0) returned 16 [0027.183] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.183] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUTHUI.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0027.183] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUTHUI.DLL", cchWideChar=10, lpMultiByteStr=0xb7c8a0, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AUTHUI.DLL", lpUsedDefaultChar=0x0) returned 10 [0027.183] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.183] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUTHZ.DLL", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0027.183] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUTHZ.DLL", cchWideChar=9, lpMultiByteStr=0xb7c8e8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AUTHZ.DLL", lpUsedDefaultChar=0x0) returned 9 [0027.183] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.183] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUTOPLAY.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0027.183] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUTOPLAY.DLL", cchWideChar=12, lpMultiByteStr=0xb7c8a0, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AUTOPLAY.DLL", lpUsedDefaultChar=0x0) returned 12 [0027.184] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.184] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUXILIARYDISPLAYAPI.DLL", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0027.184] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUXILIARYDISPLAYAPI.DLL", cchWideChar=23, lpMultiByteStr=0xb7c8e8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AUXILIARYDISPLAYAPI.DLL", lpUsedDefaultChar=0x0) returned 23 [0027.184] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.184] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUXILIARYDISPLAYCPL.DLL", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0027.184] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUXILIARYDISPLAYCPL.DLL", cchWideChar=23, lpMultiByteStr=0xb7c8a0, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AUXILIARYDISPLAYCPL.DLL", lpUsedDefaultChar=0x0) returned 23 [0027.184] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.184] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AVICAP32.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0027.184] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AVICAP32.DLL", cchWideChar=12, lpMultiByteStr=0xb7c8e8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AVICAP32.DLL", lpUsedDefaultChar=0x0) returned 12 [0027.184] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.184] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AVIFIL32.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0027.184] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AVIFIL32.DLL", cchWideChar=12, lpMultiByteStr=0xb7c8a0, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AVIFIL32.DLL", lpUsedDefaultChar=0x0) returned 12 [0027.184] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.184] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AVRT.DLL", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0027.184] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AVRT.DLL", cchWideChar=8, lpMultiByteStr=0xb7c8e8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AVRT.DLL", lpUsedDefaultChar=0x0) returned 8 [0027.184] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.184] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AZROLES.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.184] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AZROLES.DLL", cchWideChar=11, lpMultiByteStr=0xb7c8a0, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AZROLES.DLL", lpUsedDefaultChar=0x0) returned 11 [0027.184] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.184] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AZROLEUI.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0027.184] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AZROLEUI.DLL", cchWideChar=12, lpMultiByteStr=0xb7c8e8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AZROLEUI.DLL", lpUsedDefaultChar=0x0) returned 12 [0027.184] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.184] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AZSQLEXT.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0027.184] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AZSQLEXT.DLL", cchWideChar=12, lpMultiByteStr=0xb7c8a0, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AZSQLEXT.DLL", lpUsedDefaultChar=0x0) returned 12 [0027.184] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.184] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BASECSP.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.184] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BASECSP.DLL", cchWideChar=11, lpMultiByteStr=0xb7c8e8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BASECSP.DLL", lpUsedDefaultChar=0x0) returned 11 [0027.184] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.184] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BATMETER.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0027.184] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BATMETER.DLL", cchWideChar=12, lpMultiByteStr=0xb7c8a0, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BATMETER.DLL", lpUsedDefaultChar=0x0) returned 12 [0027.184] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.184] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BCRYPT.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0027.184] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BCRYPT.DLL", cchWideChar=10, lpMultiByteStr=0xb7c8e8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BCRYPT.DLL", lpUsedDefaultChar=0x0) returned 10 [0027.185] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.185] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BCRYPTPRIMITIVES.DLL", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0027.185] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BCRYPTPRIMITIVES.DLL", cchWideChar=20, lpMultiByteStr=0xb7c8a0, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BCRYPTPRIMITIVES.DLL", lpUsedDefaultChar=0x0) returned 20 [0027.185] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.185] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BIDISPL.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.185] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BIDISPL.DLL", cchWideChar=11, lpMultiByteStr=0xb7c8e8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BIDISPL.DLL", lpUsedDefaultChar=0x0) returned 11 [0027.185] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.185] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BIOCREDPROV.DLL", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0027.185] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BIOCREDPROV.DLL", cchWideChar=15, lpMultiByteStr=0xb7c8a0, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BIOCREDPROV.DLL", lpUsedDefaultChar=0x0) returned 15 [0027.185] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.185] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BITSPERF.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0027.185] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BITSPERF.DLL", cchWideChar=12, lpMultiByteStr=0xb7c8e8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BITSPERF.DLL", lpUsedDefaultChar=0x0) returned 12 [0027.185] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.185] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BITSPRX2.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0027.185] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BITSPRX2.DLL", cchWideChar=12, lpMultiByteStr=0xb7c8a0, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BITSPRX2.DLL", lpUsedDefaultChar=0x0) returned 12 [0027.185] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.185] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BITSPRX3.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0027.185] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BITSPRX3.DLL", cchWideChar=12, lpMultiByteStr=0xb7c8e8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BITSPRX3.DLL", lpUsedDefaultChar=0x0) returned 12 [0027.185] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.185] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BITSPRX4.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0027.185] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BITSPRX4.DLL", cchWideChar=12, lpMultiByteStr=0xb7c8a0, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BITSPRX4.DLL", lpUsedDefaultChar=0x0) returned 12 [0027.185] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.185] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BITSPRX5.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0027.185] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BITSPRX5.DLL", cchWideChar=12, lpMultiByteStr=0xb7c8e8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BITSPRX5.DLL", lpUsedDefaultChar=0x0) returned 12 [0027.185] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.185] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BITSPRX6.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0027.185] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BITSPRX6.DLL", cchWideChar=12, lpMultiByteStr=0xb7c8a0, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BITSPRX6.DLL", lpUsedDefaultChar=0x0) returned 12 [0027.185] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.185] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BLACKBOX.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0027.185] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BLACKBOX.DLL", cchWideChar=12, lpMultiByteStr=0xb7c8e8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BLACKBOX.DLL", lpUsedDefaultChar=0x0) returned 12 [0027.185] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.185] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BOOTVID.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.185] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BOOTVID.DLL", cchWideChar=11, lpMultiByteStr=0xb7c8a0, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BOOTVID.DLL", lpUsedDefaultChar=0x0) returned 11 [0027.186] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.186] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BROWCLI.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.186] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BROWCLI.DLL", cchWideChar=11, lpMultiByteStr=0xb7c8e8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BROWCLI.DLL", lpUsedDefaultChar=0x0) returned 11 [0027.186] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.186] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BROWSEUI.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0027.186] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BROWSEUI.DLL", cchWideChar=12, lpMultiByteStr=0xb7c8a0, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BROWSEUI.DLL", lpUsedDefaultChar=0x0) returned 12 [0027.186] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.186] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BTPANUI.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.186] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BTPANUI.DLL", cchWideChar=11, lpMultiByteStr=0xb7c8e8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BTPANUI.DLL", lpUsedDefaultChar=0x0) returned 11 [0027.186] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.186] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BWCONTEXTHANDLER.DLL", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0027.186] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BWCONTEXTHANDLER.DLL", cchWideChar=20, lpMultiByteStr=0xb7c8a0, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BWCONTEXTHANDLER.DLL", lpUsedDefaultChar=0x0) returned 20 [0027.186] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.186] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BWUNPAIRELEVATED.DLL", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0027.186] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BWUNPAIRELEVATED.DLL", cchWideChar=20, lpMultiByteStr=0xb7c8e8, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BWUNPAIRELEVATED.DLL", lpUsedDefaultChar=0x0) returned 20 [0027.186] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.186] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CABINET.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.186] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CABINET.DLL", cchWideChar=11, lpMultiByteStr=0xb7c8a0, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CABINET.DLL", lpUsedDefaultChar=0x0) returned 11 [0027.186] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.186] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CABVIEW.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.186] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CABVIEW.DLL", cchWideChar=11, lpMultiByteStr=0xb7c8e8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CABVIEW.DLL", lpUsedDefaultChar=0x0) returned 11 [0027.186] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.186] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CAPIPROVIDER.DLL", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0027.186] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CAPIPROVIDER.DLL", cchWideChar=16, lpMultiByteStr=0xb7c8a0, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CAPIPROVIDER.DLL", lpUsedDefaultChar=0x0) returned 16 [0027.186] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.186] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CAPISP.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0027.186] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CAPISP.DLL", cchWideChar=10, lpMultiByteStr=0xb7c8e8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CAPISP.DLL", lpUsedDefaultChar=0x0) returned 10 [0027.186] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.186] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CATSRV.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0027.186] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CATSRV.DLL", cchWideChar=10, lpMultiByteStr=0xb7c8a0, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CATSRV.DLL", lpUsedDefaultChar=0x0) returned 10 [0027.186] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.186] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CATSRVPS.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0027.186] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CATSRVPS.DLL", cchWideChar=12, lpMultiByteStr=0xb7c8e8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CATSRVPS.DLL", lpUsedDefaultChar=0x0) returned 12 [0027.186] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.187] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CATSRVUT.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0027.187] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CATSRVUT.DLL", cchWideChar=12, lpMultiByteStr=0xb7c8a0, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CATSRVUT.DLL", lpUsedDefaultChar=0x0) returned 12 [0027.187] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.187] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CCA.DLL", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0027.187] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CCA.DLL", cchWideChar=7, lpMultiByteStr=0xb7c8e8, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CCA.DLL", lpUsedDefaultChar=0x0) returned 7 [0027.187] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.187] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CDOSYS.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0027.187] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CDOSYS.DLL", cchWideChar=10, lpMultiByteStr=0xb7c8a0, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CDOSYS.DLL", lpUsedDefaultChar=0x0) returned 10 [0027.187] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.187] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CERTCLI.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.187] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CERTCLI.DLL", cchWideChar=11, lpMultiByteStr=0xb7c8e8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CERTCLI.DLL", lpUsedDefaultChar=0x0) returned 11 [0027.187] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.187] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CERTCREDPROVIDER.DLL", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0027.187] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CERTCREDPROVIDER.DLL", cchWideChar=20, lpMultiByteStr=0xb7c8a0, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CERTCREDPROVIDER.DLL", lpUsedDefaultChar=0x0) returned 20 [0027.187] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.187] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CERTENC.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.187] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CERTENC.DLL", cchWideChar=11, lpMultiByteStr=0xb7c8e8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CERTENC.DLL", lpUsedDefaultChar=0x0) returned 11 [0027.187] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.187] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CERTENROLL.DLL", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0027.187] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CERTENROLL.DLL", cchWideChar=14, lpMultiByteStr=0xb7c8a0, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CERTENROLL.DLL", lpUsedDefaultChar=0x0) returned 14 [0027.187] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.187] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CERTENROLLUI.DLL", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0027.187] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CERTENROLLUI.DLL", cchWideChar=16, lpMultiByteStr=0xb7c8e8, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CERTENROLLUI.DLL", lpUsedDefaultChar=0x0) returned 16 [0027.187] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.187] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CERTMGR.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.187] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CERTMGR.DLL", cchWideChar=11, lpMultiByteStr=0xb7c8a0, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CERTMGR.DLL", lpUsedDefaultChar=0x0) returned 11 [0027.187] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.187] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CERTPOLENG.DLL", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0027.187] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CERTPOLENG.DLL", cchWideChar=14, lpMultiByteStr=0xb7c8e8, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CERTPOLENG.DLL", lpUsedDefaultChar=0x0) returned 14 [0027.187] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.187] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CEWMDM.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0027.187] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CEWMDM.DLL", cchWideChar=10, lpMultiByteStr=0xb7c8a0, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CEWMDM.DLL", lpUsedDefaultChar=0x0) returned 10 [0027.188] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.188] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CFGBKEND.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0027.188] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CFGBKEND.DLL", cchWideChar=12, lpMultiByteStr=0xb7c8e8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CFGBKEND.DLL", lpUsedDefaultChar=0x0) returned 12 [0027.188] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.188] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CFGMGR32.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0027.188] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CFGMGR32.DLL", cchWideChar=12, lpMultiByteStr=0xb7c8a0, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CFGMGR32.DLL", lpUsedDefaultChar=0x0) returned 12 [0027.188] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.188] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CHSBRKR.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.188] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CHSBRKR.DLL", cchWideChar=11, lpMultiByteStr=0xb7c8e8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CHSBRKR.DLL", lpUsedDefaultChar=0x0) returned 11 [0027.188] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.188] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CHTBRKR.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.188] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CHTBRKR.DLL", cchWideChar=11, lpMultiByteStr=0xb7c8a0, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CHTBRKR.DLL", lpUsedDefaultChar=0x0) returned 11 [0027.188] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.188] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CHXREADINGSTRINGIME.DLL", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0027.188] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CHXREADINGSTRINGIME.DLL", cchWideChar=23, lpMultiByteStr=0xb7c8e8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CHXREADINGSTRINGIME.DLL", lpUsedDefaultChar=0x0) returned 23 [0027.188] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.188] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CIC.DLL", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0027.188] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CIC.DLL", cchWideChar=7, lpMultiByteStr=0xb7c8a0, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CIC.DLL", lpUsedDefaultChar=0x0) returned 7 [0027.188] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.188] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CLB.DLL", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0027.188] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CLB.DLL", cchWideChar=7, lpMultiByteStr=0xb7c8e8, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CLB.DLL", lpUsedDefaultChar=0x0) returned 7 [0027.188] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.188] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CLBCATQ.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.188] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CLBCATQ.DLL", cchWideChar=11, lpMultiByteStr=0xb7c8a0, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CLBCATQ.DLL", lpUsedDefaultChar=0x0) returned 11 [0027.188] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.188] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CLFSW32.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.188] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CLFSW32.DLL", cchWideChar=11, lpMultiByteStr=0xb7c8e8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CLFSW32.DLL", lpUsedDefaultChar=0x0) returned 11 [0027.188] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.188] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CLICONFG.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0027.188] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CLICONFG.DLL", cchWideChar=12, lpMultiByteStr=0xb7c8a0, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CLICONFG.DLL", lpUsedDefaultChar=0x0) returned 12 [0027.188] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.188] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CLUSAPI.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.188] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CLUSAPI.DLL", cchWideChar=11, lpMultiByteStr=0xb7c8e8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CLUSAPI.DLL", lpUsedDefaultChar=0x0) returned 11 [0027.189] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.189] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CMCFG32.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.189] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CMCFG32.DLL", cchWideChar=11, lpMultiByteStr=0xb7c8a0, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CMCFG32.DLL", lpUsedDefaultChar=0x0) returned 11 [0027.189] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.189] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CMDIAL32.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0027.189] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CMDIAL32.DLL", cchWideChar=12, lpMultiByteStr=0xb7c8e8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CMDIAL32.DLL", lpUsedDefaultChar=0x0) returned 12 [0027.189] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.189] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CMICRYPTINSTALL.DLL", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0027.189] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CMICRYPTINSTALL.DLL", cchWideChar=19, lpMultiByteStr=0xb7c8a0, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CMICRYPTINSTALL.DLL", lpUsedDefaultChar=0x0) returned 19 [0027.189] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.189] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CMIFW.DLL", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0027.189] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CMIFW.DLL", cchWideChar=9, lpMultiByteStr=0xb7c8e8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CMIFW.DLL", lpUsedDefaultChar=0x0) returned 9 [0027.189] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.189] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CMIPNPINSTALL.DLL", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0027.189] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CMIPNPINSTALL.DLL", cchWideChar=17, lpMultiByteStr=0xb7c8a0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CMIPNPINSTALL.DLL", lpUsedDefaultChar=0x0) returned 17 [0027.189] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.189] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CMLUA.DLL", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0027.189] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CMLUA.DLL", cchWideChar=9, lpMultiByteStr=0xb7c8e8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CMLUA.DLL", lpUsedDefaultChar=0x0) returned 9 [0027.189] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.189] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CMPBK32.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.189] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CMPBK32.DLL", cchWideChar=11, lpMultiByteStr=0xb7c8a0, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CMPBK32.DLL", lpUsedDefaultChar=0x0) returned 11 [0027.189] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.189] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CMSTPLUA.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0027.189] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CMSTPLUA.DLL", cchWideChar=12, lpMultiByteStr=0xb7c8e8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CMSTPLUA.DLL", lpUsedDefaultChar=0x0) returned 12 [0027.189] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.189] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CMUTIL.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0027.189] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CMUTIL.DLL", cchWideChar=10, lpMultiByteStr=0xb7c8a0, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CMUTIL.DLL", lpUsedDefaultChar=0x0) returned 10 [0027.189] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.189] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CNGAUDIT.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0027.189] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CNGAUDIT.DLL", cchWideChar=12, lpMultiByteStr=0xb7c8e8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CNGAUDIT.DLL", lpUsedDefaultChar=0x0) returned 12 [0027.189] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.189] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CNGPROVIDER.DLL", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0027.189] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CNGPROVIDER.DLL", cchWideChar=15, lpMultiByteStr=0xb7c8a0, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CNGPROVIDER.DLL", lpUsedDefaultChar=0x0) returned 15 [0027.190] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.190] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CNVFAT.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0027.190] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CNVFAT.DLL", cchWideChar=10, lpMultiByteStr=0xb7c8e8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CNVFAT.DLL", lpUsedDefaultChar=0x0) returned 10 [0027.190] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.190] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="COLBACT.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.190] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="COLBACT.DLL", cchWideChar=11, lpMultiByteStr=0xb7c8a0, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="COLBACT.DLL", lpUsedDefaultChar=0x0) returned 11 [0027.190] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.190] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="COLORCNV.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0027.190] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="COLORCNV.DLL", cchWideChar=12, lpMultiByteStr=0xb7c8e8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="COLORCNV.DLL", lpUsedDefaultChar=0x0) returned 12 [0027.190] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.190] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="COLORUI.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.190] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="COLORUI.DLL", cchWideChar=11, lpMultiByteStr=0xb7c8a0, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="COLORUI.DLL", lpUsedDefaultChar=0x0) returned 11 [0027.190] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.190] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="COMCAT.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0027.190] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="COMCAT.DLL", cchWideChar=10, lpMultiByteStr=0xb7c8e8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="COMCAT.DLL", lpUsedDefaultChar=0x0) returned 10 [0027.190] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.190] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="COMCTL32.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0027.190] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="COMCTL32.DLL", cchWideChar=12, lpMultiByteStr=0xb7c8a0, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="COMCTL32.DLL", lpUsedDefaultChar=0x0) returned 12 [0027.190] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.190] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="COMDLG32.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0027.190] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="COMDLG32.DLL", cchWideChar=12, lpMultiByteStr=0xb7c8e8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="COMDLG32.DLL", lpUsedDefaultChar=0x0) returned 12 [0027.190] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.190] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="COMPOBJ.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.190] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="COMPOBJ.DLL", cchWideChar=11, lpMultiByteStr=0xb7c8a0, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="COMPOBJ.DLL", lpUsedDefaultChar=0x0) returned 11 [0027.190] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.190] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="COMPSTUI.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0027.190] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="COMPSTUI.DLL", cchWideChar=12, lpMultiByteStr=0xb7c8e8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="COMPSTUI.DLL", lpUsedDefaultChar=0x0) returned 12 [0027.190] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.190] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="COMREPL.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.190] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="COMREPL.DLL", cchWideChar=11, lpMultiByteStr=0xb7c8a0, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="COMREPL.DLL", lpUsedDefaultChar=0x0) returned 11 [0027.190] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.190] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="COMRES.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0027.191] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="COMRES.DLL", cchWideChar=10, lpMultiByteStr=0xb7c8e8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="COMRES.DLL", lpUsedDefaultChar=0x0) returned 10 [0027.191] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.191] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="COMSNAP.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.191] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="COMSNAP.DLL", cchWideChar=11, lpMultiByteStr=0xb7c8a0, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="COMSNAP.DLL", lpUsedDefaultChar=0x0) returned 11 [0027.191] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.191] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="COMSVCS.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.191] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="COMSVCS.DLL", cchWideChar=11, lpMultiByteStr=0xb7c8e8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="COMSVCS.DLL", lpUsedDefaultChar=0x0) returned 11 [0027.191] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.191] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="COMUID.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0027.191] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="COMUID.DLL", cchWideChar=10, lpMultiByteStr=0xb7c8a0, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="COMUID.DLL", lpUsedDefaultChar=0x0) returned 10 [0027.191] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.191] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CONCRT140.DLL", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0027.191] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CONCRT140.DLL", cchWideChar=13, lpMultiByteStr=0xb7c8e8, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CONCRT140.DLL", lpUsedDefaultChar=0x0) returned 13 [0027.191] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.191] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CONNECT.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.191] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CONNECT.DLL", cchWideChar=11, lpMultiByteStr=0xb7c8a0, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CONNECT.DLL", lpUsedDefaultChar=0x0) returned 11 [0027.191] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.191] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CONSOLE.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.191] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CONSOLE.DLL", cchWideChar=11, lpMultiByteStr=0xb7c8e8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CONSOLE.DLL", lpUsedDefaultChar=0x0) returned 11 [0027.191] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.191] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CORPOL.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0027.191] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CORPOL.DLL", cchWideChar=10, lpMultiByteStr=0xb7c8a0, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CORPOL.DLL", lpUsedDefaultChar=0x0) returned 10 [0027.191] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.191] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CPFILTERS.DLL", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0027.191] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CPFILTERS.DLL", cchWideChar=13, lpMultiByteStr=0xb7c8e8, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CPFILTERS.DLL", lpUsedDefaultChar=0x0) returned 13 [0027.191] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.191] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CREDSSP.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.191] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CREDSSP.DLL", cchWideChar=11, lpMultiByteStr=0xb7c8a0, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CREDSSP.DLL", lpUsedDefaultChar=0x0) returned 11 [0027.191] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.191] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CREDUI.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0027.191] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CREDUI.DLL", cchWideChar=10, lpMultiByteStr=0xb7c8e8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CREDUI.DLL", lpUsedDefaultChar=0x0) returned 10 [0027.191] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.192] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CRTDLL.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0027.192] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CRTDLL.DLL", cchWideChar=10, lpMultiByteStr=0xb7c8a0, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CRTDLL.DLL", lpUsedDefaultChar=0x0) returned 10 [0027.192] FindNextFileW (in: hFindFile=0x409860, lpFindFileData=0x2af35c | out: lpFindFileData=0x2af35c) returned 1 [0027.192] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CRYPT32.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.192] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CRYPT32.DLL", cchWideChar=11, lpMultiByteStr=0xb7c8e8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CRYPT32.DLL", lpUsedDefaultChar=0x0) returned 11 [0027.192] LdrLoadDll (in: SearchPath=0x0, LoadFlags=0x0, Name="crypt32.dll", BaseAddress=0x2af5d0 | out: BaseAddress=0x2af5d0*=0x75720000) returned 0x0 [0027.193] FindClose (in: hFindFile=0x409860 | out: hFindFile=0x409860) returned 1 [0027.194] CryptStringToBinaryA (in: pszString="-----BEGIN PUBLIC KEY-----\r\nMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCdXOKTkkjURSPoRv6ciKwuUyK8\r\n+7EiuEHzxMGanjcW6+UbzAT1+MKH43GnfnWdTedvkgYD5Zg8lNUasTJ0FdRzHLDO\r\np5ciKIG0vITHV9kDtV/NtU2M/uKYO51wmO4fC2eLWZRS6ru7CQNJYfId0nXGFmU6\r\n3tqF+NLM1KW2f/gHnwIDAQAB\r\n-----END PUBLIC KEY-----", cchString=0x0, dwFlags=0x0, pbBinary=0x0, pcbBinary=0x2af5f8, pdwSkip=0x0, pdwFlags=0x0 | out: pbBinary=0x0, pcbBinary=0x2af5f8, pdwSkip=0x0, pdwFlags=0x0) returned 1 [0027.194] CryptStringToBinaryA (in: pszString="-----BEGIN PUBLIC KEY-----\r\nMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCdXOKTkkjURSPoRv6ciKwuUyK8\r\n+7EiuEHzxMGanjcW6+UbzAT1+MKH43GnfnWdTedvkgYD5Zg8lNUasTJ0FdRzHLDO\r\np5ciKIG0vITHV9kDtV/NtU2M/uKYO51wmO4fC2eLWZRS6ru7CQNJYfId0nXGFmU6\r\n3tqF+NLM1KW2f/gHnwIDAQAB\r\n-----END PUBLIC KEY-----", cchString=0x0, dwFlags=0x0, pbBinary=0x9b77f8, pcbBinary=0x2af5f8, pdwSkip=0x0, pdwFlags=0x0 | out: pbBinary=0x9b77f8, pcbBinary=0x2af5f8, pdwSkip=0x0, pdwFlags=0x0) returned 1 [0027.194] CryptDecodeObject (in: dwCertEncodingType=0x10001, lpszStructType=0x8, pbEncoded=0x9b77f8, cbEncoded=0xa2, dwFlags=0x0, pvStructInfo=0x0, pcbStructInfo=0x2af5f8 | out: pvStructInfo=0x0, pcbStructInfo=0x2af5f8) returned 1 [0027.195] CryptDecodeObject (in: dwCertEncodingType=0x10001, lpszStructType=0x8, pbEncoded=0x9b77f8, cbEncoded=0xa2, dwFlags=0x0, pvStructInfo=0x9b7e88, pcbStructInfo=0x2af5f8 | out: pvStructInfo=0x9b7e88, pcbStructInfo=0x2af5f8) returned 1 [0027.195] CryptImportPublicKeyInfo (in: hCryptProv=0x408388, dwCertEncodingType=0x10001, pInfo=0x9b7e88*(Algorithm.pszObjId="1.2.840.113549.1.1.1", Algorithm.Parameters.cbData=0x2, Algorithm.Parameters.pbData=0x9b7eb8*, PublicKey.cbData=0x8c, PublicKey.pbData=0x9b7ec0*, PublicKey.cUnusedBits=0x0), phKey=0x2af600 | out: phKey=0x2af600*=0x409860) returned 1 [0027.196] ReleaseMutex (hMutex=0x100) returned 1 [0027.196] StartServiceCtrlDispatcherW (lpServiceTable=0x2af670*(lpServiceName="", lpServiceProc=0xdff270)) returned 0 [0027.198] GetLastError () returned 0x427 [0027.198] GetCommandLineW () returned="C:\\Users\\5P5NRG~1\\AppData\\Roaming\\MOV7TW~1:bin C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\CUsersGrujaAppDataRoaming6Xx3WI1ICfwJbN6F1OD~1.EXE" [0027.198] CommandLineToArgvW (in: lpCmdLine="C:\\Users\\5P5NRG~1\\AppData\\Roaming\\MOV7TW~1:bin C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\CUsersGrujaAppDataRoaming6Xx3WI1ICfwJbN6F1OD~1.EXE", pNumArgs=0x2af660 | out: pNumArgs=0x2af660) returned 0x422178*="C:\\Users\\5P5NRG~1\\AppData\\Roaming\\MOV7TW~1:bin" [0027.198] Wow64DisableWow64FsRedirection (in: OldValue=0x2af640 | out: OldValue=0x2af640*=0x0) returned 1 [0027.198] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x9b7e88, nSize=0x200 | out: lpFilename="C:\\Users\\5P5NRG~1\\AppData\\Roaming\\MOV7TW~1:bin" (normalized: "c:\\users\\5p5nrg~1\\appdata\\roaming\\mov7tw~1:bin")) returned 0x2e [0027.198] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x9b8690, nSize=0x200 | out: lpFilename="C:\\Users\\5P5NRG~1\\AppData\\Roaming\\MOV7TW~1:bin" (normalized: "c:\\users\\5p5nrg~1\\appdata\\roaming\\mov7tw~1:bin")) returned 0x2e [0027.198] GetEnvironmentVariableW (in: lpName="COMPUTERNAME", lpBuffer=0x9b8e98, nSize=0x40 | out: lpBuffer="XDUWTFONO") returned 0x9 [0027.199] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="XDUWTFONO", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0027.199] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="XDUWTFONO", cchWideChar=9, lpMultiByteStr=0xb7c228, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="XDUWTFONO", lpUsedDefaultChar=0x0) returned 9 [0027.199] GetEnvironmentVariableW (in: lpName="USERNAME", lpBuffer=0x9b8e98, nSize=0x40 | out: lpBuffer="5p5NrGJn0jS HALPmcxz") returned 0x14 [0027.199] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="5p5NrGJn0jS HALPmcxz", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0027.199] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="5p5NrGJn0jS HALPmcxz", cchWideChar=20, lpMultiByteStr=0xb7c978, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="5p5NrGJn0jS HALPmcxz", lpUsedDefaultChar=0x0) returned 20 [0027.199] CryptAcquireContextW (in: phProv=0x2af49c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x2af49c*=0x422438) returned 1 [0027.199] CryptCreateHash (in: hProv=0x422438, Algid=0x8003, hKey=0x0, dwFlags=0x0, phHash=0x2af49c | out: phHash=0x2af49c) returned 1 [0027.199] CryptHashData (hHash=0x4222a0, pbData=0xb7c198, dwDataLen=0x20, dwFlags=0x0) returned 1 [0027.199] CryptGetHashParam (in: hHash=0x4222a0, dwParam=0x4, pbData=0x2af4a0, pdwDataLen=0x2af4ac, dwFlags=0x0 | out: pbData=0x2af4a0, pdwDataLen=0x2af4ac) returned 1 [0027.200] CryptGetHashParam (in: hHash=0x4222a0, dwParam=0x2, pbData=0xb7c9c0, pdwDataLen=0x2af4a0, dwFlags=0x0 | out: pbData=0xb7c9c0, pdwDataLen=0x2af4a0) returned 1 [0027.200] CryptDestroyHash (hHash=0x4222a0) returned 1 [0027.200] CryptReleaseContext (hProv=0x422438, dwFlags=0x0) returned 1 [0027.200] OpenEventA (dwDesiredAccess=0x100002, bInheritHandle=0, lpName="{DB697C21-3780-0C33-4345-2F1B4C2F2F3D}") returned 0x0 [0027.200] GetLastError () returned 0x2 [0027.200] ConvertStringSecurityDescriptorToSecurityDescriptorW () returned 0x1 [0027.201] GetSecurityDescriptorSacl (in: pSecurityDescriptor=0x4214f0, lpbSaclPresent=0x2af454, pSacl=0x2af4b8, lpbSaclDefaulted=0x2af454 | out: lpbSaclPresent=0x2af454, pSacl=0x2af4b8, lpbSaclDefaulted=0x2af454) returned 1 [0027.201] CreateEventA (lpEventAttributes=0x2af4ac, bManualReset=1, bInitialState=0, lpName="{DB697C21-3780-0C33-4345-2F1B4C2F2F3D}") returned 0x118 [0027.201] GetLastError () returned 0x0 [0027.201] SetSecurityInfo () returned 0x0 [0027.355] LocalFree (hMem=0x4214f0) returned 0x0 [0027.355] CryptAcquireContextW (in: phProv=0x2af49c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x2af49c*=0x422510) returned 1 [0027.356] CryptCreateHash (in: hProv=0x422510, Algid=0x8003, hKey=0x0, dwFlags=0x0, phHash=0x2af49c | out: phHash=0x2af49c) returned 1 [0027.356] CryptHashData (hHash=0x4222a0, pbData=0xb7c198, dwDataLen=0xb, dwFlags=0x0) returned 1 [0027.356] CryptGetHashParam (in: hHash=0x4222a0, dwParam=0x4, pbData=0x2af4a0, pdwDataLen=0x2af4ac, dwFlags=0x0 | out: pbData=0x2af4a0, pdwDataLen=0x2af4ac) returned 1 [0027.356] CryptGetHashParam (in: hHash=0x4222a0, dwParam=0x2, pbData=0x9b27f8, pdwDataLen=0x2af4a0, dwFlags=0x0 | out: pbData=0x9b27f8, pdwDataLen=0x2af4a0) returned 1 [0027.356] CryptDestroyHash (hHash=0x4222a0) returned 1 [0027.356] CryptReleaseContext (hProv=0x422510, dwFlags=0x0) returned 1 [0027.356] OpenEventA (dwDesiredAccess=0x100002, bInheritHandle=0, lpName="Global\\{92EAD6E2-16CB-825D-3763-CAC9D6ED414E}") returned 0x0 [0027.356] GetLastError () returned 0x2 [0027.356] ConvertStringSecurityDescriptorToSecurityDescriptorW () returned 0x1 [0027.356] GetSecurityDescriptorSacl (in: pSecurityDescriptor=0x4214f0, lpbSaclPresent=0x2af454, pSacl=0x2af4b8, lpbSaclDefaulted=0x2af454 | out: lpbSaclPresent=0x2af454, pSacl=0x2af4b8, lpbSaclDefaulted=0x2af454) returned 1 [0027.357] CreateEventA (lpEventAttributes=0x2af4ac, bManualReset=1, bInitialState=0, lpName="Global\\{92EAD6E2-16CB-825D-3763-CAC9D6ED414E}") returned 0x11c [0027.357] GetLastError () returned 0x0 [0027.357] SetSecurityInfo () returned 0x0 [0027.357] LocalFree (hMem=0x4214f0) returned 0x0 [0027.357] CryptAcquireContextW (in: phProv=0x2af49c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x2af49c*=0x422510) returned 1 [0027.357] CryptCreateHash (in: hProv=0x422510, Algid=0x8003, hKey=0x0, dwFlags=0x0, phHash=0x2af49c | out: phHash=0x2af49c) returned 1 [0027.357] CryptHashData (hHash=0x4222a0, pbData=0xb7c198, dwDataLen=0xb, dwFlags=0x0) returned 1 [0027.357] CryptGetHashParam (in: hHash=0x4222a0, dwParam=0x4, pbData=0x2af4a0, pdwDataLen=0x2af4ac, dwFlags=0x0 | out: pbData=0x2af4a0, pdwDataLen=0x2af4ac) returned 1 [0027.357] CryptGetHashParam (in: hHash=0x4222a0, dwParam=0x2, pbData=0x9b2888, pdwDataLen=0x2af4a0, dwFlags=0x0 | out: pbData=0x9b2888, pdwDataLen=0x2af4a0) returned 1 [0027.357] CryptDestroyHash (hHash=0x4222a0) returned 1 [0027.357] CryptReleaseContext (hProv=0x422510, dwFlags=0x0) returned 1 [0027.357] OpenMutexA (dwDesiredAccess=0x100002, bInheritHandle=0, lpName="Global\\{FD64C8AB-F74D-C8D4-F31D-96A1BB45705E}") returned 0x0 [0027.358] GetLastError () returned 0x2 [0027.358] ConvertStringSecurityDescriptorToSecurityDescriptorW () returned 0x1 [0027.358] GetSecurityDescriptorSacl (in: pSecurityDescriptor=0x4214f0, lpbSaclPresent=0x2af460, pSacl=0x2af4b8, lpbSaclDefaulted=0x2af460 | out: lpbSaclPresent=0x2af460, pSacl=0x2af4b8, lpbSaclDefaulted=0x2af460) returned 1 [0027.358] CreateMutexA (lpMutexAttributes=0x2af4ac, bInitialOwner=0, lpName="Global\\{FD64C8AB-F74D-C8D4-F31D-96A1BB45705E}") returned 0x148 [0027.358] GetLastError () returned 0x0 [0027.358] SetSecurityInfo () returned 0x0 [0027.358] LocalFree (hMem=0x4214f0) returned 0x0 [0027.358] WaitForSingleObject (hHandle=0x148, dwMilliseconds=0x64) returned 0x0 [0027.358] ReleaseMutex (hMutex=0x148) returned 1 [0027.358] SetEvent (hEvent=0x118) returned 1 [0027.358] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x14c [0027.361] Process32FirstW (in: hSnapshot=0x14c, lppe=0x2af0f8 | out: lppe=0x2af0f8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0027.361] Process32NextW (in: hSnapshot=0x14c, lppe=0x2af0f8 | out: lppe=0x2af0f8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4e, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0027.362] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="system", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0027.362] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="system", cchWideChar=6, lpMultiByteStr=0x9b28d0, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="system", lpUsedDefaultChar=0x0) returned 6 [0027.362] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="System", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0027.362] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="System", cchWideChar=6, lpMultiByteStr=0x9b28d0, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="System", lpUsedDefaultChar=0x0) returned 6 [0027.362] Process32NextW (in: hSnapshot=0x14c, lppe=0x2af0f8 | out: lppe=0x2af0f8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0027.362] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="smss.exe", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0027.362] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="smss.exe", cchWideChar=8, lpMultiByteStr=0x9b2960, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="smss.exe", lpUsedDefaultChar=0x0) returned 8 [0027.362] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="smss.exe", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0027.362] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="smss.exe", cchWideChar=8, lpMultiByteStr=0x9b2960, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="smss.exe", lpUsedDefaultChar=0x0) returned 8 [0027.362] Process32NextW (in: hSnapshot=0x14c, lppe=0x2af0f8 | out: lppe=0x2af0f8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0027.363] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="csrss.exe", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0027.363] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="csrss.exe", cchWideChar=9, lpMultiByteStr=0x9b29f0, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="csrss.exe", lpUsedDefaultChar=0x0) returned 9 [0027.363] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="csrss.exe", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0027.363] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="csrss.exe", cchWideChar=9, lpMultiByteStr=0x9b29f0, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="csrss.exe", lpUsedDefaultChar=0x0) returned 9 [0027.363] Process32NextW (in: hSnapshot=0x14c, lppe=0x2af0f8 | out: lppe=0x2af0f8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0027.363] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="wininit.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.363] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="wininit.exe", cchWideChar=11, lpMultiByteStr=0x9b2a38, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="wininit.exe", lpUsedDefaultChar=0x0) returned 11 [0027.363] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="wininit.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.364] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="wininit.exe", cchWideChar=11, lpMultiByteStr=0x9b2a38, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="wininit.exe", lpUsedDefaultChar=0x0) returned 11 [0027.364] Process32NextW (in: hSnapshot=0x14c, lppe=0x2af0f8 | out: lppe=0x2af0f8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0027.364] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="csrss.exe", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0027.364] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="csrss.exe", cchWideChar=9, lpMultiByteStr=0x9b2a80, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="csrss.exe", lpUsedDefaultChar=0x0) returned 9 [0027.364] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="csrss.exe", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0027.364] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="csrss.exe", cchWideChar=9, lpMultiByteStr=0x9b2a80, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="csrss.exe", lpUsedDefaultChar=0x0) returned 9 [0027.364] Process32NextW (in: hSnapshot=0x14c, lppe=0x2af0f8 | out: lppe=0x2af0f8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0027.365] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="winlogon.exe", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0027.365] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="winlogon.exe", cchWideChar=12, lpMultiByteStr=0x9b2ac8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="winlogon.exe", lpUsedDefaultChar=0x0) returned 12 [0027.365] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="winlogon.exe", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0027.365] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="winlogon.exe", cchWideChar=12, lpMultiByteStr=0x9b2ac8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="winlogon.exe", lpUsedDefaultChar=0x0) returned 12 [0027.365] Process32NextW (in: hSnapshot=0x14c, lppe=0x2af0f8 | out: lppe=0x2af0f8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0027.365] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="services.exe", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0027.365] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="services.exe", cchWideChar=12, lpMultiByteStr=0x9b2b10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="services.exe", lpUsedDefaultChar=0x0) returned 12 [0027.365] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="services.exe", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0027.365] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="services.exe", cchWideChar=12, lpMultiByteStr=0x9b2b10, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="services.exe", lpUsedDefaultChar=0x0) returned 12 [0027.365] Process32NextW (in: hSnapshot=0x14c, lppe=0x2af0f8 | out: lppe=0x2af0f8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0027.366] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="lsass.exe", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0027.366] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="lsass.exe", cchWideChar=9, lpMultiByteStr=0x9b2b58, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="lsass.exe", lpUsedDefaultChar=0x0) returned 9 [0027.366] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="lsass.exe", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0027.366] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="lsass.exe", cchWideChar=9, lpMultiByteStr=0x9b2b58, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="lsass.exe", lpUsedDefaultChar=0x0) returned 9 [0027.366] Process32NextW (in: hSnapshot=0x14c, lppe=0x2af0f8 | out: lppe=0x2af0f8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0027.367] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="lsm.exe", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0027.367] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="lsm.exe", cchWideChar=7, lpMultiByteStr=0x9b2ba0, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="lsm.exe", lpUsedDefaultChar=0x0) returned 7 [0027.367] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="lsm.exe", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0027.367] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="lsm.exe", cchWideChar=7, lpMultiByteStr=0x9b2ba0, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="lsm.exe", lpUsedDefaultChar=0x0) returned 7 [0027.367] Process32NextW (in: hSnapshot=0x14c, lppe=0x2af0f8 | out: lppe=0x2af0f8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0027.367] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.367] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x9b2be8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0027.367] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.367] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x9b2be8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0027.367] Process32NextW (in: hSnapshot=0x14c, lppe=0x2af0f8 | out: lppe=0x2af0f8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1d4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0027.368] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.368] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x9b2c30, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0027.368] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.368] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x9b2c30, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0027.368] Process32NextW (in: hSnapshot=0x14c, lppe=0x2af0f8 | out: lppe=0x2af0f8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0027.369] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.369] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x9b2c78, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0027.369] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.369] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x9b2c78, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0027.369] Process32NextW (in: hSnapshot=0x14c, lppe=0x2af0f8 | out: lppe=0x2af0f8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x310, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1d4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0027.369] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.369] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x9b2cc0, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0027.369] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.369] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x9b2cc0, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0027.369] Process32NextW (in: hSnapshot=0x14c, lppe=0x2af0f8 | out: lppe=0x2af0f8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x350, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x1d4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0027.370] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.370] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x9b2d08, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0027.370] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.370] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x9b2d08, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0027.370] Process32NextW (in: hSnapshot=0x14c, lppe=0x2af0f8 | out: lppe=0x2af0f8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0027.370] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="audiodg.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.371] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="audiodg.exe", cchWideChar=11, lpMultiByteStr=0x9b2d50, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="audiodg.exe", lpUsedDefaultChar=0x0) returned 11 [0027.371] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="audiodg.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.371] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="audiodg.exe", cchWideChar=11, lpMultiByteStr=0x9b2d50, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="audiodg.exe", lpUsedDefaultChar=0x0) returned 11 [0027.371] Process32NextW (in: hSnapshot=0x14c, lppe=0x2af0f8 | out: lppe=0x2af0f8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0027.371] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.371] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x9b2d98, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0027.371] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.371] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x9b2d98, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0027.371] Process32NextW (in: hSnapshot=0x14c, lppe=0x2af0f8 | out: lppe=0x2af0f8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x268, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0027.372] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.372] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x9b2de0, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0027.372] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.372] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x9b2de0, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0027.372] Process32NextW (in: hSnapshot=0x14c, lppe=0x2af0f8 | out: lppe=0x2af0f8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x310, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0027.372] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="dwm.exe", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0027.372] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="dwm.exe", cchWideChar=7, lpMultiByteStr=0x9b28d0, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dwm.exe", lpUsedDefaultChar=0x0) returned 7 [0027.372] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="dwm.exe", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0027.372] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="dwm.exe", cchWideChar=7, lpMultiByteStr=0x9b28d0, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dwm.exe", lpUsedDefaultChar=0x0) returned 7 [0027.372] Process32NextW (in: hSnapshot=0x14c, lppe=0x2af0f8 | out: lppe=0x2af0f8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x460, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x44c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0027.373] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="explorer.exe", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0027.373] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="explorer.exe", cchWideChar=12, lpMultiByteStr=0x9b2e28, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="explorer.exe", lpUsedDefaultChar=0x0) returned 12 [0027.373] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="explorer.exe", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0027.373] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="explorer.exe", cchWideChar=12, lpMultiByteStr=0x9b2e28, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="explorer.exe", lpUsedDefaultChar=0x0) returned 12 [0027.373] Process32NextW (in: hSnapshot=0x14c, lppe=0x2af0f8 | out: lppe=0x2af0f8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d4, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0027.373] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="spoolsv.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.373] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="spoolsv.exe", cchWideChar=11, lpMultiByteStr=0x9b2de0, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="spoolsv.exe", lpUsedDefaultChar=0x0) returned 11 [0027.374] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="spoolsv.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.374] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="spoolsv.exe", cchWideChar=11, lpMultiByteStr=0x9b2de0, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="spoolsv.exe", lpUsedDefaultChar=0x0) returned 11 [0027.374] Process32NextW (in: hSnapshot=0x14c, lppe=0x2af0f8 | out: lppe=0x2af0f8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d4, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0027.374] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="taskhost.exe", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0027.374] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="taskhost.exe", cchWideChar=12, lpMultiByteStr=0x9b2e70, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="taskhost.exe", lpUsedDefaultChar=0x0) returned 12 [0027.374] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="taskhost.exe", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0027.374] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="taskhost.exe", cchWideChar=12, lpMultiByteStr=0x9b2e70, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="taskhost.exe", lpUsedDefaultChar=0x0) returned 12 [0027.374] Process32NextW (in: hSnapshot=0x14c, lppe=0x2af0f8 | out: lppe=0x2af0f8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1d4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0027.375] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.375] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x9b2eb8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0027.375] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.375] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x9b2eb8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0027.375] Process32NextW (in: hSnapshot=0x14c, lppe=0x2af0f8 | out: lppe=0x2af0f8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x610, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x350, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0027.375] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="taskeng.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.375] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="taskeng.exe", cchWideChar=11, lpMultiByteStr=0x9b2f00, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="taskeng.exe", lpUsedDefaultChar=0x0) returned 11 [0027.375] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="taskeng.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.375] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="taskeng.exe", cchWideChar=11, lpMultiByteStr=0x9b2f00, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="taskeng.exe", lpUsedDefaultChar=0x0) returned 11 [0027.375] Process32NextW (in: hSnapshot=0x14c, lppe=0x2af0f8 | out: lppe=0x2af0f8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x474, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1d4, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0027.376] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="taskhost.exe", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0027.376] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="taskhost.exe", cchWideChar=12, lpMultiByteStr=0x9b2f48, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="taskhost.exe", lpUsedDefaultChar=0x0) returned 12 [0027.376] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="taskhost.exe", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0027.376] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="taskhost.exe", cchWideChar=12, lpMultiByteStr=0x9b2f48, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="taskhost.exe", lpUsedDefaultChar=0x0) returned 12 [0027.376] Process32NextW (in: hSnapshot=0x14c, lppe=0x2af0f8 | out: lppe=0x2af0f8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x738, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="connectionsdecade.exe")) returned 1 [0027.376] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="connectionsdecade.exe", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0027.376] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="connectionsdecade.exe", cchWideChar=21, lpMultiByteStr=0x9b2f90, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="connectionsdecade.exe", lpUsedDefaultChar=0x0) returned 21 [0027.376] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="connectionsdecade.exe", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0027.376] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="connectionsdecade.exe", cchWideChar=21, lpMultiByteStr=0x9b2f90, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="connectionsdecade.exe", lpUsedDefaultChar=0x0) returned 21 [0027.377] Process32NextW (in: hSnapshot=0x14c, lppe=0x2af0f8 | out: lppe=0x2af0f8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x320, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="spectrum fs.exe")) returned 1 [0027.377] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="spectrum fs.exe", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0027.377] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="spectrum fs.exe", cchWideChar=15, lpMultiByteStr=0x9b2fd8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="spectrum fs.exe", lpUsedDefaultChar=0x0) returned 15 [0027.377] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="spectrum fs.exe", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0027.377] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="spectrum fs.exe", cchWideChar=15, lpMultiByteStr=0x9b2fd8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="spectrum fs.exe", lpUsedDefaultChar=0x0) returned 15 [0027.377] Process32NextW (in: hSnapshot=0x14c, lppe=0x2af0f8 | out: lppe=0x2af0f8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="amounts_under.exe")) returned 1 [0027.378] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="amounts_under.exe", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0027.378] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="amounts_under.exe", cchWideChar=17, lpMultiByteStr=0x9b3020, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="amounts_under.exe", lpUsedDefaultChar=0x0) returned 17 [0027.378] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="amounts_under.exe", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0027.378] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="amounts_under.exe", cchWideChar=17, lpMultiByteStr=0x9b3020, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="amounts_under.exe", lpUsedDefaultChar=0x0) returned 17 [0027.378] Process32NextW (in: hSnapshot=0x14c, lppe=0x2af0f8 | out: lppe=0x2af0f8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x37c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="emergency_limitation.exe")) returned 1 [0027.378] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="emergency_limitation.exe", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0027.378] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="emergency_limitation.exe", cchWideChar=24, lpMultiByteStr=0x9b3068, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="emergency_limitation.exe", lpUsedDefaultChar=0x0) returned 24 [0027.378] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="emergency_limitation.exe", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0027.378] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="emergency_limitation.exe", cchWideChar=24, lpMultiByteStr=0x9b3068, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="emergency_limitation.exe", lpUsedDefaultChar=0x0) returned 24 [0027.378] Process32NextW (in: hSnapshot=0x14c, lppe=0x2af0f8 | out: lppe=0x2af0f8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x344, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="partnerships.exe")) returned 1 [0027.379] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="partnerships.exe", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0027.379] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="partnerships.exe", cchWideChar=16, lpMultiByteStr=0x9b30b0, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="partnerships.exe", lpUsedDefaultChar=0x0) returned 16 [0027.379] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="partnerships.exe", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0027.379] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="partnerships.exe", cchWideChar=16, lpMultiByteStr=0x9b30b0, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="partnerships.exe", lpUsedDefaultChar=0x0) returned 16 [0027.379] Process32NextW (in: hSnapshot=0x14c, lppe=0x2af0f8 | out: lppe=0x2af0f8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="fit.exe")) returned 1 [0027.379] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="fit.exe", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0027.379] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="fit.exe", cchWideChar=7, lpMultiByteStr=0x9b30f8, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="fit.exe", lpUsedDefaultChar=0x0) returned 7 [0027.379] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="fit.exe", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0027.379] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="fit.exe", cchWideChar=7, lpMultiByteStr=0x9b30f8, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="fit.exe", lpUsedDefaultChar=0x0) returned 7 [0027.379] Process32NextW (in: hSnapshot=0x14c, lppe=0x2af0f8 | out: lppe=0x2af0f8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x360, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="ob reid.exe")) returned 1 [0027.380] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ob reid.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.380] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ob reid.exe", cchWideChar=11, lpMultiByteStr=0x9b3140, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ob reid.exe", lpUsedDefaultChar=0x0) returned 11 [0027.380] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ob reid.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.380] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ob reid.exe", cchWideChar=11, lpMultiByteStr=0x9b3140, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ob reid.exe", lpUsedDefaultChar=0x0) returned 11 [0027.380] Process32NextW (in: hSnapshot=0x14c, lppe=0x2af0f8 | out: lppe=0x2af0f8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x340, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="antonio_done_cultures.exe")) returned 1 [0027.381] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="antonio_done_cultures.exe", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0027.381] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="antonio_done_cultures.exe", cchWideChar=25, lpMultiByteStr=0x9b3188, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="antonio_done_cultures.exe", lpUsedDefaultChar=0x0) returned 25 [0027.381] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="antonio_done_cultures.exe", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0027.381] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="antonio_done_cultures.exe", cchWideChar=25, lpMultiByteStr=0x9b3188, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="antonio_done_cultures.exe", lpUsedDefaultChar=0x0) returned 25 [0027.381] Process32NextW (in: hSnapshot=0x14c, lppe=0x2af0f8 | out: lppe=0x2af0f8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="norfolk_trance_directive.exe")) returned 1 [0027.381] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="norfolk_trance_directive.exe", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0027.381] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="norfolk_trance_directive.exe", cchWideChar=28, lpMultiByteStr=0x9b31d0, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="norfolk_trance_directive.exe", lpUsedDefaultChar=0x0) returned 28 [0027.381] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="norfolk_trance_directive.exe", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0027.381] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="norfolk_trance_directive.exe", cchWideChar=28, lpMultiByteStr=0x9b31d0, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="norfolk_trance_directive.exe", lpUsedDefaultChar=0x0) returned 28 [0027.381] Process32NextW (in: hSnapshot=0x14c, lppe=0x2af0f8 | out: lppe=0x2af0f8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="cheese-further-reads.exe")) returned 1 [0027.382] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="cheese-further-reads.exe", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0027.382] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="cheese-further-reads.exe", cchWideChar=24, lpMultiByteStr=0x9b3218, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="cheese-further-reads.exe", lpUsedDefaultChar=0x0) returned 24 [0027.382] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="cheese-further-reads.exe", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0027.382] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="cheese-further-reads.exe", cchWideChar=24, lpMultiByteStr=0x9b3218, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="cheese-further-reads.exe", lpUsedDefaultChar=0x0) returned 24 [0027.382] Process32NextW (in: hSnapshot=0x14c, lppe=0x2af0f8 | out: lppe=0x2af0f8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x708, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="walking.exe")) returned 1 [0027.382] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="walking.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.382] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="walking.exe", cchWideChar=11, lpMultiByteStr=0x9b3260, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="walking.exe", lpUsedDefaultChar=0x0) returned 11 [0027.382] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="walking.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.382] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="walking.exe", cchWideChar=11, lpMultiByteStr=0x9b3260, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="walking.exe", lpUsedDefaultChar=0x0) returned 11 [0027.382] Process32NextW (in: hSnapshot=0x14c, lppe=0x2af0f8 | out: lppe=0x2af0f8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="happiness.exe")) returned 1 [0027.383] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="happiness.exe", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0027.383] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="happiness.exe", cchWideChar=13, lpMultiByteStr=0x9b32a8, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="happiness.exe", lpUsedDefaultChar=0x0) returned 13 [0027.383] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="happiness.exe", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0027.383] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="happiness.exe", cchWideChar=13, lpMultiByteStr=0x9b32a8, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="happiness.exe", lpUsedDefaultChar=0x0) returned 13 [0027.383] Process32NextW (in: hSnapshot=0x14c, lppe=0x2af0f8 | out: lppe=0x2af0f8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="clubs_mobility_dive.exe")) returned 1 [0027.383] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="clubs_mobility_dive.exe", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0027.384] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="clubs_mobility_dive.exe", cchWideChar=23, lpMultiByteStr=0x9b32f0, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="clubs_mobility_dive.exe", lpUsedDefaultChar=0x0) returned 23 [0027.384] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="clubs_mobility_dive.exe", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0027.384] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="clubs_mobility_dive.exe", cchWideChar=23, lpMultiByteStr=0x9b32f0, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="clubs_mobility_dive.exe", lpUsedDefaultChar=0x0) returned 23 [0027.384] Process32NextW (in: hSnapshot=0x14c, lppe=0x2af0f8 | out: lppe=0x2af0f8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="completing.exe")) returned 1 [0027.384] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="completing.exe", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0027.384] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="completing.exe", cchWideChar=14, lpMultiByteStr=0x9b3338, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="completing.exe", lpUsedDefaultChar=0x0) returned 14 [0027.384] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="completing.exe", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0027.384] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="completing.exe", cchWideChar=14, lpMultiByteStr=0x9b3338, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="completing.exe", lpUsedDefaultChar=0x0) returned 14 [0027.384] Process32NextW (in: hSnapshot=0x14c, lppe=0x2af0f8 | out: lppe=0x2af0f8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x730, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="polished expressed.exe")) returned 1 [0027.385] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="polished expressed.exe", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0027.385] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="polished expressed.exe", cchWideChar=22, lpMultiByteStr=0x9b3380, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="polished expressed.exe", lpUsedDefaultChar=0x0) returned 22 [0027.385] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="polished expressed.exe", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0027.385] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="polished expressed.exe", cchWideChar=22, lpMultiByteStr=0x9b3380, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="polished expressed.exe", lpUsedDefaultChar=0x0) returned 22 [0027.385] Process32NextW (in: hSnapshot=0x14c, lppe=0x2af0f8 | out: lppe=0x2af0f8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="need result.exe")) returned 1 [0027.385] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="need result.exe", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0027.385] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="need result.exe", cchWideChar=15, lpMultiByteStr=0x9b33c8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="need result.exe", lpUsedDefaultChar=0x0) returned 15 [0027.386] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="need result.exe", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0027.386] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="need result.exe", cchWideChar=15, lpMultiByteStr=0x9b33c8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="need result.exe", lpUsedDefaultChar=0x0) returned 15 [0027.386] Process32NextW (in: hSnapshot=0x14c, lppe=0x2af0f8 | out: lppe=0x2af0f8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="spring.exe")) returned 1 [0027.386] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="spring.exe", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0027.386] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="spring.exe", cchWideChar=10, lpMultiByteStr=0x9b3410, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="spring.exe", lpUsedDefaultChar=0x0) returned 10 [0027.386] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="spring.exe", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0027.386] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="spring.exe", cchWideChar=10, lpMultiByteStr=0x9b3410, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="spring.exe", lpUsedDefaultChar=0x0) returned 10 [0027.386] Process32NextW (in: hSnapshot=0x14c, lppe=0x2af0f8 | out: lppe=0x2af0f8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x648, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="marvel.exe")) returned 1 [0027.387] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="marvel.exe", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0027.387] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="marvel.exe", cchWideChar=10, lpMultiByteStr=0x9b3458, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="marvel.exe", lpUsedDefaultChar=0x0) returned 10 [0027.387] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="marvel.exe", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0027.387] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="marvel.exe", cchWideChar=10, lpMultiByteStr=0x9b3458, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="marvel.exe", lpUsedDefaultChar=0x0) returned 10 [0027.387] Process32NextW (in: hSnapshot=0x14c, lppe=0x2af0f8 | out: lppe=0x2af0f8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x624, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="clicks plc.exe")) returned 1 [0027.387] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="clicks plc.exe", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0027.387] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="clicks plc.exe", cchWideChar=14, lpMultiByteStr=0x9b34a0, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="clicks plc.exe", lpUsedDefaultChar=0x0) returned 14 [0027.387] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="clicks plc.exe", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0027.387] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="clicks plc.exe", cchWideChar=14, lpMultiByteStr=0x9b34a0, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="clicks plc.exe", lpUsedDefaultChar=0x0) returned 14 [0027.387] Process32NextW (in: hSnapshot=0x14c, lppe=0x2af0f8 | out: lppe=0x2af0f8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="inter-angle.exe")) returned 1 [0027.388] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="inter-angle.exe", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0027.388] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="inter-angle.exe", cchWideChar=15, lpMultiByteStr=0x9b34e8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="inter-angle.exe", lpUsedDefaultChar=0x0) returned 15 [0027.388] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="inter-angle.exe", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0027.388] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="inter-angle.exe", cchWideChar=15, lpMultiByteStr=0x9b34e8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="inter-angle.exe", lpUsedDefaultChar=0x0) returned 15 [0027.388] Process32NextW (in: hSnapshot=0x14c, lppe=0x2af0f8 | out: lppe=0x2af0f8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x374, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="admit cellular.exe")) returned 1 [0027.388] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="admit cellular.exe", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0027.388] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="admit cellular.exe", cchWideChar=18, lpMultiByteStr=0xb7c9c0, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="admit cellular.exe", lpUsedDefaultChar=0x0) returned 18 [0027.389] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="admit cellular.exe", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0027.389] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="admit cellular.exe", cchWideChar=18, lpMultiByteStr=0xb7c9c0, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="admit cellular.exe", lpUsedDefaultChar=0x0) returned 18 [0027.389] Process32NextW (in: hSnapshot=0x14c, lppe=0x2af0f8 | out: lppe=0x2af0f8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="contractor.exe")) returned 1 [0027.389] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="contractor.exe", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0027.389] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="contractor.exe", cchWideChar=14, lpMultiByteStr=0xb7c9c0, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="contractor.exe", lpUsedDefaultChar=0x0) returned 14 [0027.389] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="contractor.exe", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0027.389] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="contractor.exe", cchWideChar=14, lpMultiByteStr=0x9b9040, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="contractor.exe", lpUsedDefaultChar=0x0) returned 14 [0027.389] Process32NextW (in: hSnapshot=0x14c, lppe=0x2af0f8 | out: lppe=0x2af0f8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="theta.exe")) returned 1 [0027.390] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="theta.exe", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0027.390] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="theta.exe", cchWideChar=9, lpMultiByteStr=0x9b9040, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="theta.exe", lpUsedDefaultChar=0x0) returned 9 [0027.390] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="theta.exe", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0027.390] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="theta.exe", cchWideChar=9, lpMultiByteStr=0x9b9088, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="theta.exe", lpUsedDefaultChar=0x0) returned 9 [0027.390] Process32NextW (in: hSnapshot=0x14c, lppe=0x2af0f8 | out: lppe=0x2af0f8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x954, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x93c, pcPriClassBase=8, dwFlags=0x0, szExeFile="MOV7TW~1:bin")) returned 1 [0027.390] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mov7tw~1:bin", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0027.390] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mov7tw~1:bin", cchWideChar=12, lpMultiByteStr=0x9b90d0, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mov7tw~1:bin", lpUsedDefaultChar=0x0) returned 12 [0027.390] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="MOV7TW~1:bin", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0027.390] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="MOV7TW~1:bin", cchWideChar=12, lpMultiByteStr=0x9b90d0, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MOV7TW~1:bin", lpUsedDefaultChar=0x0) returned 12 [0027.390] Process32NextW (in: hSnapshot=0x14c, lppe=0x2af0f8 | out: lppe=0x2af0f8*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x954, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x93c, pcPriClassBase=8, dwFlags=0x0, szExeFile="MOV7TW~1:bin")) returned 0 [0027.391] NtOpenProcess (in: ProcessHandle=0x2af060, DesiredAccess=0x400, ObjectAttributes=0x2af06c*(Length=0x18, RootDirectory=0x0, ObjectName=0x0, Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), ClientId=0x2af064*(UniqueProcess=0x4, UniqueThread=0x0) | out: ProcessHandle=0x2af060*=0x0) returned 0xc0000022 [0027.391] NtOpenProcess (in: ProcessHandle=0x2af060, DesiredAccess=0x1000, ObjectAttributes=0x2af06c*(Length=0x18, RootDirectory=0x0, ObjectName=0x0, Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), ClientId=0x2af064*(UniqueProcess=0x4, UniqueThread=0x0) | out: ProcessHandle=0x2af060*=0x150) returned 0x0 [0027.391] GetExitCodeProcess (in: hProcess=0x150, lpExitCode=0x2af088 | out: lpExitCode=0x2af088*=0x103) returned 1 [0027.391] FindFirstFileExW (in: lpFileName="C:\\Windows\\SysWOW64\\*.dll", fInfoLevelId=0x1, lpFindFileData=0x2aedfc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2aedfc) returned 0x4222a0 [0027.391] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AACLIENT.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0027.391] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AACLIENT.DLL", cchWideChar=12, lpMultiByteStr=0x9b9118, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AACLIENT.DLL", lpUsedDefaultChar=0x0) returned 12 [0027.391] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.392] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ACCESSIBILITYCPL.DLL", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0027.392] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ACCESSIBILITYCPL.DLL", cchWideChar=20, lpMultiByteStr=0x9b90d0, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ACCESSIBILITYCPL.DLL", lpUsedDefaultChar=0x0) returned 20 [0027.392] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.392] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ACCTRES.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.392] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ACCTRES.DLL", cchWideChar=11, lpMultiByteStr=0x9b9118, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ACCTRES.DLL", lpUsedDefaultChar=0x0) returned 11 [0027.392] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.392] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ACLEDIT.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.392] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ACLEDIT.DLL", cchWideChar=11, lpMultiByteStr=0x9b90d0, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ACLEDIT.DLL", lpUsedDefaultChar=0x0) returned 11 [0027.392] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.392] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ACLUI.DLL", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0027.392] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ACLUI.DLL", cchWideChar=9, lpMultiByteStr=0x9b9118, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ACLUI.DLL", lpUsedDefaultChar=0x0) returned 9 [0027.392] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.392] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ACPPAGE.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.392] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ACPPAGE.DLL", cchWideChar=11, lpMultiByteStr=0x9b90d0, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ACPPAGE.DLL", lpUsedDefaultChar=0x0) returned 11 [0027.392] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.392] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ACTIONCENTER.DLL", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0027.392] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ACTIONCENTER.DLL", cchWideChar=16, lpMultiByteStr=0x9b9118, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ACTIONCENTER.DLL", lpUsedDefaultChar=0x0) returned 16 [0027.392] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.392] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ACTIONCENTERCPL.DLL", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0027.392] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ACTIONCENTERCPL.DLL", cchWideChar=19, lpMultiByteStr=0x9b90d0, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ACTIONCENTERCPL.DLL", lpUsedDefaultChar=0x0) returned 19 [0027.392] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.392] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ACTIVEDS.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0027.392] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ACTIVEDS.DLL", cchWideChar=12, lpMultiByteStr=0x9b9118, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ACTIVEDS.DLL", lpUsedDefaultChar=0x0) returned 12 [0027.392] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.392] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ACTXPRXY.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0027.393] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ACTXPRXY.DLL", cchWideChar=12, lpMultiByteStr=0x9b90d0, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ACTXPRXY.DLL", lpUsedDefaultChar=0x0) returned 12 [0027.393] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.393] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ADMPARSE.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0027.393] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ADMPARSE.DLL", cchWideChar=12, lpMultiByteStr=0x9b9118, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ADMPARSE.DLL", lpUsedDefaultChar=0x0) returned 12 [0027.393] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.393] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ADMTMPL.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.393] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ADMTMPL.DLL", cchWideChar=11, lpMultiByteStr=0x9b90d0, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ADMTMPL.DLL", lpUsedDefaultChar=0x0) returned 11 [0027.393] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.393] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ADPROVIDER.DLL", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0027.393] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ADPROVIDER.DLL", cchWideChar=14, lpMultiByteStr=0x9b9118, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ADPROVIDER.DLL", lpUsedDefaultChar=0x0) returned 14 [0027.393] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.393] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ADSLDP.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0027.393] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ADSLDP.DLL", cchWideChar=10, lpMultiByteStr=0x9b90d0, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ADSLDP.DLL", lpUsedDefaultChar=0x0) returned 10 [0027.393] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.393] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ADSLDPC.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.393] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ADSLDPC.DLL", cchWideChar=11, lpMultiByteStr=0x9b9118, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ADSLDPC.DLL", lpUsedDefaultChar=0x0) returned 11 [0027.393] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.393] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ADSMSEXT.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0027.393] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ADSMSEXT.DLL", cchWideChar=12, lpMultiByteStr=0x9b90d0, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ADSMSEXT.DLL", lpUsedDefaultChar=0x0) returned 12 [0027.393] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.393] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ADSNT.DLL", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0027.393] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ADSNT.DLL", cchWideChar=9, lpMultiByteStr=0x9b9118, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ADSNT.DLL", lpUsedDefaultChar=0x0) returned 9 [0027.393] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.393] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ADTSCHEMA.DLL", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0027.393] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ADTSCHEMA.DLL", cchWideChar=13, lpMultiByteStr=0x9b90d0, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ADTSCHEMA.DLL", lpUsedDefaultChar=0x0) returned 13 [0027.393] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.394] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ADVAPI32.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0027.394] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ADVAPI32.DLL", cchWideChar=12, lpMultiByteStr=0x9b9118, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ADVAPI32.DLL", lpUsedDefaultChar=0x0) returned 12 [0027.394] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.394] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ADVPACK.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.394] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ADVPACK.DLL", cchWideChar=11, lpMultiByteStr=0x9b90d0, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ADVPACK.DLL", lpUsedDefaultChar=0x0) returned 11 [0027.394] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.394] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AECACHE.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.394] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AECACHE.DLL", cchWideChar=11, lpMultiByteStr=0x9b9118, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AECACHE.DLL", lpUsedDefaultChar=0x0) returned 11 [0027.394] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.394] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AEEVTS.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0027.394] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AEEVTS.DLL", cchWideChar=10, lpMultiByteStr=0x9b90d0, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AEEVTS.DLL", lpUsedDefaultChar=0x0) returned 10 [0027.394] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.394] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ALTTAB.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0027.394] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ALTTAB.DLL", cchWideChar=10, lpMultiByteStr=0x9b9118, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ALTTAB.DLL", lpUsedDefaultChar=0x0) returned 10 [0027.394] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.394] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AMSTREAM.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0027.394] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AMSTREAM.DLL", cchWideChar=12, lpMultiByteStr=0x9b90d0, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AMSTREAM.DLL", lpUsedDefaultChar=0x0) returned 12 [0027.394] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.394] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AMXREAD.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.394] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AMXREAD.DLL", cchWideChar=11, lpMultiByteStr=0x9b9118, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AMXREAD.DLL", lpUsedDefaultChar=0x0) returned 11 [0027.394] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.394] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="APDS.DLL", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0027.394] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="APDS.DLL", cchWideChar=8, lpMultiByteStr=0x9b90d0, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="APDS.DLL", lpUsedDefaultChar=0x0) returned 8 [0027.394] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.394] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-CONSOLE-L1-1-0.DLL", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0027.394] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-CONSOLE-L1-1-0.DLL", cchWideChar=34, lpMultiByteStr=0x9b9118, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-CONSOLE-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 34 [0027.394] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.394] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-DATETIME-L1-1-0.DLL", cchWideChar=35, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 35 [0027.394] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-DATETIME-L1-1-0.DLL", cchWideChar=35, lpMultiByteStr=0x9b90d0, cbMultiByte=35, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-DATETIME-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 35 [0027.394] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.394] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-DEBUG-L1-1-0.DLL", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0027.394] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-DEBUG-L1-1-0.DLL", cchWideChar=32, lpMultiByteStr=0x9b9118, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-DEBUG-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 32 [0027.395] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.395] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-DELAYLOAD-L1-1-0.DLL", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0027.395] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-DELAYLOAD-L1-1-0.DLL", cchWideChar=36, lpMultiByteStr=0x9b90d0, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-DELAYLOAD-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 36 [0027.395] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.395] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-ERRORHANDLING-L1-1-0.DLL", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0027.395] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-ERRORHANDLING-L1-1-0.DLL", cchWideChar=40, lpMultiByteStr=0x9b9118, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-ERRORHANDLING-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 40 [0027.395] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.395] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-FIBERS-L1-1-0.DLL", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0027.395] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-FIBERS-L1-1-0.DLL", cchWideChar=33, lpMultiByteStr=0x9b90d0, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-FIBERS-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 33 [0027.395] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.395] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-FILE-L1-1-0.DLL", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0027.395] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-FILE-L1-1-0.DLL", cchWideChar=31, lpMultiByteStr=0x9b9118, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-FILE-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 31 [0027.395] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.395] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-FILE-L1-2-0.DLL", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0027.395] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-FILE-L1-2-0.DLL", cchWideChar=31, lpMultiByteStr=0x9b90d0, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-FILE-L1-2-0.DLL", lpUsedDefaultChar=0x0) returned 31 [0027.395] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.395] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-FILE-L2-1-0.DLL", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0027.395] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-FILE-L2-1-0.DLL", cchWideChar=31, lpMultiByteStr=0x9b9118, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-FILE-L2-1-0.DLL", lpUsedDefaultChar=0x0) returned 31 [0027.395] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.395] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-HANDLE-L1-1-0.DLL", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0027.395] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-HANDLE-L1-1-0.DLL", cchWideChar=33, lpMultiByteStr=0x9b90d0, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-HANDLE-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 33 [0027.395] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.395] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-HEAP-L1-1-0.DLL", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0027.395] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-HEAP-L1-1-0.DLL", cchWideChar=31, lpMultiByteStr=0x9b9118, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-HEAP-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 31 [0027.395] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.395] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-INTERLOCKED-L1-1-0.DLL", cchWideChar=38, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 38 [0027.395] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-INTERLOCKED-L1-1-0.DLL", cchWideChar=38, lpMultiByteStr=0x9b90d0, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-INTERLOCKED-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 38 [0027.395] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.395] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-IO-L1-1-0.DLL", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0027.395] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-IO-L1-1-0.DLL", cchWideChar=29, lpMultiByteStr=0x9b9118, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-IO-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 29 [0027.395] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.395] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0.DLL", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0027.395] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0.DLL", cchWideChar=40, lpMultiByteStr=0x9b90d0, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 40 [0027.396] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.396] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-LOCALIZATION-L1-1-0.DLL", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0027.396] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-LOCALIZATION-L1-1-0.DLL", cchWideChar=39, lpMultiByteStr=0x9b9118, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-LOCALIZATION-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 39 [0027.396] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.396] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-LOCALIZATION-L1-2-0.DLL", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0027.396] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-LOCALIZATION-L1-2-0.DLL", cchWideChar=39, lpMultiByteStr=0x9b90d0, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-LOCALIZATION-L1-2-0.DLL", lpUsedDefaultChar=0x0) returned 39 [0027.396] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.396] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-LOCALREGISTRY-L1-1-0.DLL", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0027.396] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-LOCALREGISTRY-L1-1-0.DLL", cchWideChar=40, lpMultiByteStr=0x9b9118, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-LOCALREGISTRY-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 40 [0027.396] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.396] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-MEMORY-L1-1-0.DLL", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0027.396] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-MEMORY-L1-1-0.DLL", cchWideChar=33, lpMultiByteStr=0x9b90d0, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-MEMORY-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 33 [0027.396] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.396] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-MISC-L1-1-0.DLL", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0027.396] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-MISC-L1-1-0.DLL", cchWideChar=31, lpMultiByteStr=0x9b9118, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-MISC-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 31 [0027.396] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.396] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-NAMEDPIPE-L1-1-0.DLL", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0027.396] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-NAMEDPIPE-L1-1-0.DLL", cchWideChar=36, lpMultiByteStr=0x9b90d0, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-NAMEDPIPE-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 36 [0027.396] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.396] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0.DLL", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0027.396] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0.DLL", cchWideChar=45, lpMultiByteStr=0x9b9118, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 45 [0027.396] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.396] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0.DLL", cchWideChar=41, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 41 [0027.396] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0.DLL", cchWideChar=41, lpMultiByteStr=0x9b90d0, cbMultiByte=41, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 41 [0027.396] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.396] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-PROCESSTHREADS-L1-1-1.DLL", cchWideChar=41, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 41 [0027.396] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-PROCESSTHREADS-L1-1-1.DLL", cchWideChar=41, lpMultiByteStr=0x9b9118, cbMultiByte=41, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-PROCESSTHREADS-L1-1-1.DLL", lpUsedDefaultChar=0x0) returned 41 [0027.396] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.396] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-PROFILE-L1-1-0.DLL", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0027.396] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-PROFILE-L1-1-0.DLL", cchWideChar=34, lpMultiByteStr=0x9b90d0, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-PROFILE-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 34 [0027.396] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.396] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-RTLSUPPORT-L1-1-0.DLL", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0027.396] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-RTLSUPPORT-L1-1-0.DLL", cchWideChar=37, lpMultiByteStr=0x9b9118, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-RTLSUPPORT-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 37 [0027.397] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.397] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-STRING-L1-1-0.DLL", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0027.397] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-STRING-L1-1-0.DLL", cchWideChar=33, lpMultiByteStr=0x9b90d0, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-STRING-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 33 [0027.397] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.397] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-SYNCH-L1-1-0.DLL", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0027.397] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-SYNCH-L1-1-0.DLL", cchWideChar=32, lpMultiByteStr=0x9b9118, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-SYNCH-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 32 [0027.397] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.397] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-SYNCH-L1-2-0.DLL", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0027.397] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-SYNCH-L1-2-0.DLL", cchWideChar=32, lpMultiByteStr=0x9b90d0, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-SYNCH-L1-2-0.DLL", lpUsedDefaultChar=0x0) returned 32 [0027.397] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.397] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-SYSINFO-L1-1-0.DLL", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0027.397] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-SYSINFO-L1-1-0.DLL", cchWideChar=34, lpMultiByteStr=0x9b9118, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-SYSINFO-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 34 [0027.397] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.397] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-THREADPOOL-L1-1-0.DLL", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0027.397] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-THREADPOOL-L1-1-0.DLL", cchWideChar=37, lpMultiByteStr=0x9b90d0, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-THREADPOOL-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 37 [0027.397] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.397] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-TIMEZONE-L1-1-0.DLL", cchWideChar=35, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 35 [0027.397] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-TIMEZONE-L1-1-0.DLL", cchWideChar=35, lpMultiByteStr=0x9b9118, cbMultiByte=35, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-TIMEZONE-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 35 [0027.397] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.397] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-UTIL-L1-1-0.DLL", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0027.397] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-UTIL-L1-1-0.DLL", cchWideChar=31, lpMultiByteStr=0x9b90d0, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-UTIL-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 31 [0027.397] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.397] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-XSTATE-L1-1-0.DLL", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0027.397] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-XSTATE-L1-1-0.DLL", cchWideChar=33, lpMultiByteStr=0x9b9118, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-XSTATE-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 33 [0027.397] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.397] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-XSTATE-L2-1-0.DLL", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0027.397] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-XSTATE-L2-1-0.DLL", cchWideChar=33, lpMultiByteStr=0x9b90d0, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-XSTATE-L2-1-0.DLL", lpUsedDefaultChar=0x0) returned 33 [0027.397] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.397] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-CONIO-L1-1-0.DLL", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0027.397] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-CONIO-L1-1-0.DLL", cchWideChar=31, lpMultiByteStr=0x9b9118, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CRT-CONIO-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 31 [0027.397] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.397] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-CONVERT-L1-1-0.DLL", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0027.397] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-CONVERT-L1-1-0.DLL", cchWideChar=33, lpMultiByteStr=0x9b90d0, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CRT-CONVERT-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 33 [0027.397] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.398] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-ENVIRONMENT-L1-1-0.DLL", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0027.398] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-ENVIRONMENT-L1-1-0.DLL", cchWideChar=37, lpMultiByteStr=0x9b9118, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CRT-ENVIRONMENT-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 37 [0027.398] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.398] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-FILESYSTEM-L1-1-0.DLL", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0027.398] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-FILESYSTEM-L1-1-0.DLL", cchWideChar=36, lpMultiByteStr=0x9b90d0, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CRT-FILESYSTEM-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 36 [0027.398] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.398] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-HEAP-L1-1-0.DLL", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0027.398] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-HEAP-L1-1-0.DLL", cchWideChar=30, lpMultiByteStr=0x9b9118, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CRT-HEAP-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 30 [0027.398] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.398] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-LOCALE-L1-1-0.DLL", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0027.398] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-LOCALE-L1-1-0.DLL", cchWideChar=32, lpMultiByteStr=0x9b90d0, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CRT-LOCALE-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 32 [0027.398] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.398] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-MATH-L1-1-0.DLL", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0027.398] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-MATH-L1-1-0.DLL", cchWideChar=30, lpMultiByteStr=0x9b9118, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CRT-MATH-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 30 [0027.398] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.398] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-MULTIBYTE-L1-1-0.DLL", cchWideChar=35, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 35 [0027.398] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-MULTIBYTE-L1-1-0.DLL", cchWideChar=35, lpMultiByteStr=0x9b90d0, cbMultiByte=35, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CRT-MULTIBYTE-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 35 [0027.398] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.398] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-PRIVATE-L1-1-0.DLL", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0027.398] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-PRIVATE-L1-1-0.DLL", cchWideChar=33, lpMultiByteStr=0x9b9118, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CRT-PRIVATE-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 33 [0027.398] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.398] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-PROCESS-L1-1-0.DLL", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0027.398] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-PROCESS-L1-1-0.DLL", cchWideChar=33, lpMultiByteStr=0x9b90d0, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CRT-PROCESS-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 33 [0027.398] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.398] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-RUNTIME-L1-1-0.DLL", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0027.398] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-RUNTIME-L1-1-0.DLL", cchWideChar=33, lpMultiByteStr=0x9b9118, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CRT-RUNTIME-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 33 [0027.398] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.398] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-STDIO-L1-1-0.DLL", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0027.398] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-STDIO-L1-1-0.DLL", cchWideChar=31, lpMultiByteStr=0x9b90d0, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CRT-STDIO-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 31 [0027.398] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.398] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-STRING-L1-1-0.DLL", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0027.398] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-STRING-L1-1-0.DLL", cchWideChar=32, lpMultiByteStr=0x9b9118, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CRT-STRING-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 32 [0027.398] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.398] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-TIME-L1-1-0.DLL", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0027.399] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-TIME-L1-1-0.DLL", cchWideChar=30, lpMultiByteStr=0x9b90d0, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CRT-TIME-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 30 [0027.399] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.399] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-UTILITY-L1-1-0.DLL", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0027.399] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-UTILITY-L1-1-0.DLL", cchWideChar=33, lpMultiByteStr=0x9b9118, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CRT-UTILITY-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 33 [0027.399] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.399] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-EVENTING-PROVIDER-L1-1-0.DLL", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0027.399] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-EVENTING-PROVIDER-L1-1-0.DLL", cchWideChar=39, lpMultiByteStr=0x9b90d0, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-EVENTING-PROVIDER-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 39 [0027.399] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.399] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-SECURITY-BASE-L1-1-0.DLL", cchWideChar=35, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 35 [0027.399] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-SECURITY-BASE-L1-1-0.DLL", cchWideChar=35, lpMultiByteStr=0x9b9118, cbMultiByte=35, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-SECURITY-BASE-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 35 [0027.399] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.399] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-SECURITY-LSALOOKUP-L1-1-0.DLL", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0027.399] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-SECURITY-LSALOOKUP-L1-1-0.DLL", cchWideChar=40, lpMultiByteStr=0x9b90d0, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-SECURITY-LSALOOKUP-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 40 [0027.399] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.399] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-SECURITY-SDDL-L1-1-0.DLL", cchWideChar=35, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 35 [0027.399] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-SECURITY-SDDL-L1-1-0.DLL", cchWideChar=35, lpMultiByteStr=0x9b9118, cbMultiByte=35, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-SECURITY-SDDL-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 35 [0027.399] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.399] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-SERVICE-CORE-L1-1-0.DLL", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0027.399] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-SERVICE-CORE-L1-1-0.DLL", cchWideChar=34, lpMultiByteStr=0x9b90d0, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-SERVICE-CORE-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 34 [0027.399] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.399] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-SERVICE-MANAGEMENT-L1-1-0.DLL", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0027.399] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-SERVICE-MANAGEMENT-L1-1-0.DLL", cchWideChar=40, lpMultiByteStr=0x9b9118, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-SERVICE-MANAGEMENT-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 40 [0027.399] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.399] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-SERVICE-MANAGEMENT-L2-1-0.DLL", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0027.399] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-SERVICE-MANAGEMENT-L2-1-0.DLL", cchWideChar=40, lpMultiByteStr=0x9b90d0, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-SERVICE-MANAGEMENT-L2-1-0.DLL", lpUsedDefaultChar=0x0) returned 40 [0027.399] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.399] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-SERVICE-WINSVC-L1-1-0.DLL", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0027.399] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-SERVICE-WINSVC-L1-1-0.DLL", cchWideChar=36, lpMultiByteStr=0x9b9118, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-SERVICE-WINSVC-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 36 [0027.399] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.399] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="APILOGEN.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0027.399] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="APILOGEN.DLL", cchWideChar=12, lpMultiByteStr=0x9b90d0, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="APILOGEN.DLL", lpUsedDefaultChar=0x0) returned 12 [0027.399] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.399] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="APIRCL.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0027.400] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="APIRCL.DLL", cchWideChar=10, lpMultiByteStr=0x9b9118, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="APIRCL.DLL", lpUsedDefaultChar=0x0) returned 10 [0027.400] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.400] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="APISETSCHEMA.DLL", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0027.400] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="APISETSCHEMA.DLL", cchWideChar=16, lpMultiByteStr=0x9b90d0, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="APISETSCHEMA.DLL", lpUsedDefaultChar=0x0) returned 16 [0027.400] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.400] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="APPHELP.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.400] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="APPHELP.DLL", cchWideChar=11, lpMultiByteStr=0x9b9118, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="APPHELP.DLL", lpUsedDefaultChar=0x0) returned 11 [0027.400] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.400] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="APPHLPDM.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0027.400] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="APPHLPDM.DLL", cchWideChar=12, lpMultiByteStr=0x9b90d0, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="APPHLPDM.DLL", lpUsedDefaultChar=0x0) returned 12 [0027.400] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.400] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="APPIDAPI.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0027.400] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="APPIDAPI.DLL", cchWideChar=12, lpMultiByteStr=0x9b9118, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="APPIDAPI.DLL", lpUsedDefaultChar=0x0) returned 12 [0027.400] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.400] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="APPIDPOLICYENGINEAPI.DLL", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0027.400] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="APPIDPOLICYENGINEAPI.DLL", cchWideChar=24, lpMultiByteStr=0x9b90d0, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="APPIDPOLICYENGINEAPI.DLL", lpUsedDefaultChar=0x0) returned 24 [0027.400] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.400] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="APPMGMTS.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0027.400] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="APPMGMTS.DLL", cchWideChar=12, lpMultiByteStr=0x9b9118, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="APPMGMTS.DLL", lpUsedDefaultChar=0x0) returned 12 [0027.400] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.400] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="APPMGR.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0027.400] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="APPMGR.DLL", cchWideChar=10, lpMultiByteStr=0x9b90d0, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="APPMGR.DLL", lpUsedDefaultChar=0x0) returned 10 [0027.400] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.400] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="APSS.DLL", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0027.400] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="APSS.DLL", cchWideChar=8, lpMultiByteStr=0x9b9118, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="APSS.DLL", lpUsedDefaultChar=0x0) returned 8 [0027.400] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.400] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ASFERROR.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0027.400] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ASFERROR.DLL", cchWideChar=12, lpMultiByteStr=0x9b90d0, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ASFERROR.DLL", lpUsedDefaultChar=0x0) returned 12 [0027.400] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.400] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ASPNET_COUNTERS.DLL", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0027.400] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ASPNET_COUNTERS.DLL", cchWideChar=19, lpMultiByteStr=0x9b9118, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ASPNET_COUNTERS.DLL", lpUsedDefaultChar=0x0) returned 19 [0027.400] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.400] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ASYCFILT.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0027.400] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ASYCFILT.DLL", cchWideChar=12, lpMultiByteStr=0x9b90d0, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ASYCFILT.DLL", lpUsedDefaultChar=0x0) returned 12 [0027.401] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.401] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ATL.DLL", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0027.401] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ATL.DLL", cchWideChar=7, lpMultiByteStr=0x9b9118, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ATL.DLL", lpUsedDefaultChar=0x0) returned 7 [0027.401] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.401] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ATL100.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0027.401] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ATL100.DLL", cchWideChar=10, lpMultiByteStr=0x9b90d0, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ATL100.DLL", lpUsedDefaultChar=0x0) returned 10 [0027.401] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.401] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ATL110.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0027.401] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ATL110.DLL", cchWideChar=10, lpMultiByteStr=0x9b9118, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ATL110.DLL", lpUsedDefaultChar=0x0) returned 10 [0027.401] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.401] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ATMFD.DLL", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0027.401] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ATMFD.DLL", cchWideChar=9, lpMultiByteStr=0x9b90d0, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ATMFD.DLL", lpUsedDefaultChar=0x0) returned 9 [0027.401] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.401] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ATMLIB.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0027.401] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ATMLIB.DLL", cchWideChar=10, lpMultiByteStr=0x9b9118, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ATMLIB.DLL", lpUsedDefaultChar=0x0) returned 10 [0027.401] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.401] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUDIODEV.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0027.401] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUDIODEV.DLL", cchWideChar=12, lpMultiByteStr=0x9b90d0, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AUDIODEV.DLL", lpUsedDefaultChar=0x0) returned 12 [0027.401] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.401] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUDIOENG.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0027.401] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUDIOENG.DLL", cchWideChar=12, lpMultiByteStr=0x9b9118, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AUDIOENG.DLL", lpUsedDefaultChar=0x0) returned 12 [0027.401] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.401] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUDIOKSE.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0027.401] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUDIOKSE.DLL", cchWideChar=12, lpMultiByteStr=0x9b90d0, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AUDIOKSE.DLL", lpUsedDefaultChar=0x0) returned 12 [0027.401] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.401] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUDIOSES.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0027.401] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUDIOSES.DLL", cchWideChar=12, lpMultiByteStr=0x9b9118, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AUDIOSES.DLL", lpUsedDefaultChar=0x0) returned 12 [0027.401] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.401] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUDITNATIVESNAPIN.DLL", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0027.401] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUDITNATIVESNAPIN.DLL", cchWideChar=21, lpMultiByteStr=0x9b90d0, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AUDITNATIVESNAPIN.DLL", lpUsedDefaultChar=0x0) returned 21 [0027.401] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.401] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUDITPOLICYGPINTEROP.DLL", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0027.402] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUDITPOLICYGPINTEROP.DLL", cchWideChar=24, lpMultiByteStr=0x9b9118, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AUDITPOLICYGPINTEROP.DLL", lpUsedDefaultChar=0x0) returned 24 [0027.402] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.402] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUDITPOLMSG.DLL", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0027.402] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUDITPOLMSG.DLL", cchWideChar=15, lpMultiByteStr=0x9b90d0, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AUDITPOLMSG.DLL", lpUsedDefaultChar=0x0) returned 15 [0027.402] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.402] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUTHFWCFG.DLL", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0027.402] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUTHFWCFG.DLL", cchWideChar=13, lpMultiByteStr=0x9b9118, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AUTHFWCFG.DLL", lpUsedDefaultChar=0x0) returned 13 [0027.402] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.402] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUTHFWGP.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0027.402] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUTHFWGP.DLL", cchWideChar=12, lpMultiByteStr=0x9b90d0, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AUTHFWGP.DLL", lpUsedDefaultChar=0x0) returned 12 [0027.402] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.402] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUTHFWSNAPIN.DLL", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0027.402] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUTHFWSNAPIN.DLL", cchWideChar=16, lpMultiByteStr=0x9b9118, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AUTHFWSNAPIN.DLL", lpUsedDefaultChar=0x0) returned 16 [0027.402] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.402] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUTHFWWIZFWK.DLL", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0027.402] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUTHFWWIZFWK.DLL", cchWideChar=16, lpMultiByteStr=0x9b90d0, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AUTHFWWIZFWK.DLL", lpUsedDefaultChar=0x0) returned 16 [0027.402] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.402] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUTHUI.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0027.402] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUTHUI.DLL", cchWideChar=10, lpMultiByteStr=0x9b9118, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AUTHUI.DLL", lpUsedDefaultChar=0x0) returned 10 [0027.402] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.402] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUTHZ.DLL", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0027.402] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUTHZ.DLL", cchWideChar=9, lpMultiByteStr=0x9b90d0, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AUTHZ.DLL", lpUsedDefaultChar=0x0) returned 9 [0027.402] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.402] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUTOPLAY.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0027.402] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUTOPLAY.DLL", cchWideChar=12, lpMultiByteStr=0x9b9118, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AUTOPLAY.DLL", lpUsedDefaultChar=0x0) returned 12 [0027.402] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.402] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUXILIARYDISPLAYAPI.DLL", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0027.402] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUXILIARYDISPLAYAPI.DLL", cchWideChar=23, lpMultiByteStr=0x9b90d0, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AUXILIARYDISPLAYAPI.DLL", lpUsedDefaultChar=0x0) returned 23 [0027.402] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.402] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUXILIARYDISPLAYCPL.DLL", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0027.402] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUXILIARYDISPLAYCPL.DLL", cchWideChar=23, lpMultiByteStr=0x9b9118, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AUXILIARYDISPLAYCPL.DLL", lpUsedDefaultChar=0x0) returned 23 [0027.402] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.402] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AVICAP32.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0027.402] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AVICAP32.DLL", cchWideChar=12, lpMultiByteStr=0x9b90d0, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AVICAP32.DLL", lpUsedDefaultChar=0x0) returned 12 [0027.403] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.403] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AVIFIL32.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0027.403] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AVIFIL32.DLL", cchWideChar=12, lpMultiByteStr=0x9b9118, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AVIFIL32.DLL", lpUsedDefaultChar=0x0) returned 12 [0027.403] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.403] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AVRT.DLL", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0027.403] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AVRT.DLL", cchWideChar=8, lpMultiByteStr=0x9b90d0, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AVRT.DLL", lpUsedDefaultChar=0x0) returned 8 [0027.403] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.403] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AZROLES.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.403] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AZROLES.DLL", cchWideChar=11, lpMultiByteStr=0x9b9118, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AZROLES.DLL", lpUsedDefaultChar=0x0) returned 11 [0027.403] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.403] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AZROLEUI.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0027.403] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AZROLEUI.DLL", cchWideChar=12, lpMultiByteStr=0x9b90d0, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AZROLEUI.DLL", lpUsedDefaultChar=0x0) returned 12 [0027.403] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.403] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AZSQLEXT.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0027.403] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AZSQLEXT.DLL", cchWideChar=12, lpMultiByteStr=0x9b9118, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AZSQLEXT.DLL", lpUsedDefaultChar=0x0) returned 12 [0027.403] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.403] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BASECSP.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.403] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BASECSP.DLL", cchWideChar=11, lpMultiByteStr=0x9b90d0, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BASECSP.DLL", lpUsedDefaultChar=0x0) returned 11 [0027.403] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.403] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BATMETER.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0027.403] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BATMETER.DLL", cchWideChar=12, lpMultiByteStr=0x9b9118, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BATMETER.DLL", lpUsedDefaultChar=0x0) returned 12 [0027.403] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.403] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BCRYPT.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0027.403] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BCRYPT.DLL", cchWideChar=10, lpMultiByteStr=0x9b90d0, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BCRYPT.DLL", lpUsedDefaultChar=0x0) returned 10 [0027.403] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.403] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BCRYPTPRIMITIVES.DLL", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0027.403] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BCRYPTPRIMITIVES.DLL", cchWideChar=20, lpMultiByteStr=0x9b9118, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BCRYPTPRIMITIVES.DLL", lpUsedDefaultChar=0x0) returned 20 [0027.403] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.403] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BIDISPL.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.403] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BIDISPL.DLL", cchWideChar=11, lpMultiByteStr=0x9b90d0, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BIDISPL.DLL", lpUsedDefaultChar=0x0) returned 11 [0027.403] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.403] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BIOCREDPROV.DLL", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0027.403] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BIOCREDPROV.DLL", cchWideChar=15, lpMultiByteStr=0x9b9118, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BIOCREDPROV.DLL", lpUsedDefaultChar=0x0) returned 15 [0027.404] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.404] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BITSPERF.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0027.404] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BITSPERF.DLL", cchWideChar=12, lpMultiByteStr=0x9b90d0, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BITSPERF.DLL", lpUsedDefaultChar=0x0) returned 12 [0027.404] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.404] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BITSPRX2.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0027.404] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BITSPRX2.DLL", cchWideChar=12, lpMultiByteStr=0x9b9118, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BITSPRX2.DLL", lpUsedDefaultChar=0x0) returned 12 [0027.404] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.404] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BITSPRX3.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0027.404] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BITSPRX3.DLL", cchWideChar=12, lpMultiByteStr=0x9b90d0, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BITSPRX3.DLL", lpUsedDefaultChar=0x0) returned 12 [0027.404] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.404] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BITSPRX4.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0027.404] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BITSPRX4.DLL", cchWideChar=12, lpMultiByteStr=0x9b9118, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BITSPRX4.DLL", lpUsedDefaultChar=0x0) returned 12 [0027.404] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.404] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BITSPRX5.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0027.404] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BITSPRX5.DLL", cchWideChar=12, lpMultiByteStr=0x9b90d0, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BITSPRX5.DLL", lpUsedDefaultChar=0x0) returned 12 [0027.404] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.404] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BITSPRX6.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0027.404] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BITSPRX6.DLL", cchWideChar=12, lpMultiByteStr=0x9b9118, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BITSPRX6.DLL", lpUsedDefaultChar=0x0) returned 12 [0027.404] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.404] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BLACKBOX.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0027.404] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BLACKBOX.DLL", cchWideChar=12, lpMultiByteStr=0x9b90d0, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BLACKBOX.DLL", lpUsedDefaultChar=0x0) returned 12 [0027.404] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.404] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BOOTVID.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.404] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BOOTVID.DLL", cchWideChar=11, lpMultiByteStr=0x9b9118, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BOOTVID.DLL", lpUsedDefaultChar=0x0) returned 11 [0027.404] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.404] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BROWCLI.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.404] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BROWCLI.DLL", cchWideChar=11, lpMultiByteStr=0x9b90d0, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BROWCLI.DLL", lpUsedDefaultChar=0x0) returned 11 [0027.404] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.404] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BROWSEUI.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0027.404] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BROWSEUI.DLL", cchWideChar=12, lpMultiByteStr=0x9b9118, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BROWSEUI.DLL", lpUsedDefaultChar=0x0) returned 12 [0027.404] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.404] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BTPANUI.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.404] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BTPANUI.DLL", cchWideChar=11, lpMultiByteStr=0x9b90d0, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BTPANUI.DLL", lpUsedDefaultChar=0x0) returned 11 [0027.404] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.405] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BWCONTEXTHANDLER.DLL", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0027.405] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BWCONTEXTHANDLER.DLL", cchWideChar=20, lpMultiByteStr=0x9b9118, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BWCONTEXTHANDLER.DLL", lpUsedDefaultChar=0x0) returned 20 [0027.405] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.405] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BWUNPAIRELEVATED.DLL", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0027.405] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BWUNPAIRELEVATED.DLL", cchWideChar=20, lpMultiByteStr=0x9b90d0, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BWUNPAIRELEVATED.DLL", lpUsedDefaultChar=0x0) returned 20 [0027.405] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.405] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CABINET.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.405] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CABINET.DLL", cchWideChar=11, lpMultiByteStr=0x9b9118, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CABINET.DLL", lpUsedDefaultChar=0x0) returned 11 [0027.405] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.405] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CABVIEW.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.405] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CABVIEW.DLL", cchWideChar=11, lpMultiByteStr=0x9b90d0, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CABVIEW.DLL", lpUsedDefaultChar=0x0) returned 11 [0027.405] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.405] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CAPIPROVIDER.DLL", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0027.405] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CAPIPROVIDER.DLL", cchWideChar=16, lpMultiByteStr=0x9b9118, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CAPIPROVIDER.DLL", lpUsedDefaultChar=0x0) returned 16 [0027.405] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.405] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CAPISP.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0027.405] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CAPISP.DLL", cchWideChar=10, lpMultiByteStr=0x9b90d0, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CAPISP.DLL", lpUsedDefaultChar=0x0) returned 10 [0027.405] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.405] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CATSRV.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0027.405] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CATSRV.DLL", cchWideChar=10, lpMultiByteStr=0x9b9118, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CATSRV.DLL", lpUsedDefaultChar=0x0) returned 10 [0027.405] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.405] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CATSRVPS.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0027.405] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CATSRVPS.DLL", cchWideChar=12, lpMultiByteStr=0x9b90d0, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CATSRVPS.DLL", lpUsedDefaultChar=0x0) returned 12 [0027.405] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.405] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CATSRVUT.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0027.405] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CATSRVUT.DLL", cchWideChar=12, lpMultiByteStr=0x9b9118, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CATSRVUT.DLL", lpUsedDefaultChar=0x0) returned 12 [0027.405] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.405] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CCA.DLL", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0027.405] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CCA.DLL", cchWideChar=7, lpMultiByteStr=0x9b90d0, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CCA.DLL", lpUsedDefaultChar=0x0) returned 7 [0027.405] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.405] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CDOSYS.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0027.405] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CDOSYS.DLL", cchWideChar=10, lpMultiByteStr=0x9b9118, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CDOSYS.DLL", lpUsedDefaultChar=0x0) returned 10 [0027.405] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.405] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CERTCLI.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.405] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CERTCLI.DLL", cchWideChar=11, lpMultiByteStr=0x9b90d0, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CERTCLI.DLL", lpUsedDefaultChar=0x0) returned 11 [0027.406] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.406] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CERTCREDPROVIDER.DLL", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0027.406] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CERTCREDPROVIDER.DLL", cchWideChar=20, lpMultiByteStr=0x9b9118, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CERTCREDPROVIDER.DLL", lpUsedDefaultChar=0x0) returned 20 [0027.406] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.406] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.406] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.406] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.406] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.406] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.406] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.406] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.406] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.406] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.406] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.406] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.406] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.406] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.406] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.406] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.406] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.406] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.406] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.406] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.406] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.406] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.406] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.406] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.406] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.406] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.406] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.406] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.406] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.406] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.406] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.406] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.406] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.407] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.407] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.407] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.407] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.407] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.407] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.407] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.407] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.407] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.407] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.407] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.407] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.407] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.407] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.407] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.407] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.407] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.407] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.407] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.407] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.407] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.407] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.407] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.407] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.407] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.407] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.407] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.407] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.407] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.407] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.407] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.407] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.407] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.407] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.407] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.407] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.407] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.407] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.408] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.408] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.408] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.408] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.408] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.408] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.408] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.408] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.408] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.408] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.408] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.408] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.408] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.408] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.408] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.408] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.408] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.408] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.408] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.408] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.408] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.408] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.408] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.408] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.408] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.408] FindNextFileW (in: hFindFile=0x4222a0, lpFindFileData=0x2aedfc | out: lpFindFileData=0x2aedfc) returned 1 [0027.447] LdrLoadDll (in: SearchPath=0x0, LoadFlags=0x0, Name="psapi.dll", BaseAddress=0x2af070 | out: BaseAddress=0x2af070*=0x77a10000) returned 0x0 [0027.470] FindClose (in: hFindFile=0x4222a0 | out: hFindFile=0x4222a0) returned 1 [0027.470] GetProcessImageFileNameW (in: hProcess=0x150, lpImageFileName=0x9b6ce8, nSize=0x200 | out: lpImageFileName="") returned 0x0 [0027.471] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x2af070 | out: Wow64Process=0x2af070) returned 1 [0027.471] IsWow64Process (in: hProcess=0x150, Wow64Process=0x2af080 | out: Wow64Process=0x2af080) returned 1 [0027.471] NtQueryInformationProcess (in: ProcessHandle=0x150, ProcessInformationClass=0x18, ProcessInformation=0x2af07c, ProcessInformationLength=0x4, ReturnLength=0x2af080 | out: ProcessInformation=0x2af07c, ReturnLength=0x2af080) returned 0x0 [0027.471] GetProcessTimes (in: hProcess=0x150, lpCreationTime=0x2af0a4, lpExitTime=0x2af09c, lpKernelTime=0x2af09c, lpUserTime=0x2af09c | out: lpCreationTime=0x2af0a4, lpExitTime=0x2af09c, lpKernelTime=0x2af09c, lpUserTime=0x2af09c) returned 1 [0027.471] OpenProcessToken (in: ProcessHandle=0x150, DesiredAccess=0x8, TokenHandle=0x2af06c | out: TokenHandle=0x2af06c*=0x0) returned 0 [0027.471] NtClose (Handle=0x150) returned 0x0 [0027.471] NtOpenProcess (in: ProcessHandle=0x2af060, DesiredAccess=0x400, ObjectAttributes=0x2af06c*(Length=0x18, RootDirectory=0x0, ObjectName=0x0, Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), ClientId=0x2af064*(UniqueProcess=0x104, UniqueThread=0x0) | out: ProcessHandle=0x2af060*=0x0) returned 0xc0000022 [0027.471] NtOpenProcess (in: ProcessHandle=0x2af060, DesiredAccess=0x1000, ObjectAttributes=0x2af06c*(Length=0x18, RootDirectory=0x0, ObjectName=0x0, Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), ClientId=0x2af064*(UniqueProcess=0x104, UniqueThread=0x0) | out: ProcessHandle=0x2af060*=0x150) returned 0x0 [0027.471] GetExitCodeProcess (in: hProcess=0x150, lpExitCode=0x2af088 | out: lpExitCode=0x2af088*=0x103) returned 1 [0027.471] GetProcessImageFileNameW (in: hProcess=0x150, lpImageFileName=0x9b6ce8, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Windows\\System32\\smss.exe") returned 0x31 [0027.471] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x2af070 | out: Wow64Process=0x2af070) returned 1 [0027.471] IsWow64Process (in: hProcess=0x150, Wow64Process=0x2af080 | out: Wow64Process=0x2af080) returned 1 [0027.471] NtQueryInformationProcess (in: ProcessHandle=0x150, ProcessInformationClass=0x18, ProcessInformation=0x2af07c, ProcessInformationLength=0x4, ReturnLength=0x2af080 | out: ProcessInformation=0x2af07c, ReturnLength=0x2af080) returned 0x0 [0027.471] GetProcessTimes (in: hProcess=0x150, lpCreationTime=0x2af0a4, lpExitTime=0x2af09c, lpKernelTime=0x2af09c, lpUserTime=0x2af09c | out: lpCreationTime=0x2af0a4, lpExitTime=0x2af09c, lpKernelTime=0x2af09c, lpUserTime=0x2af09c) returned 1 [0027.471] OpenProcessToken (in: ProcessHandle=0x150, DesiredAccess=0x8, TokenHandle=0x2af06c | out: TokenHandle=0x2af06c*=0x154) returned 1 [0027.471] GetTokenInformation (in: TokenHandle=0x154, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x2af068 | out: TokenInformation=0x0, ReturnLength=0x2af068) returned 0 [0027.471] GetTokenInformation (in: TokenHandle=0x154, TokenInformationClass=0x19, TokenInformation=0x9b9118, TokenInformationLength=0x14, ReturnLength=0x2af068 | out: TokenInformation=0x9b9118, ReturnLength=0x2af068) returned 1 [0027.471] GetSidSubAuthorityCount (pSid=0x9b9120*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000)) returned 0x9b9121 [0027.471] GetSidSubAuthority (pSid=0x9b9120*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000), nSubAuthority=0x0) returned 0x9b9128 [0027.471] NtClose (Handle=0x154) returned 0x0 [0027.471] NtClose (Handle=0x150) returned 0x0 [0027.471] NtOpenProcess (in: ProcessHandle=0x2af060, DesiredAccess=0x400, ObjectAttributes=0x2af06c*(Length=0x18, RootDirectory=0x0, ObjectName=0x0, Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), ClientId=0x2af064*(UniqueProcess=0x178, UniqueThread=0x0) | out: ProcessHandle=0x2af060*=0x0) returned 0xc0000022 [0027.471] NtOpenProcess (in: ProcessHandle=0x2af060, DesiredAccess=0x1000, ObjectAttributes=0x2af06c*(Length=0x18, RootDirectory=0x0, ObjectName=0x0, Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), ClientId=0x2af064*(UniqueProcess=0x178, UniqueThread=0x0) | out: ProcessHandle=0x2af060*=0x150) returned 0x0 [0027.472] GetExitCodeProcess (in: hProcess=0x150, lpExitCode=0x2af088 | out: lpExitCode=0x2af088*=0x103) returned 1 [0027.472] GetProcessImageFileNameW (in: hProcess=0x150, lpImageFileName=0x9b6ce8, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Windows\\System32\\wininit.exe") returned 0x34 [0027.472] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x2af070 | out: Wow64Process=0x2af070) returned 1 [0027.472] IsWow64Process (in: hProcess=0x150, Wow64Process=0x2af080 | out: Wow64Process=0x2af080) returned 1 [0027.472] NtQueryInformationProcess (in: ProcessHandle=0x150, ProcessInformationClass=0x18, ProcessInformation=0x2af07c, ProcessInformationLength=0x4, ReturnLength=0x2af080 | out: ProcessInformation=0x2af07c, ReturnLength=0x2af080) returned 0x0 [0027.472] GetProcessTimes (in: hProcess=0x150, lpCreationTime=0x2af0a4, lpExitTime=0x2af09c, lpKernelTime=0x2af09c, lpUserTime=0x2af09c | out: lpCreationTime=0x2af0a4, lpExitTime=0x2af09c, lpKernelTime=0x2af09c, lpUserTime=0x2af09c) returned 1 [0027.472] OpenProcessToken (in: ProcessHandle=0x150, DesiredAccess=0x8, TokenHandle=0x2af06c | out: TokenHandle=0x2af06c*=0x154) returned 1 [0027.472] GetTokenInformation (in: TokenHandle=0x154, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x2af068 | out: TokenInformation=0x0, ReturnLength=0x2af068) returned 0 [0027.472] GetTokenInformation (in: TokenHandle=0x154, TokenInformationClass=0x19, TokenInformation=0x9b9118, TokenInformationLength=0x14, ReturnLength=0x2af068 | out: TokenInformation=0x9b9118, ReturnLength=0x2af068) returned 1 [0027.472] GetSidSubAuthorityCount (pSid=0x9b9120*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000)) returned 0x9b9121 [0027.472] GetSidSubAuthority (pSid=0x9b9120*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000), nSubAuthority=0x0) returned 0x9b9128 [0027.472] NtClose (Handle=0x154) returned 0x0 [0027.472] NtClose (Handle=0x150) returned 0x0 [0027.472] NtOpenProcess (in: ProcessHandle=0x2af060, DesiredAccess=0x400, ObjectAttributes=0x2af06c*(Length=0x18, RootDirectory=0x0, ObjectName=0x0, Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), ClientId=0x2af064*(UniqueProcess=0x1d4, UniqueThread=0x0) | out: ProcessHandle=0x2af060*=0x0) returned 0xc0000022 [0027.472] NtOpenProcess (in: ProcessHandle=0x2af060, DesiredAccess=0x1000, ObjectAttributes=0x2af06c*(Length=0x18, RootDirectory=0x0, ObjectName=0x0, Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), ClientId=0x2af064*(UniqueProcess=0x1d4, UniqueThread=0x0) | out: ProcessHandle=0x2af060*=0x150) returned 0x0 [0027.472] GetExitCodeProcess (in: hProcess=0x150, lpExitCode=0x2af088 | out: lpExitCode=0x2af088*=0x103) returned 1 [0027.472] GetProcessImageFileNameW (in: hProcess=0x150, lpImageFileName=0x9b6ce8, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Windows\\System32\\services.exe") returned 0x35 [0027.472] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x2af070 | out: Wow64Process=0x2af070) returned 1 [0027.472] IsWow64Process (in: hProcess=0x150, Wow64Process=0x2af080 | out: Wow64Process=0x2af080) returned 1 [0027.472] NtQueryInformationProcess (in: ProcessHandle=0x150, ProcessInformationClass=0x18, ProcessInformation=0x2af07c, ProcessInformationLength=0x4, ReturnLength=0x2af080 | out: ProcessInformation=0x2af07c, ReturnLength=0x2af080) returned 0x0 [0027.472] GetProcessTimes (in: hProcess=0x150, lpCreationTime=0x2af0a4, lpExitTime=0x2af09c, lpKernelTime=0x2af09c, lpUserTime=0x2af09c | out: lpCreationTime=0x2af0a4, lpExitTime=0x2af09c, lpKernelTime=0x2af09c, lpUserTime=0x2af09c) returned 1 [0027.472] OpenProcessToken (in: ProcessHandle=0x150, DesiredAccess=0x8, TokenHandle=0x2af06c | out: TokenHandle=0x2af06c*=0x154) returned 1 [0027.472] GetTokenInformation (in: TokenHandle=0x154, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x2af068 | out: TokenInformation=0x0, ReturnLength=0x2af068) returned 0 [0027.472] GetTokenInformation (in: TokenHandle=0x154, TokenInformationClass=0x19, TokenInformation=0x9b9118, TokenInformationLength=0x14, ReturnLength=0x2af068 | out: TokenInformation=0x9b9118, ReturnLength=0x2af068) returned 1 [0027.472] GetSidSubAuthorityCount (pSid=0x9b9120*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000)) returned 0x9b9121 [0027.472] GetSidSubAuthority (pSid=0x9b9120*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000), nSubAuthority=0x0) returned 0x9b9128 [0027.473] NtClose (Handle=0x154) returned 0x0 [0027.473] NtClose (Handle=0x150) returned 0x0 [0027.473] NtOpenProcess (in: ProcessHandle=0x2af060, DesiredAccess=0x400, ObjectAttributes=0x2af06c*(Length=0x18, RootDirectory=0x0, ObjectName=0x0, Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), ClientId=0x2af064*(UniqueProcess=0x1dc, UniqueThread=0x0) | out: ProcessHandle=0x2af060*=0x0) returned 0xc0000022 [0027.473] NtOpenProcess (in: ProcessHandle=0x2af060, DesiredAccess=0x1000, ObjectAttributes=0x2af06c*(Length=0x18, RootDirectory=0x0, ObjectName=0x0, Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), ClientId=0x2af064*(UniqueProcess=0x1dc, UniqueThread=0x0) | out: ProcessHandle=0x2af060*=0x150) returned 0x0 [0027.473] GetExitCodeProcess (in: hProcess=0x150, lpExitCode=0x2af088 | out: lpExitCode=0x2af088*=0x103) returned 1 [0027.473] GetProcessImageFileNameW (in: hProcess=0x150, lpImageFileName=0x9b6ce8, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Windows\\System32\\lsass.exe") returned 0x32 [0027.473] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x2af070 | out: Wow64Process=0x2af070) returned 1 [0027.473] IsWow64Process (in: hProcess=0x150, Wow64Process=0x2af080 | out: Wow64Process=0x2af080) returned 1 [0027.473] NtQueryInformationProcess (in: ProcessHandle=0x150, ProcessInformationClass=0x18, ProcessInformation=0x2af07c, ProcessInformationLength=0x4, ReturnLength=0x2af080 | out: ProcessInformation=0x2af07c, ReturnLength=0x2af080) returned 0x0 [0027.473] GetProcessTimes (in: hProcess=0x150, lpCreationTime=0x2af0a4, lpExitTime=0x2af09c, lpKernelTime=0x2af09c, lpUserTime=0x2af09c | out: lpCreationTime=0x2af0a4, lpExitTime=0x2af09c, lpKernelTime=0x2af09c, lpUserTime=0x2af09c) returned 1 [0027.473] OpenProcessToken (in: ProcessHandle=0x150, DesiredAccess=0x8, TokenHandle=0x2af06c | out: TokenHandle=0x2af06c*=0x154) returned 1 [0027.473] GetTokenInformation (in: TokenHandle=0x154, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x2af068 | out: TokenInformation=0x0, ReturnLength=0x2af068) returned 0 [0027.473] GetTokenInformation (in: TokenHandle=0x154, TokenInformationClass=0x19, TokenInformation=0x9b9118, TokenInformationLength=0x14, ReturnLength=0x2af068 | out: TokenInformation=0x9b9118, ReturnLength=0x2af068) returned 1 [0027.473] GetSidSubAuthorityCount (pSid=0x9b9120*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000)) returned 0x9b9121 [0027.473] GetSidSubAuthority (pSid=0x9b9120*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000), nSubAuthority=0x0) returned 0x9b9128 [0027.473] NtClose (Handle=0x154) returned 0x0 [0027.473] NtClose (Handle=0x150) returned 0x0 [0027.473] NtOpenProcess (in: ProcessHandle=0x2af060, DesiredAccess=0x400, ObjectAttributes=0x2af06c*(Length=0x18, RootDirectory=0x0, ObjectName=0x0, Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), ClientId=0x2af064*(UniqueProcess=0x1e4, UniqueThread=0x0) | out: ProcessHandle=0x2af060*=0x0) returned 0xc0000022 [0027.473] NtOpenProcess (in: ProcessHandle=0x2af060, DesiredAccess=0x1000, ObjectAttributes=0x2af06c*(Length=0x18, RootDirectory=0x0, ObjectName=0x0, Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), ClientId=0x2af064*(UniqueProcess=0x1e4, UniqueThread=0x0) | out: ProcessHandle=0x2af060*=0x150) returned 0x0 [0027.473] GetExitCodeProcess (in: hProcess=0x150, lpExitCode=0x2af088 | out: lpExitCode=0x2af088*=0x103) returned 1 [0027.473] GetProcessImageFileNameW (in: hProcess=0x150, lpImageFileName=0x9b6ce8, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Windows\\System32\\lsm.exe") returned 0x30 [0027.473] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x2af070 | out: Wow64Process=0x2af070) returned 1 [0027.473] IsWow64Process (in: hProcess=0x150, Wow64Process=0x2af080 | out: Wow64Process=0x2af080) returned 1 [0027.473] NtQueryInformationProcess (in: ProcessHandle=0x150, ProcessInformationClass=0x18, ProcessInformation=0x2af07c, ProcessInformationLength=0x4, ReturnLength=0x2af080 | out: ProcessInformation=0x2af07c, ReturnLength=0x2af080) returned 0x0 [0027.473] GetProcessTimes (in: hProcess=0x150, lpCreationTime=0x2af0a4, lpExitTime=0x2af09c, lpKernelTime=0x2af09c, lpUserTime=0x2af09c | out: lpCreationTime=0x2af0a4, lpExitTime=0x2af09c, lpKernelTime=0x2af09c, lpUserTime=0x2af09c) returned 1 [0027.473] OpenProcessToken (in: ProcessHandle=0x150, DesiredAccess=0x8, TokenHandle=0x2af06c | out: TokenHandle=0x2af06c*=0x154) returned 1 [0027.474] GetTokenInformation (in: TokenHandle=0x154, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x2af068 | out: TokenInformation=0x0, ReturnLength=0x2af068) returned 0 [0027.474] GetTokenInformation (in: TokenHandle=0x154, TokenInformationClass=0x19, TokenInformation=0x9b9118, TokenInformationLength=0x14, ReturnLength=0x2af068 | out: TokenInformation=0x9b9118, ReturnLength=0x2af068) returned 1 [0027.474] GetSidSubAuthorityCount (pSid=0x9b9120*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000)) returned 0x9b9121 [0027.474] GetSidSubAuthority (pSid=0x9b9120*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000), nSubAuthority=0x0) returned 0x9b9128 [0027.474] NtClose (Handle=0x154) returned 0x0 [0027.474] NtClose (Handle=0x150) returned 0x0 [0027.474] NtOpenProcess (in: ProcessHandle=0x2af060, DesiredAccess=0x400, ObjectAttributes=0x2af06c*(Length=0x18, RootDirectory=0x0, ObjectName=0x0, Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), ClientId=0x2af064*(UniqueProcess=0x254, UniqueThread=0x0) | out: ProcessHandle=0x2af060*=0x0) returned 0xc0000022 [0027.474] NtOpenProcess (in: ProcessHandle=0x2af060, DesiredAccess=0x1000, ObjectAttributes=0x2af06c*(Length=0x18, RootDirectory=0x0, ObjectName=0x0, Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), ClientId=0x2af064*(UniqueProcess=0x254, UniqueThread=0x0) | out: ProcessHandle=0x2af060*=0x150) returned 0x0 [0027.474] GetExitCodeProcess (in: hProcess=0x150, lpExitCode=0x2af088 | out: lpExitCode=0x2af088*=0x103) returned 1 [0027.474] GetProcessImageFileNameW (in: hProcess=0x150, lpImageFileName=0x9b6ce8, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Windows\\System32\\svchost.exe") returned 0x34 [0027.474] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x2af070 | out: Wow64Process=0x2af070) returned 1 [0027.474] IsWow64Process (in: hProcess=0x150, Wow64Process=0x2af080 | out: Wow64Process=0x2af080) returned 1 [0027.474] NtQueryInformationProcess (in: ProcessHandle=0x150, ProcessInformationClass=0x18, ProcessInformation=0x2af07c, ProcessInformationLength=0x4, ReturnLength=0x2af080 | out: ProcessInformation=0x2af07c, ReturnLength=0x2af080) returned 0x0 [0027.474] GetProcessTimes (in: hProcess=0x150, lpCreationTime=0x2af0a4, lpExitTime=0x2af09c, lpKernelTime=0x2af09c, lpUserTime=0x2af09c | out: lpCreationTime=0x2af0a4, lpExitTime=0x2af09c, lpKernelTime=0x2af09c, lpUserTime=0x2af09c) returned 1 [0027.474] OpenProcessToken (in: ProcessHandle=0x150, DesiredAccess=0x8, TokenHandle=0x2af06c | out: TokenHandle=0x2af06c*=0x154) returned 1 [0027.474] GetTokenInformation (in: TokenHandle=0x154, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x2af068 | out: TokenInformation=0x0, ReturnLength=0x2af068) returned 0 [0027.474] GetTokenInformation (in: TokenHandle=0x154, TokenInformationClass=0x19, TokenInformation=0x9b9118, TokenInformationLength=0x14, ReturnLength=0x2af068 | out: TokenInformation=0x9b9118, ReturnLength=0x2af068) returned 1 [0027.474] GetSidSubAuthorityCount (pSid=0x9b9120*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000)) returned 0x9b9121 [0027.474] GetSidSubAuthority (pSid=0x9b9120*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000), nSubAuthority=0x0) returned 0x9b9128 [0027.474] NtClose (Handle=0x154) returned 0x0 [0027.474] NtClose (Handle=0x150) returned 0x0 [0027.474] NtOpenProcess (in: ProcessHandle=0x2af060, DesiredAccess=0x400, ObjectAttributes=0x2af06c*(Length=0x18, RootDirectory=0x0, ObjectName=0x0, Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), ClientId=0x2af064*(UniqueProcess=0x294, UniqueThread=0x0) | out: ProcessHandle=0x2af060*=0x0) returned 0xc0000022 [0027.474] NtOpenProcess (in: ProcessHandle=0x2af060, DesiredAccess=0x1000, ObjectAttributes=0x2af06c*(Length=0x18, RootDirectory=0x0, ObjectName=0x0, Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), ClientId=0x2af064*(UniqueProcess=0x294, UniqueThread=0x0) | out: ProcessHandle=0x2af060*=0x150) returned 0x0 [0027.474] GetExitCodeProcess (in: hProcess=0x150, lpExitCode=0x2af088 | out: lpExitCode=0x2af088*=0x103) returned 1 [0027.474] GetProcessImageFileNameW (in: hProcess=0x150, lpImageFileName=0x9b6ce8, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Windows\\System32\\svchost.exe") returned 0x34 [0027.474] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x2af070 | out: Wow64Process=0x2af070) returned 1 [0027.474] IsWow64Process (in: hProcess=0x150, Wow64Process=0x2af080 | out: Wow64Process=0x2af080) returned 1 [0027.475] NtQueryInformationProcess (in: ProcessHandle=0x150, ProcessInformationClass=0x18, ProcessInformation=0x2af07c, ProcessInformationLength=0x4, ReturnLength=0x2af080 | out: ProcessInformation=0x2af07c, ReturnLength=0x2af080) returned 0x0 [0027.475] GetProcessTimes (in: hProcess=0x150, lpCreationTime=0x2af0a4, lpExitTime=0x2af09c, lpKernelTime=0x2af09c, lpUserTime=0x2af09c | out: lpCreationTime=0x2af0a4, lpExitTime=0x2af09c, lpKernelTime=0x2af09c, lpUserTime=0x2af09c) returned 1 [0027.475] OpenProcessToken (in: ProcessHandle=0x150, DesiredAccess=0x8, TokenHandle=0x2af06c | out: TokenHandle=0x2af06c*=0x154) returned 1 [0027.475] GetTokenInformation (in: TokenHandle=0x154, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x2af068 | out: TokenInformation=0x0, ReturnLength=0x2af068) returned 0 [0027.475] GetTokenInformation (in: TokenHandle=0x154, TokenInformationClass=0x19, TokenInformation=0x9b9118, TokenInformationLength=0x14, ReturnLength=0x2af068 | out: TokenInformation=0x9b9118, ReturnLength=0x2af068) returned 1 [0027.475] GetSidSubAuthorityCount (pSid=0x9b9120*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000)) returned 0x9b9121 [0027.475] GetSidSubAuthority (pSid=0x9b9120*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000), nSubAuthority=0x0) returned 0x9b9128 [0027.475] NtClose (Handle=0x154) returned 0x0 [0027.475] NtClose (Handle=0x150) returned 0x0 [0027.475] NtOpenProcess (in: ProcessHandle=0x2af060, DesiredAccess=0x400, ObjectAttributes=0x2af06c*(Length=0x18, RootDirectory=0x0, ObjectName=0x0, Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), ClientId=0x2af064*(UniqueProcess=0x2c8, UniqueThread=0x0) | out: ProcessHandle=0x2af060*=0x0) returned 0xc0000022 [0027.475] NtOpenProcess (in: ProcessHandle=0x2af060, DesiredAccess=0x1000, ObjectAttributes=0x2af06c*(Length=0x18, RootDirectory=0x0, ObjectName=0x0, Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), ClientId=0x2af064*(UniqueProcess=0x2c8, UniqueThread=0x0) | out: ProcessHandle=0x2af060*=0x150) returned 0x0 [0027.475] GetExitCodeProcess (in: hProcess=0x150, lpExitCode=0x2af088 | out: lpExitCode=0x2af088*=0x103) returned 1 [0027.475] GetProcessImageFileNameW (in: hProcess=0x150, lpImageFileName=0x9b6ce8, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Windows\\System32\\svchost.exe") returned 0x34 [0027.475] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x2af070 | out: Wow64Process=0x2af070) returned 1 [0027.475] IsWow64Process (in: hProcess=0x150, Wow64Process=0x2af080 | out: Wow64Process=0x2af080) returned 1 [0027.475] NtQueryInformationProcess (in: ProcessHandle=0x150, ProcessInformationClass=0x18, ProcessInformation=0x2af07c, ProcessInformationLength=0x4, ReturnLength=0x2af080 | out: ProcessInformation=0x2af07c, ReturnLength=0x2af080) returned 0x0 [0027.475] GetProcessTimes (in: hProcess=0x150, lpCreationTime=0x2af0a4, lpExitTime=0x2af09c, lpKernelTime=0x2af09c, lpUserTime=0x2af09c | out: lpCreationTime=0x2af0a4, lpExitTime=0x2af09c, lpKernelTime=0x2af09c, lpUserTime=0x2af09c) returned 1 [0027.475] OpenProcessToken (in: ProcessHandle=0x150, DesiredAccess=0x8, TokenHandle=0x2af06c | out: TokenHandle=0x2af06c*=0x154) returned 1 [0027.475] GetTokenInformation (in: TokenHandle=0x154, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x2af068 | out: TokenInformation=0x0, ReturnLength=0x2af068) returned 0 [0027.475] GetTokenInformation (in: TokenHandle=0x154, TokenInformationClass=0x19, TokenInformation=0x9b9118, TokenInformationLength=0x14, ReturnLength=0x2af068 | out: TokenInformation=0x9b9118, ReturnLength=0x2af068) returned 1 [0027.475] GetSidSubAuthorityCount (pSid=0x9b9120*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000)) returned 0x9b9121 [0027.475] GetSidSubAuthority (pSid=0x9b9120*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000), nSubAuthority=0x0) returned 0x9b9128 [0027.475] NtClose (Handle=0x154) returned 0x0 [0027.475] NtClose (Handle=0x150) returned 0x0 [0027.475] NtOpenProcess (in: ProcessHandle=0x2af060, DesiredAccess=0x400, ObjectAttributes=0x2af06c*(Length=0x18, RootDirectory=0x0, ObjectName=0x0, Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), ClientId=0x2af064*(UniqueProcess=0x310, UniqueThread=0x0) | out: ProcessHandle=0x2af060*=0x0) returned 0xc0000022 [0027.475] NtOpenProcess (in: ProcessHandle=0x2af060, DesiredAccess=0x1000, ObjectAttributes=0x2af06c*(Length=0x18, RootDirectory=0x0, ObjectName=0x0, Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), ClientId=0x2af064*(UniqueProcess=0x310, UniqueThread=0x0) | out: ProcessHandle=0x2af060*=0x150) returned 0x0 [0027.475] GetExitCodeProcess (in: hProcess=0x150, lpExitCode=0x2af088 | out: lpExitCode=0x2af088*=0x103) returned 1 [0027.476] GetProcessImageFileNameW (in: hProcess=0x150, lpImageFileName=0x9b6ce8, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Windows\\System32\\svchost.exe") returned 0x34 [0027.476] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x2af070 | out: Wow64Process=0x2af070) returned 1 [0027.476] IsWow64Process (in: hProcess=0x150, Wow64Process=0x2af080 | out: Wow64Process=0x2af080) returned 1 [0027.476] NtQueryInformationProcess (in: ProcessHandle=0x150, ProcessInformationClass=0x18, ProcessInformation=0x2af07c, ProcessInformationLength=0x4, ReturnLength=0x2af080 | out: ProcessInformation=0x2af07c, ReturnLength=0x2af080) returned 0x0 [0027.476] GetProcessTimes (in: hProcess=0x150, lpCreationTime=0x2af0a4, lpExitTime=0x2af09c, lpKernelTime=0x2af09c, lpUserTime=0x2af09c | out: lpCreationTime=0x2af0a4, lpExitTime=0x2af09c, lpKernelTime=0x2af09c, lpUserTime=0x2af09c) returned 1 [0027.476] OpenProcessToken (in: ProcessHandle=0x150, DesiredAccess=0x8, TokenHandle=0x2af06c | out: TokenHandle=0x2af06c*=0x154) returned 1 [0027.476] GetTokenInformation (in: TokenHandle=0x154, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x2af068 | out: TokenInformation=0x0, ReturnLength=0x2af068) returned 0 [0027.476] GetTokenInformation (in: TokenHandle=0x154, TokenInformationClass=0x19, TokenInformation=0x9b9118, TokenInformationLength=0x14, ReturnLength=0x2af068 | out: TokenInformation=0x9b9118, ReturnLength=0x2af068) returned 1 [0027.476] GetSidSubAuthorityCount (pSid=0x9b9120*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000)) returned 0x9b9121 [0027.476] GetSidSubAuthority (pSid=0x9b9120*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000), nSubAuthority=0x0) returned 0x9b9128 [0027.476] NtClose (Handle=0x154) returned 0x0 [0027.476] NtClose (Handle=0x150) returned 0x0 [0027.476] NtOpenProcess (in: ProcessHandle=0x2af060, DesiredAccess=0x400, ObjectAttributes=0x2af06c*(Length=0x18, RootDirectory=0x0, ObjectName=0x0, Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), ClientId=0x2af064*(UniqueProcess=0x350, UniqueThread=0x0) | out: ProcessHandle=0x2af060*=0x0) returned 0xc0000022 [0027.476] NtOpenProcess (in: ProcessHandle=0x2af060, DesiredAccess=0x1000, ObjectAttributes=0x2af06c*(Length=0x18, RootDirectory=0x0, ObjectName=0x0, Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), ClientId=0x2af064*(UniqueProcess=0x350, UniqueThread=0x0) | out: ProcessHandle=0x2af060*=0x150) returned 0x0 [0027.476] GetExitCodeProcess (in: hProcess=0x150, lpExitCode=0x2af088 | out: lpExitCode=0x2af088*=0x103) returned 1 [0027.476] GetProcessImageFileNameW (in: hProcess=0x150, lpImageFileName=0x9b6ce8, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Windows\\System32\\svchost.exe") returned 0x34 [0027.476] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x2af070 | out: Wow64Process=0x2af070) returned 1 [0027.476] IsWow64Process (in: hProcess=0x150, Wow64Process=0x2af080 | out: Wow64Process=0x2af080) returned 1 [0027.476] NtQueryInformationProcess (in: ProcessHandle=0x150, ProcessInformationClass=0x18, ProcessInformation=0x2af07c, ProcessInformationLength=0x4, ReturnLength=0x2af080 | out: ProcessInformation=0x2af07c, ReturnLength=0x2af080) returned 0x0 [0027.476] GetProcessTimes (in: hProcess=0x150, lpCreationTime=0x2af0a4, lpExitTime=0x2af09c, lpKernelTime=0x2af09c, lpUserTime=0x2af09c | out: lpCreationTime=0x2af0a4, lpExitTime=0x2af09c, lpKernelTime=0x2af09c, lpUserTime=0x2af09c) returned 1 [0027.476] OpenProcessToken (in: ProcessHandle=0x150, DesiredAccess=0x8, TokenHandle=0x2af06c | out: TokenHandle=0x2af06c*=0x154) returned 1 [0027.476] GetTokenInformation (in: TokenHandle=0x154, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x2af068 | out: TokenInformation=0x0, ReturnLength=0x2af068) returned 0 [0027.476] GetTokenInformation (in: TokenHandle=0x154, TokenInformationClass=0x19, TokenInformation=0x9b9118, TokenInformationLength=0x14, ReturnLength=0x2af068 | out: TokenInformation=0x9b9118, ReturnLength=0x2af068) returned 1 [0027.476] GetSidSubAuthorityCount (pSid=0x9b9120*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000)) returned 0x9b9121 [0027.476] GetSidSubAuthority (pSid=0x9b9120*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000), nSubAuthority=0x0) returned 0x9b9128 [0027.477] GetExitCodeProcess (in: hProcess=0x150, lpExitCode=0x2af088 | out: lpExitCode=0x2af088*=0x103) returned 1 [0027.477] GetProcessImageFileNameW (in: hProcess=0x150, lpImageFileName=0x9b6ce8, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Windows\\System32\\audiodg.exe") returned 0x34 [0027.477] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x2af070 | out: Wow64Process=0x2af070) returned 1 [0027.477] IsWow64Process (in: hProcess=0x150, Wow64Process=0x2af080 | out: Wow64Process=0x2af080) returned 1 [0027.477] NtQueryInformationProcess (in: ProcessHandle=0x150, ProcessInformationClass=0x18, ProcessInformation=0x2af07c, ProcessInformationLength=0x4, ReturnLength=0x2af080 | out: ProcessInformation=0x2af07c, ReturnLength=0x2af080) returned 0x0 [0027.477] GetProcessTimes (in: hProcess=0x150, lpCreationTime=0x2af0a4, lpExitTime=0x2af09c, lpKernelTime=0x2af09c, lpUserTime=0x2af09c | out: lpCreationTime=0x2af0a4, lpExitTime=0x2af09c, lpKernelTime=0x2af09c, lpUserTime=0x2af09c) returned 1 [0027.477] OpenProcessToken (in: ProcessHandle=0x150, DesiredAccess=0x8, TokenHandle=0x2af06c | out: TokenHandle=0x2af06c*=0x154) returned 1 [0027.477] GetTokenInformation (in: TokenHandle=0x154, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x2af068 | out: TokenInformation=0x0, ReturnLength=0x2af068) returned 0 [0027.477] GetTokenInformation (in: TokenHandle=0x154, TokenInformationClass=0x19, TokenInformation=0x9b9118, TokenInformationLength=0x14, ReturnLength=0x2af068 | out: TokenInformation=0x9b9118, ReturnLength=0x2af068) returned 1 [0027.477] GetSidSubAuthorityCount (pSid=0x9b9120*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000)) returned 0x9b9121 [0027.477] GetSidSubAuthority (pSid=0x9b9120*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000), nSubAuthority=0x0) returned 0x9b9128 [0027.477] GetExitCodeProcess (in: hProcess=0x150, lpExitCode=0x2af088 | out: lpExitCode=0x2af088*=0x103) returned 1 [0027.477] GetProcessImageFileNameW (in: hProcess=0x150, lpImageFileName=0x9b6ce8, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Windows\\System32\\svchost.exe") returned 0x34 [0027.477] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x2af070 | out: Wow64Process=0x2af070) returned 1 [0027.477] IsWow64Process (in: hProcess=0x150, Wow64Process=0x2af080 | out: Wow64Process=0x2af080) returned 1 [0027.477] NtQueryInformationProcess (in: ProcessHandle=0x150, ProcessInformationClass=0x18, ProcessInformation=0x2af07c, ProcessInformationLength=0x4, ReturnLength=0x2af080 | out: ProcessInformation=0x2af07c, ReturnLength=0x2af080) returned 0x0 [0027.477] GetProcessTimes (in: hProcess=0x150, lpCreationTime=0x2af0a4, lpExitTime=0x2af09c, lpKernelTime=0x2af09c, lpUserTime=0x2af09c | out: lpCreationTime=0x2af0a4, lpExitTime=0x2af09c, lpKernelTime=0x2af09c, lpUserTime=0x2af09c) returned 1 [0027.477] OpenProcessToken (in: ProcessHandle=0x150, DesiredAccess=0x8, TokenHandle=0x2af06c | out: TokenHandle=0x2af06c*=0x154) returned 1 [0027.477] GetTokenInformation (in: TokenHandle=0x154, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x2af068 | out: TokenInformation=0x0, ReturnLength=0x2af068) returned 0 [0027.477] GetTokenInformation (in: TokenHandle=0x154, TokenInformationClass=0x19, TokenInformation=0x9b9118, TokenInformationLength=0x14, ReturnLength=0x2af068 | out: TokenInformation=0x9b9118, ReturnLength=0x2af068) returned 1 [0027.477] GetSidSubAuthorityCount (pSid=0x9b9120*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000)) returned 0x9b9121 [0027.477] GetSidSubAuthority (pSid=0x9b9120*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000), nSubAuthority=0x0) returned 0x9b9128 [0027.477] GetExitCodeProcess (in: hProcess=0x150, lpExitCode=0x2af088 | out: lpExitCode=0x2af088*=0x103) returned 1 [0027.477] GetProcessImageFileNameW (in: hProcess=0x150, lpImageFileName=0x9b6ce8, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Windows\\System32\\svchost.exe") returned 0x34 [0027.478] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x2af070 | out: Wow64Process=0x2af070) returned 1 [0027.478] IsWow64Process (in: hProcess=0x150, Wow64Process=0x2af080 | out: Wow64Process=0x2af080) returned 1 [0027.478] NtQueryInformationProcess (in: ProcessHandle=0x150, ProcessInformationClass=0x18, ProcessInformation=0x2af07c, ProcessInformationLength=0x4, ReturnLength=0x2af080 | out: ProcessInformation=0x2af07c, ReturnLength=0x2af080) returned 0x0 [0027.478] GetProcessTimes (in: hProcess=0x150, lpCreationTime=0x2af0a4, lpExitTime=0x2af09c, lpKernelTime=0x2af09c, lpUserTime=0x2af09c | out: lpCreationTime=0x2af0a4, lpExitTime=0x2af09c, lpKernelTime=0x2af09c, lpUserTime=0x2af09c) returned 1 [0027.478] OpenProcessToken (in: ProcessHandle=0x150, DesiredAccess=0x8, TokenHandle=0x2af06c | out: TokenHandle=0x2af06c*=0x154) returned 1 [0027.478] GetTokenInformation (in: TokenHandle=0x154, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x2af068 | out: TokenInformation=0x0, ReturnLength=0x2af068) returned 0 [0027.478] GetTokenInformation (in: TokenHandle=0x154, TokenInformationClass=0x19, TokenInformation=0x9b9118, TokenInformationLength=0x14, ReturnLength=0x2af068 | out: TokenInformation=0x9b9118, ReturnLength=0x2af068) returned 1 [0027.478] GetSidSubAuthorityCount (pSid=0x9b9120*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000)) returned 0x9b9121 [0027.478] GetSidSubAuthority (pSid=0x9b9120*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000), nSubAuthority=0x0) returned 0x9b9128 [0027.478] GetExitCodeProcess (in: hProcess=0x150, lpExitCode=0x2af088 | out: lpExitCode=0x2af088*=0x103) returned 1 [0027.478] GetProcessImageFileNameW (in: hProcess=0x150, lpImageFileName=0x9b6ce8, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Windows\\System32\\dwm.exe") returned 0x30 [0027.478] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x2af070 | out: Wow64Process=0x2af070) returned 1 [0027.478] IsWow64Process (in: hProcess=0x150, Wow64Process=0x2af080 | out: Wow64Process=0x2af080) returned 1 [0027.478] NtQueryInformationProcess (in: ProcessHandle=0x150, ProcessInformationClass=0x18, ProcessInformation=0x2af07c, ProcessInformationLength=0x4, ReturnLength=0x2af080 | out: ProcessInformation=0x2af07c, ReturnLength=0x2af080) returned 0x0 [0027.478] GetProcessTimes (in: hProcess=0x150, lpCreationTime=0x2af0a4, lpExitTime=0x2af09c, lpKernelTime=0x2af09c, lpUserTime=0x2af09c | out: lpCreationTime=0x2af0a4, lpExitTime=0x2af09c, lpKernelTime=0x2af09c, lpUserTime=0x2af09c) returned 1 [0027.478] OpenProcessToken (in: ProcessHandle=0x150, DesiredAccess=0x8, TokenHandle=0x2af06c | out: TokenHandle=0x2af06c*=0x154) returned 1 [0027.478] GetTokenInformation (in: TokenHandle=0x154, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x2af068 | out: TokenInformation=0x0, ReturnLength=0x2af068) returned 0 [0027.478] GetTokenInformation (in: TokenHandle=0x154, TokenInformationClass=0x19, TokenInformation=0x9b9118, TokenInformationLength=0x14, ReturnLength=0x2af068 | out: TokenInformation=0x9b9118, ReturnLength=0x2af068) returned 1 [0027.478] GetSidSubAuthorityCount (pSid=0x9b9120*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x9b9121 [0027.478] GetSidSubAuthority (pSid=0x9b9120*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x9b9128 [0027.478] GetExitCodeProcess (in: hProcess=0x150, lpExitCode=0x2af088 | out: lpExitCode=0x2af088*=0x103) returned 1 [0027.478] GetProcessImageFileNameW (in: hProcess=0x150, lpImageFileName=0x9b6ce8, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Windows\\System32\\spoolsv.exe") returned 0x34 [0027.478] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x2af070 | out: Wow64Process=0x2af070) returned 1 [0027.478] IsWow64Process (in: hProcess=0x150, Wow64Process=0x2af080 | out: Wow64Process=0x2af080) returned 1 [0027.478] NtQueryInformationProcess (in: ProcessHandle=0x150, ProcessInformationClass=0x18, ProcessInformation=0x2af07c, ProcessInformationLength=0x4, ReturnLength=0x2af080 | out: ProcessInformation=0x2af07c, ReturnLength=0x2af080) returned 0x0 [0027.478] GetProcessTimes (in: hProcess=0x150, lpCreationTime=0x2af0a4, lpExitTime=0x2af09c, lpKernelTime=0x2af09c, lpUserTime=0x2af09c | out: lpCreationTime=0x2af0a4, lpExitTime=0x2af09c, lpKernelTime=0x2af09c, lpUserTime=0x2af09c) returned 1 [0027.478] OpenProcessToken (in: ProcessHandle=0x150, DesiredAccess=0x8, TokenHandle=0x2af06c | out: TokenHandle=0x2af06c*=0x154) returned 1 [0027.478] GetTokenInformation (in: TokenHandle=0x154, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x2af068 | out: TokenInformation=0x0, ReturnLength=0x2af068) returned 0 [0027.478] GetTokenInformation (in: TokenHandle=0x154, TokenInformationClass=0x19, TokenInformation=0x9b9118, TokenInformationLength=0x14, ReturnLength=0x2af068 | out: TokenInformation=0x9b9118, ReturnLength=0x2af068) returned 1 [0027.479] GetSidSubAuthorityCount (pSid=0x9b9120*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000)) returned 0x9b9121 [0027.479] GetSidSubAuthority (pSid=0x9b9120*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000), nSubAuthority=0x0) returned 0x9b9128 [0027.479] GetExitCodeProcess (in: hProcess=0x150, lpExitCode=0x2af088 | out: lpExitCode=0x2af088*=0x103) returned 1 [0027.479] GetProcessImageFileNameW (in: hProcess=0x150, lpImageFileName=0x9b6ce8, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Windows\\System32\\taskhost.exe") returned 0x35 [0027.479] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x2af070 | out: Wow64Process=0x2af070) returned 1 [0027.479] IsWow64Process (in: hProcess=0x150, Wow64Process=0x2af080 | out: Wow64Process=0x2af080) returned 1 [0027.479] NtQueryInformationProcess (in: ProcessHandle=0x150, ProcessInformationClass=0x18, ProcessInformation=0x2af07c, ProcessInformationLength=0x4, ReturnLength=0x2af080 | out: ProcessInformation=0x2af07c, ReturnLength=0x2af080) returned 0x0 [0027.479] GetProcessTimes (in: hProcess=0x150, lpCreationTime=0x2af0a4, lpExitTime=0x2af09c, lpKernelTime=0x2af09c, lpUserTime=0x2af09c | out: lpCreationTime=0x2af0a4, lpExitTime=0x2af09c, lpKernelTime=0x2af09c, lpUserTime=0x2af09c) returned 1 [0027.479] OpenProcessToken (in: ProcessHandle=0x150, DesiredAccess=0x8, TokenHandle=0x2af06c | out: TokenHandle=0x2af06c*=0x154) returned 1 [0027.479] GetTokenInformation (in: TokenHandle=0x154, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x2af068 | out: TokenInformation=0x0, ReturnLength=0x2af068) returned 0 [0027.479] GetTokenInformation (in: TokenHandle=0x154, TokenInformationClass=0x19, TokenInformation=0x9b9118, TokenInformationLength=0x14, ReturnLength=0x2af068 | out: TokenInformation=0x9b9118, ReturnLength=0x2af068) returned 1 [0027.479] GetSidSubAuthorityCount (pSid=0x9b9120*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x9b9121 [0027.479] GetSidSubAuthority (pSid=0x9b9120*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x9b9128 [0027.479] GetExitCodeProcess (in: hProcess=0x150, lpExitCode=0x2af088 | out: lpExitCode=0x2af088*=0x103) returned 1 [0027.479] GetProcessImageFileNameW (in: hProcess=0x150, lpImageFileName=0x9b6ce8, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Windows\\System32\\svchost.exe") returned 0x34 [0027.479] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x2af070 | out: Wow64Process=0x2af070) returned 1 [0027.479] IsWow64Process (in: hProcess=0x150, Wow64Process=0x2af080 | out: Wow64Process=0x2af080) returned 1 [0027.479] NtQueryInformationProcess (in: ProcessHandle=0x150, ProcessInformationClass=0x18, ProcessInformation=0x2af07c, ProcessInformationLength=0x4, ReturnLength=0x2af080 | out: ProcessInformation=0x2af07c, ReturnLength=0x2af080) returned 0x0 [0027.479] GetProcessTimes (in: hProcess=0x150, lpCreationTime=0x2af0a4, lpExitTime=0x2af09c, lpKernelTime=0x2af09c, lpUserTime=0x2af09c | out: lpCreationTime=0x2af0a4, lpExitTime=0x2af09c, lpKernelTime=0x2af09c, lpUserTime=0x2af09c) returned 1 [0027.479] OpenProcessToken (in: ProcessHandle=0x150, DesiredAccess=0x8, TokenHandle=0x2af06c | out: TokenHandle=0x2af06c*=0x154) returned 1 [0027.479] GetTokenInformation (in: TokenHandle=0x154, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x2af068 | out: TokenInformation=0x0, ReturnLength=0x2af068) returned 0 [0027.479] GetTokenInformation (in: TokenHandle=0x154, TokenInformationClass=0x19, TokenInformation=0x9b9118, TokenInformationLength=0x14, ReturnLength=0x2af068 | out: TokenInformation=0x9b9118, ReturnLength=0x2af068) returned 1 [0027.479] GetSidSubAuthorityCount (pSid=0x9b9120*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000)) returned 0x9b9121 [0027.479] GetSidSubAuthority (pSid=0x9b9120*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000), nSubAuthority=0x0) returned 0x9b9128 [0027.479] GetExitCodeProcess (in: hProcess=0x150, lpExitCode=0x2af088 | out: lpExitCode=0x2af088*=0x103) returned 1 [0027.480] GetProcessImageFileNameW (in: hProcess=0x150, lpImageFileName=0x9b6ce8, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Windows\\System32\\taskeng.exe") returned 0x34 [0027.480] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x2af070 | out: Wow64Process=0x2af070) returned 1 [0027.480] IsWow64Process (in: hProcess=0x150, Wow64Process=0x2af080 | out: Wow64Process=0x2af080) returned 1 [0027.480] NtQueryInformationProcess (in: ProcessHandle=0x150, ProcessInformationClass=0x18, ProcessInformation=0x2af07c, ProcessInformationLength=0x4, ReturnLength=0x2af080 | out: ProcessInformation=0x2af07c, ReturnLength=0x2af080) returned 0x0 [0027.480] GetProcessTimes (in: hProcess=0x150, lpCreationTime=0x2af0a4, lpExitTime=0x2af09c, lpKernelTime=0x2af09c, lpUserTime=0x2af09c | out: lpCreationTime=0x2af0a4, lpExitTime=0x2af09c, lpKernelTime=0x2af09c, lpUserTime=0x2af09c) returned 1 [0027.480] OpenProcessToken (in: ProcessHandle=0x150, DesiredAccess=0x8, TokenHandle=0x2af06c | out: TokenHandle=0x2af06c*=0x154) returned 1 [0027.480] GetTokenInformation (in: TokenHandle=0x154, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x2af068 | out: TokenInformation=0x0, ReturnLength=0x2af068) returned 0 [0027.480] GetTokenInformation (in: TokenHandle=0x154, TokenInformationClass=0x19, TokenInformation=0x9b9118, TokenInformationLength=0x14, ReturnLength=0x2af068 | out: TokenInformation=0x9b9118, ReturnLength=0x2af068) returned 1 [0027.480] GetSidSubAuthorityCount (pSid=0x9b9120*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x3000)) returned 0x9b9121 [0027.480] GetSidSubAuthority (pSid=0x9b9120*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x3000), nSubAuthority=0x0) returned 0x9b9128 [0027.480] GetExitCodeProcess (in: hProcess=0x150, lpExitCode=0x2af088 | out: lpExitCode=0x2af088*=0x103) returned 1 [0027.480] GetProcessImageFileNameW (in: hProcess=0x150, lpImageFileName=0x9b6ce8, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Windows\\explorer.exe") returned 0x2c [0027.480] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x2af070 | out: Wow64Process=0x2af070) returned 1 [0027.480] IsWow64Process (in: hProcess=0x150, Wow64Process=0x2af080 | out: Wow64Process=0x2af080) returned 1 [0027.480] NtQueryInformationProcess (in: ProcessHandle=0x150, ProcessInformationClass=0x18, ProcessInformation=0x2af07c, ProcessInformationLength=0x4, ReturnLength=0x2af080 | out: ProcessInformation=0x2af07c, ReturnLength=0x2af080) returned 0x0 [0027.480] GetProcessTimes (in: hProcess=0x150, lpCreationTime=0x2af0a4, lpExitTime=0x2af09c, lpKernelTime=0x2af09c, lpUserTime=0x2af09c | out: lpCreationTime=0x2af0a4, lpExitTime=0x2af09c, lpKernelTime=0x2af09c, lpUserTime=0x2af09c) returned 1 [0027.480] OpenProcessToken (in: ProcessHandle=0x150, DesiredAccess=0x8, TokenHandle=0x2af06c | out: TokenHandle=0x2af06c*=0x154) returned 1 [0027.480] GetTokenInformation (in: TokenHandle=0x154, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x2af068 | out: TokenInformation=0x0, ReturnLength=0x2af068) returned 0 [0027.480] GetTokenInformation (in: TokenHandle=0x154, TokenInformationClass=0x19, TokenInformation=0x9b9118, TokenInformationLength=0x14, ReturnLength=0x2af068 | out: TokenInformation=0x9b9118, ReturnLength=0x2af068) returned 1 [0027.480] GetSidSubAuthorityCount (pSid=0x9b9120*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x9b9121 [0027.480] GetSidSubAuthority (pSid=0x9b9120*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x9b9128 [0027.480] GetExitCodeProcess (in: hProcess=0x150, lpExitCode=0x2af088 | out: lpExitCode=0x2af088*=0x103) returned 1 [0027.480] GetProcessImageFileNameW (in: hProcess=0x150, lpImageFileName=0x9b6ce8, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Program Files\\Microsoft Sync Framework\\connectionsdecade.exe") returned 0x54 [0027.480] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x2af070 | out: Wow64Process=0x2af070) returned 1 [0027.480] IsWow64Process (in: hProcess=0x150, Wow64Process=0x2af080 | out: Wow64Process=0x2af080) returned 1 [0027.480] NtQueryInformationProcess (in: ProcessHandle=0x150, ProcessInformationClass=0x18, ProcessInformation=0x2af07c, ProcessInformationLength=0x4, ReturnLength=0x2af080 | out: ProcessInformation=0x2af07c, ReturnLength=0x2af080) returned 0x0 [0027.480] GetProcessTimes (in: hProcess=0x150, lpCreationTime=0x2af0a4, lpExitTime=0x2af09c, lpKernelTime=0x2af09c, lpUserTime=0x2af09c | out: lpCreationTime=0x2af0a4, lpExitTime=0x2af09c, lpKernelTime=0x2af09c, lpUserTime=0x2af09c) returned 1 [0027.480] OpenProcessToken (in: ProcessHandle=0x150, DesiredAccess=0x8, TokenHandle=0x2af06c | out: TokenHandle=0x2af06c*=0x154) returned 1 [0027.480] GetTokenInformation (in: TokenHandle=0x154, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x2af068 | out: TokenInformation=0x0, ReturnLength=0x2af068) returned 0 [0027.481] GetTokenInformation (in: TokenHandle=0x154, TokenInformationClass=0x19, TokenInformation=0x9b9118, TokenInformationLength=0x14, ReturnLength=0x2af068 | out: TokenInformation=0x9b9118, ReturnLength=0x2af068) returned 1 [0027.481] GetSidSubAuthorityCount (pSid=0x9b9120*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x9b9121 [0027.481] GetSidSubAuthority (pSid=0x9b9120*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x9b9128 [0027.481] GetExitCodeProcess (in: hProcess=0x150, lpExitCode=0x2af088 | out: lpExitCode=0x2af088*=0x103) returned 1 [0027.481] GetProcessImageFileNameW (in: hProcess=0x150, lpImageFileName=0x9b6ce8, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Program Files (x86)\\Reference Assemblies\\spectrum fs.exe") returned 0x50 [0027.481] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x2af070 | out: Wow64Process=0x2af070) returned 1 [0027.481] IsWow64Process (in: hProcess=0x150, Wow64Process=0x2af080 | out: Wow64Process=0x2af080) returned 1 [0027.481] NtQueryInformationProcess (in: ProcessHandle=0x150, ProcessInformationClass=0x18, ProcessInformation=0x2af07c, ProcessInformationLength=0x4, ReturnLength=0x2af080 | out: ProcessInformation=0x2af07c, ReturnLength=0x2af080) returned 0x0 [0027.481] GetProcessTimes (in: hProcess=0x150, lpCreationTime=0x2af0a4, lpExitTime=0x2af09c, lpKernelTime=0x2af09c, lpUserTime=0x2af09c | out: lpCreationTime=0x2af0a4, lpExitTime=0x2af09c, lpKernelTime=0x2af09c, lpUserTime=0x2af09c) returned 1 [0027.481] OpenProcessToken (in: ProcessHandle=0x150, DesiredAccess=0x8, TokenHandle=0x2af06c | out: TokenHandle=0x2af06c*=0x154) returned 1 [0027.481] GetTokenInformation (in: TokenHandle=0x154, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x2af068 | out: TokenInformation=0x0, ReturnLength=0x2af068) returned 0 [0027.481] GetTokenInformation (in: TokenHandle=0x154, TokenInformationClass=0x19, TokenInformation=0x9b9118, TokenInformationLength=0x14, ReturnLength=0x2af068 | out: TokenInformation=0x9b9118, ReturnLength=0x2af068) returned 1 [0027.481] GetSidSubAuthorityCount (pSid=0x9b9120*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x9b9121 [0027.481] GetSidSubAuthority (pSid=0x9b9120*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x9b9128 [0027.481] GetExitCodeProcess (in: hProcess=0x150, lpExitCode=0x2af088 | out: lpExitCode=0x2af088*=0x103) returned 1 [0027.481] GetProcessImageFileNameW (in: hProcess=0x150, lpImageFileName=0x9b6ce8, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Program Files (x86)\\Common Files\\amounts_under.exe") returned 0x4a [0027.481] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x2af070 | out: Wow64Process=0x2af070) returned 1 [0027.481] IsWow64Process (in: hProcess=0x150, Wow64Process=0x2af080 | out: Wow64Process=0x2af080) returned 1 [0027.481] NtQueryInformationProcess (in: ProcessHandle=0x150, ProcessInformationClass=0x18, ProcessInformation=0x2af07c, ProcessInformationLength=0x4, ReturnLength=0x2af080 | out: ProcessInformation=0x2af07c, ReturnLength=0x2af080) returned 0x0 [0027.481] GetProcessTimes (in: hProcess=0x150, lpCreationTime=0x2af0a4, lpExitTime=0x2af09c, lpKernelTime=0x2af09c, lpUserTime=0x2af09c | out: lpCreationTime=0x2af0a4, lpExitTime=0x2af09c, lpKernelTime=0x2af09c, lpUserTime=0x2af09c) returned 1 [0027.481] OpenProcessToken (in: ProcessHandle=0x150, DesiredAccess=0x8, TokenHandle=0x2af06c | out: TokenHandle=0x2af06c*=0x154) returned 1 [0027.481] GetTokenInformation (in: TokenHandle=0x154, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x2af068 | out: TokenInformation=0x0, ReturnLength=0x2af068) returned 0 [0027.481] GetTokenInformation (in: TokenHandle=0x154, TokenInformationClass=0x19, TokenInformation=0x9b9118, TokenInformationLength=0x14, ReturnLength=0x2af068 | out: TokenInformation=0x9b9118, ReturnLength=0x2af068) returned 1 [0027.481] GetSidSubAuthorityCount (pSid=0x9b9120*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x9b9121 [0027.481] GetSidSubAuthority (pSid=0x9b9120*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x9b9128 [0027.481] GetExitCodeProcess (in: hProcess=0x150, lpExitCode=0x2af088 | out: lpExitCode=0x2af088*=0x103) returned 1 [0027.481] GetProcessImageFileNameW (in: hProcess=0x150, lpImageFileName=0x9b6ce8, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Program Files (x86)\\Java\\emergency_limitation.exe") returned 0x49 [0027.482] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x2af070 | out: Wow64Process=0x2af070) returned 1 [0027.482] IsWow64Process (in: hProcess=0x150, Wow64Process=0x2af080 | out: Wow64Process=0x2af080) returned 1 [0027.482] NtQueryInformationProcess (in: ProcessHandle=0x150, ProcessInformationClass=0x18, ProcessInformation=0x2af07c, ProcessInformationLength=0x4, ReturnLength=0x2af080 | out: ProcessInformation=0x2af07c, ReturnLength=0x2af080) returned 0x0 [0027.482] GetProcessTimes (in: hProcess=0x150, lpCreationTime=0x2af0a4, lpExitTime=0x2af09c, lpKernelTime=0x2af09c, lpUserTime=0x2af09c | out: lpCreationTime=0x2af0a4, lpExitTime=0x2af09c, lpKernelTime=0x2af09c, lpUserTime=0x2af09c) returned 1 [0027.482] OpenProcessToken (in: ProcessHandle=0x150, DesiredAccess=0x8, TokenHandle=0x2af06c | out: TokenHandle=0x2af06c*=0x154) returned 1 [0027.482] GetTokenInformation (in: TokenHandle=0x154, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x2af068 | out: TokenInformation=0x0, ReturnLength=0x2af068) returned 0 [0027.482] GetTokenInformation (in: TokenHandle=0x154, TokenInformationClass=0x19, TokenInformation=0x9b9118, TokenInformationLength=0x14, ReturnLength=0x2af068 | out: TokenInformation=0x9b9118, ReturnLength=0x2af068) returned 1 [0027.482] GetSidSubAuthorityCount (pSid=0x9b9120*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x9b9121 [0027.482] GetSidSubAuthority (pSid=0x9b9120*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x9b9128 [0027.482] GetExitCodeProcess (in: hProcess=0x150, lpExitCode=0x2af088 | out: lpExitCode=0x2af088*=0x103) returned 1 [0027.482] GetProcessImageFileNameW (in: hProcess=0x150, lpImageFileName=0x9b6ce8, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Program Files (x86)\\Windows Mail\\partnerships.exe") returned 0x49 [0027.482] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x2af070 | out: Wow64Process=0x2af070) returned 1 [0027.482] IsWow64Process (in: hProcess=0x150, Wow64Process=0x2af080 | out: Wow64Process=0x2af080) returned 1 [0027.482] NtQueryInformationProcess (in: ProcessHandle=0x150, ProcessInformationClass=0x18, ProcessInformation=0x2af07c, ProcessInformationLength=0x4, ReturnLength=0x2af080 | out: ProcessInformation=0x2af07c, ReturnLength=0x2af080) returned 0x0 [0027.482] GetProcessTimes (in: hProcess=0x150, lpCreationTime=0x2af0a4, lpExitTime=0x2af09c, lpKernelTime=0x2af09c, lpUserTime=0x2af09c | out: lpCreationTime=0x2af0a4, lpExitTime=0x2af09c, lpKernelTime=0x2af09c, lpUserTime=0x2af09c) returned 1 [0027.482] OpenProcessToken (in: ProcessHandle=0x150, DesiredAccess=0x8, TokenHandle=0x2af06c | out: TokenHandle=0x2af06c*=0x154) returned 1 [0027.482] GetTokenInformation (in: TokenHandle=0x154, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x2af068 | out: TokenInformation=0x0, ReturnLength=0x2af068) returned 0 [0027.482] GetTokenInformation (in: TokenHandle=0x154, TokenInformationClass=0x19, TokenInformation=0x9b9118, TokenInformationLength=0x14, ReturnLength=0x2af068 | out: TokenInformation=0x9b9118, ReturnLength=0x2af068) returned 1 [0027.482] GetSidSubAuthorityCount (pSid=0x9b9120*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x9b9121 [0027.482] GetSidSubAuthority (pSid=0x9b9120*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x9b9128 [0027.482] GetExitCodeProcess (in: hProcess=0x150, lpExitCode=0x2af088 | out: lpExitCode=0x2af088*=0x103) returned 1 [0027.482] GetProcessImageFileNameW (in: hProcess=0x150, lpImageFileName=0x9b6ce8, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Program Files (x86)\\MSBuild\\fit.exe") returned 0x3b [0027.482] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x2af070 | out: Wow64Process=0x2af070) returned 1 [0027.482] IsWow64Process (in: hProcess=0x150, Wow64Process=0x2af080 | out: Wow64Process=0x2af080) returned 1 [0027.482] NtQueryInformationProcess (in: ProcessHandle=0x150, ProcessInformationClass=0x18, ProcessInformation=0x2af07c, ProcessInformationLength=0x4, ReturnLength=0x2af080 | out: ProcessInformation=0x2af07c, ReturnLength=0x2af080) returned 0x0 [0027.482] GetProcessTimes (in: hProcess=0x150, lpCreationTime=0x2af0a4, lpExitTime=0x2af09c, lpKernelTime=0x2af09c, lpUserTime=0x2af09c | out: lpCreationTime=0x2af0a4, lpExitTime=0x2af09c, lpKernelTime=0x2af09c, lpUserTime=0x2af09c) returned 1 [0027.482] OpenProcessToken (in: ProcessHandle=0x150, DesiredAccess=0x8, TokenHandle=0x2af06c | out: TokenHandle=0x2af06c*=0x154) returned 1 [0027.482] GetTokenInformation (in: TokenHandle=0x154, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x2af068 | out: TokenInformation=0x0, ReturnLength=0x2af068) returned 0 [0027.482] GetTokenInformation (in: TokenHandle=0x154, TokenInformationClass=0x19, TokenInformation=0x9b9118, TokenInformationLength=0x14, ReturnLength=0x2af068 | out: TokenInformation=0x9b9118, ReturnLength=0x2af068) returned 1 [0027.483] GetSidSubAuthorityCount (pSid=0x9b9120*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x9b9121 [0027.483] GetSidSubAuthority (pSid=0x9b9120*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x9b9128 [0027.483] GetExitCodeProcess (in: hProcess=0x150, lpExitCode=0x2af088 | out: lpExitCode=0x2af088*=0x103) returned 1 [0027.483] GetProcessImageFileNameW (in: hProcess=0x150, lpImageFileName=0x9b6ce8, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Program Files (x86)\\Windows Mail\\ob reid.exe") returned 0x44 [0027.483] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x2af070 | out: Wow64Process=0x2af070) returned 1 [0027.483] IsWow64Process (in: hProcess=0x150, Wow64Process=0x2af080 | out: Wow64Process=0x2af080) returned 1 [0027.483] NtQueryInformationProcess (in: ProcessHandle=0x150, ProcessInformationClass=0x18, ProcessInformation=0x2af07c, ProcessInformationLength=0x4, ReturnLength=0x2af080 | out: ProcessInformation=0x2af07c, ReturnLength=0x2af080) returned 0x0 [0027.483] GetProcessTimes (in: hProcess=0x150, lpCreationTime=0x2af0a4, lpExitTime=0x2af09c, lpKernelTime=0x2af09c, lpUserTime=0x2af09c | out: lpCreationTime=0x2af0a4, lpExitTime=0x2af09c, lpKernelTime=0x2af09c, lpUserTime=0x2af09c) returned 1 [0027.483] OpenProcessToken (in: ProcessHandle=0x150, DesiredAccess=0x8, TokenHandle=0x2af06c | out: TokenHandle=0x2af06c*=0x154) returned 1 [0027.483] GetTokenInformation (in: TokenHandle=0x154, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x2af068 | out: TokenInformation=0x0, ReturnLength=0x2af068) returned 0 [0027.483] GetTokenInformation (in: TokenHandle=0x154, TokenInformationClass=0x19, TokenInformation=0x9b9118, TokenInformationLength=0x14, ReturnLength=0x2af068 | out: TokenInformation=0x9b9118, ReturnLength=0x2af068) returned 1 [0027.483] GetSidSubAuthorityCount (pSid=0x9b9120*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x9b9121 [0027.483] GetSidSubAuthority (pSid=0x9b9120*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x9b9128 [0027.483] GetExitCodeProcess (in: hProcess=0x150, lpExitCode=0x2af088 | out: lpExitCode=0x2af088*=0x103) returned 1 [0027.483] GetProcessImageFileNameW (in: hProcess=0x150, lpImageFileName=0x9b6ce8, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Program Files\\Internet Explorer\\antonio_done_cultures.exe") returned 0x51 [0027.483] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x2af070 | out: Wow64Process=0x2af070) returned 1 [0027.483] IsWow64Process (in: hProcess=0x150, Wow64Process=0x2af080 | out: Wow64Process=0x2af080) returned 1 [0027.483] NtQueryInformationProcess (in: ProcessHandle=0x150, ProcessInformationClass=0x18, ProcessInformation=0x2af07c, ProcessInformationLength=0x4, ReturnLength=0x2af080 | out: ProcessInformation=0x2af07c, ReturnLength=0x2af080) returned 0x0 [0027.483] GetProcessTimes (in: hProcess=0x150, lpCreationTime=0x2af0a4, lpExitTime=0x2af09c, lpKernelTime=0x2af09c, lpUserTime=0x2af09c | out: lpCreationTime=0x2af0a4, lpExitTime=0x2af09c, lpKernelTime=0x2af09c, lpUserTime=0x2af09c) returned 1 [0027.483] OpenProcessToken (in: ProcessHandle=0x150, DesiredAccess=0x8, TokenHandle=0x2af06c | out: TokenHandle=0x2af06c*=0x154) returned 1 [0027.483] GetTokenInformation (in: TokenHandle=0x154, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x2af068 | out: TokenInformation=0x0, ReturnLength=0x2af068) returned 0 [0027.483] GetTokenInformation (in: TokenHandle=0x154, TokenInformationClass=0x19, TokenInformation=0x9b9118, TokenInformationLength=0x14, ReturnLength=0x2af068 | out: TokenInformation=0x9b9118, ReturnLength=0x2af068) returned 1 [0027.483] GetSidSubAuthorityCount (pSid=0x9b9120*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x9b9121 [0027.483] GetSidSubAuthority (pSid=0x9b9120*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x9b9128 [0027.483] GetExitCodeProcess (in: hProcess=0x150, lpExitCode=0x2af088 | out: lpExitCode=0x2af088*=0x103) returned 1 [0027.483] GetProcessImageFileNameW (in: hProcess=0x150, lpImageFileName=0x9b6ce8, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Program Files (x86)\\Java\\norfolk_trance_directive.exe") returned 0x4d [0027.483] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x2af070 | out: Wow64Process=0x2af070) returned 1 [0027.484] IsWow64Process (in: hProcess=0x150, Wow64Process=0x2af080 | out: Wow64Process=0x2af080) returned 1 [0027.484] NtQueryInformationProcess (in: ProcessHandle=0x150, ProcessInformationClass=0x18, ProcessInformation=0x2af07c, ProcessInformationLength=0x4, ReturnLength=0x2af080 | out: ProcessInformation=0x2af07c, ReturnLength=0x2af080) returned 0x0 [0027.484] GetProcessTimes (in: hProcess=0x150, lpCreationTime=0x2af0a4, lpExitTime=0x2af09c, lpKernelTime=0x2af09c, lpUserTime=0x2af09c | out: lpCreationTime=0x2af0a4, lpExitTime=0x2af09c, lpKernelTime=0x2af09c, lpUserTime=0x2af09c) returned 1 [0027.484] OpenProcessToken (in: ProcessHandle=0x150, DesiredAccess=0x8, TokenHandle=0x2af06c | out: TokenHandle=0x2af06c*=0x154) returned 1 [0027.484] GetTokenInformation (in: TokenHandle=0x154, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x2af068 | out: TokenInformation=0x0, ReturnLength=0x2af068) returned 0 [0027.484] GetTokenInformation (in: TokenHandle=0x154, TokenInformationClass=0x19, TokenInformation=0x9b9118, TokenInformationLength=0x14, ReturnLength=0x2af068 | out: TokenInformation=0x9b9118, ReturnLength=0x2af068) returned 1 [0027.484] GetSidSubAuthorityCount (pSid=0x9b9120*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x9b9121 [0027.484] GetSidSubAuthority (pSid=0x9b9120*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x9b9128 [0027.484] GetExitCodeProcess (in: hProcess=0x150, lpExitCode=0x2af088 | out: lpExitCode=0x2af088*=0x103) returned 1 [0027.484] GetProcessImageFileNameW (in: hProcess=0x150, lpImageFileName=0x9b6ce8, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Program Files\\Uninstall Information\\cheese-further-reads.exe") returned 0x54 [0027.484] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x2af070 | out: Wow64Process=0x2af070) returned 1 [0027.484] IsWow64Process (in: hProcess=0x150, Wow64Process=0x2af080 | out: Wow64Process=0x2af080) returned 1 [0027.484] NtQueryInformationProcess (in: ProcessHandle=0x150, ProcessInformationClass=0x18, ProcessInformation=0x2af07c, ProcessInformationLength=0x4, ReturnLength=0x2af080 | out: ProcessInformation=0x2af07c, ReturnLength=0x2af080) returned 0x0 [0027.484] GetProcessTimes (in: hProcess=0x150, lpCreationTime=0x2af0a4, lpExitTime=0x2af09c, lpKernelTime=0x2af09c, lpUserTime=0x2af09c | out: lpCreationTime=0x2af0a4, lpExitTime=0x2af09c, lpKernelTime=0x2af09c, lpUserTime=0x2af09c) returned 1 [0027.484] OpenProcessToken (in: ProcessHandle=0x150, DesiredAccess=0x8, TokenHandle=0x2af06c | out: TokenHandle=0x2af06c*=0x154) returned 1 [0027.484] GetTokenInformation (in: TokenHandle=0x154, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x2af068 | out: TokenInformation=0x0, ReturnLength=0x2af068) returned 0 [0027.484] GetTokenInformation (in: TokenHandle=0x154, TokenInformationClass=0x19, TokenInformation=0x9b9118, TokenInformationLength=0x14, ReturnLength=0x2af068 | out: TokenInformation=0x9b9118, ReturnLength=0x2af068) returned 1 [0027.484] GetSidSubAuthorityCount (pSid=0x9b9120*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x9b9121 [0027.484] GetSidSubAuthority (pSid=0x9b9120*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x9b9128 [0027.484] GetExitCodeProcess (in: hProcess=0x150, lpExitCode=0x2af088 | out: lpExitCode=0x2af088*=0x103) returned 1 [0027.484] GetProcessImageFileNameW (in: hProcess=0x150, lpImageFileName=0x9b6ce8, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Program Files\\Microsoft Analysis Services\\walking.exe") returned 0x4d [0027.484] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x2af070 | out: Wow64Process=0x2af070) returned 1 [0027.484] IsWow64Process (in: hProcess=0x150, Wow64Process=0x2af080 | out: Wow64Process=0x2af080) returned 1 [0027.484] NtQueryInformationProcess (in: ProcessHandle=0x150, ProcessInformationClass=0x18, ProcessInformation=0x2af07c, ProcessInformationLength=0x4, ReturnLength=0x2af080 | out: ProcessInformation=0x2af07c, ReturnLength=0x2af080) returned 0x0 [0027.484] GetProcessTimes (in: hProcess=0x150, lpCreationTime=0x2af0a4, lpExitTime=0x2af09c, lpKernelTime=0x2af09c, lpUserTime=0x2af09c | out: lpCreationTime=0x2af0a4, lpExitTime=0x2af09c, lpKernelTime=0x2af09c, lpUserTime=0x2af09c) returned 1 [0027.484] OpenProcessToken (in: ProcessHandle=0x150, DesiredAccess=0x8, TokenHandle=0x2af06c | out: TokenHandle=0x2af06c*=0x154) returned 1 [0027.484] GetTokenInformation (in: TokenHandle=0x154, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x2af068 | out: TokenInformation=0x0, ReturnLength=0x2af068) returned 0 [0027.484] GetTokenInformation (in: TokenHandle=0x154, TokenInformationClass=0x19, TokenInformation=0x9b9118, TokenInformationLength=0x14, ReturnLength=0x2af068 | out: TokenInformation=0x9b9118, ReturnLength=0x2af068) returned 1 [0027.484] GetSidSubAuthorityCount (pSid=0x9b9120*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x9b9121 [0027.484] GetSidSubAuthority (pSid=0x9b9120*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x9b9128 [0027.485] GetExitCodeProcess (in: hProcess=0x150, lpExitCode=0x2af088 | out: lpExitCode=0x2af088*=0x103) returned 1 [0027.485] GetProcessImageFileNameW (in: hProcess=0x150, lpImageFileName=0x9b6ce8, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Program Files\\Windows Photo Viewer\\happiness.exe") returned 0x48 [0027.485] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x2af070 | out: Wow64Process=0x2af070) returned 1 [0027.485] IsWow64Process (in: hProcess=0x150, Wow64Process=0x2af080 | out: Wow64Process=0x2af080) returned 1 [0027.485] NtQueryInformationProcess (in: ProcessHandle=0x150, ProcessInformationClass=0x18, ProcessInformation=0x2af07c, ProcessInformationLength=0x4, ReturnLength=0x2af080 | out: ProcessInformation=0x2af07c, ReturnLength=0x2af080) returned 0x0 [0027.485] GetProcessTimes (in: hProcess=0x150, lpCreationTime=0x2af0a4, lpExitTime=0x2af09c, lpKernelTime=0x2af09c, lpUserTime=0x2af09c | out: lpCreationTime=0x2af0a4, lpExitTime=0x2af09c, lpKernelTime=0x2af09c, lpUserTime=0x2af09c) returned 1 [0027.485] OpenProcessToken (in: ProcessHandle=0x150, DesiredAccess=0x8, TokenHandle=0x2af06c | out: TokenHandle=0x2af06c*=0x154) returned 1 [0027.485] GetTokenInformation (in: TokenHandle=0x154, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x2af068 | out: TokenInformation=0x0, ReturnLength=0x2af068) returned 0 [0027.485] GetTokenInformation (in: TokenHandle=0x154, TokenInformationClass=0x19, TokenInformation=0x9b9118, TokenInformationLength=0x14, ReturnLength=0x2af068 | out: TokenInformation=0x9b9118, ReturnLength=0x2af068) returned 1 [0027.485] GetSidSubAuthorityCount (pSid=0x9b9120*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x9b9121 [0027.485] GetSidSubAuthority (pSid=0x9b9120*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x9b9128 [0027.485] GetExitCodeProcess (in: hProcess=0x150, lpExitCode=0x2af088 | out: lpExitCode=0x2af088*=0x103) returned 1 [0027.485] GetProcessImageFileNameW (in: hProcess=0x150, lpImageFileName=0x9b6ce8, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Program Files (x86)\\Windows Media Player\\clubs_mobility_dive.exe") returned 0x58 [0027.485] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x2af070 | out: Wow64Process=0x2af070) returned 1 [0027.485] IsWow64Process (in: hProcess=0x150, Wow64Process=0x2af080 | out: Wow64Process=0x2af080) returned 1 [0027.485] NtQueryInformationProcess (in: ProcessHandle=0x150, ProcessInformationClass=0x18, ProcessInformation=0x2af07c, ProcessInformationLength=0x4, ReturnLength=0x2af080 | out: ProcessInformation=0x2af07c, ReturnLength=0x2af080) returned 0x0 [0027.485] GetProcessTimes (in: hProcess=0x150, lpCreationTime=0x2af0a4, lpExitTime=0x2af09c, lpKernelTime=0x2af09c, lpUserTime=0x2af09c | out: lpCreationTime=0x2af0a4, lpExitTime=0x2af09c, lpKernelTime=0x2af09c, lpUserTime=0x2af09c) returned 1 [0027.485] OpenProcessToken (in: ProcessHandle=0x150, DesiredAccess=0x8, TokenHandle=0x2af06c | out: TokenHandle=0x2af06c*=0x154) returned 1 [0027.485] GetTokenInformation (in: TokenHandle=0x154, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x2af068 | out: TokenInformation=0x0, ReturnLength=0x2af068) returned 0 [0027.485] GetTokenInformation (in: TokenHandle=0x154, TokenInformationClass=0x19, TokenInformation=0x9b9118, TokenInformationLength=0x14, ReturnLength=0x2af068 | out: TokenInformation=0x9b9118, ReturnLength=0x2af068) returned 1 [0027.485] GetSidSubAuthorityCount (pSid=0x9b9120*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x9b9121 [0027.485] GetSidSubAuthority (pSid=0x9b9120*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x9b9128 [0027.485] GetExitCodeProcess (in: hProcess=0x150, lpExitCode=0x2af088 | out: lpExitCode=0x2af088*=0x103) returned 1 [0027.485] GetProcessImageFileNameW (in: hProcess=0x150, lpImageFileName=0x9b6ce8, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Program Files (x86)\\Mozilla Maintenance Service\\completing.exe") returned 0x56 [0027.485] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x2af070 | out: Wow64Process=0x2af070) returned 1 [0027.485] IsWow64Process (in: hProcess=0x150, Wow64Process=0x2af080 | out: Wow64Process=0x2af080) returned 1 [0027.485] NtQueryInformationProcess (in: ProcessHandle=0x150, ProcessInformationClass=0x18, ProcessInformation=0x2af07c, ProcessInformationLength=0x4, ReturnLength=0x2af080 | out: ProcessInformation=0x2af07c, ReturnLength=0x2af080) returned 0x0 [0027.485] GetProcessTimes (in: hProcess=0x150, lpCreationTime=0x2af0a4, lpExitTime=0x2af09c, lpKernelTime=0x2af09c, lpUserTime=0x2af09c | out: lpCreationTime=0x2af0a4, lpExitTime=0x2af09c, lpKernelTime=0x2af09c, lpUserTime=0x2af09c) returned 1 [0027.486] OpenProcessToken (in: ProcessHandle=0x150, DesiredAccess=0x8, TokenHandle=0x2af06c | out: TokenHandle=0x2af06c*=0x154) returned 1 [0027.486] GetTokenInformation (in: TokenHandle=0x154, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x2af068 | out: TokenInformation=0x0, ReturnLength=0x2af068) returned 0 [0027.486] GetTokenInformation (in: TokenHandle=0x154, TokenInformationClass=0x19, TokenInformation=0x9b9118, TokenInformationLength=0x14, ReturnLength=0x2af068 | out: TokenInformation=0x9b9118, ReturnLength=0x2af068) returned 1 [0027.486] GetSidSubAuthorityCount (pSid=0x9b9120*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x9b9121 [0027.486] GetSidSubAuthority (pSid=0x9b9120*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x9b9128 [0027.486] GetExitCodeProcess (in: hProcess=0x150, lpExitCode=0x2af088 | out: lpExitCode=0x2af088*=0x103) returned 1 [0027.486] GetProcessImageFileNameW (in: hProcess=0x150, lpImageFileName=0x9b6ce8, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Program Files\\Windows Journal\\polished expressed.exe") returned 0x4c [0027.486] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x2af070 | out: Wow64Process=0x2af070) returned 1 [0027.486] IsWow64Process (in: hProcess=0x150, Wow64Process=0x2af080 | out: Wow64Process=0x2af080) returned 1 [0027.486] NtQueryInformationProcess (in: ProcessHandle=0x150, ProcessInformationClass=0x18, ProcessInformation=0x2af07c, ProcessInformationLength=0x4, ReturnLength=0x2af080 | out: ProcessInformation=0x2af07c, ReturnLength=0x2af080) returned 0x0 [0027.486] GetProcessTimes (in: hProcess=0x150, lpCreationTime=0x2af0a4, lpExitTime=0x2af09c, lpKernelTime=0x2af09c, lpUserTime=0x2af09c | out: lpCreationTime=0x2af0a4, lpExitTime=0x2af09c, lpKernelTime=0x2af09c, lpUserTime=0x2af09c) returned 1 [0027.486] OpenProcessToken (in: ProcessHandle=0x150, DesiredAccess=0x8, TokenHandle=0x2af06c | out: TokenHandle=0x2af06c*=0x154) returned 1 [0027.486] GetTokenInformation (in: TokenHandle=0x154, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x2af068 | out: TokenInformation=0x0, ReturnLength=0x2af068) returned 0 [0027.486] GetTokenInformation (in: TokenHandle=0x154, TokenInformationClass=0x19, TokenInformation=0x9b9118, TokenInformationLength=0x14, ReturnLength=0x2af068 | out: TokenInformation=0x9b9118, ReturnLength=0x2af068) returned 1 [0027.486] GetSidSubAuthorityCount (pSid=0x9b9120*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x9b9121 [0027.486] GetSidSubAuthority (pSid=0x9b9120*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x9b9128 [0027.486] GetExitCodeProcess (in: hProcess=0x150, lpExitCode=0x2af088 | out: lpExitCode=0x2af088*=0x103) returned 1 [0027.486] GetProcessImageFileNameW (in: hProcess=0x150, lpImageFileName=0x9b6ce8, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Program Files\\Reference Assemblies\\need result.exe") returned 0x4a [0027.486] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x2af070 | out: Wow64Process=0x2af070) returned 1 [0027.486] IsWow64Process (in: hProcess=0x150, Wow64Process=0x2af080 | out: Wow64Process=0x2af080) returned 1 [0027.486] NtQueryInformationProcess (in: ProcessHandle=0x150, ProcessInformationClass=0x18, ProcessInformation=0x2af07c, ProcessInformationLength=0x4, ReturnLength=0x2af080 | out: ProcessInformation=0x2af07c, ReturnLength=0x2af080) returned 0x0 [0027.486] GetProcessTimes (in: hProcess=0x150, lpCreationTime=0x2af0a4, lpExitTime=0x2af09c, lpKernelTime=0x2af09c, lpUserTime=0x2af09c | out: lpCreationTime=0x2af0a4, lpExitTime=0x2af09c, lpKernelTime=0x2af09c, lpUserTime=0x2af09c) returned 1 [0027.486] OpenProcessToken (in: ProcessHandle=0x150, DesiredAccess=0x8, TokenHandle=0x2af06c | out: TokenHandle=0x2af06c*=0x154) returned 1 [0027.486] GetTokenInformation (in: TokenHandle=0x154, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x2af068 | out: TokenInformation=0x0, ReturnLength=0x2af068) returned 0 [0027.486] GetTokenInformation (in: TokenHandle=0x154, TokenInformationClass=0x19, TokenInformation=0x9b9118, TokenInformationLength=0x14, ReturnLength=0x2af068 | out: TokenInformation=0x9b9118, ReturnLength=0x2af068) returned 1 [0027.486] GetSidSubAuthorityCount (pSid=0x9b9120*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x9b9121 [0027.486] GetSidSubAuthority (pSid=0x9b9120*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x9b9128 [0027.486] GetExitCodeProcess (in: hProcess=0x150, lpExitCode=0x2af088 | out: lpExitCode=0x2af088*=0x103) returned 1 [0027.486] GetProcessImageFileNameW (in: hProcess=0x150, lpImageFileName=0x9b6ce8, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Program Files\\Microsoft Sync Framework\\spring.exe") returned 0x49 [0027.487] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x2af070 | out: Wow64Process=0x2af070) returned 1 [0027.487] IsWow64Process (in: hProcess=0x150, Wow64Process=0x2af080 | out: Wow64Process=0x2af080) returned 1 [0027.487] NtQueryInformationProcess (in: ProcessHandle=0x150, ProcessInformationClass=0x18, ProcessInformation=0x2af07c, ProcessInformationLength=0x4, ReturnLength=0x2af080 | out: ProcessInformation=0x2af07c, ReturnLength=0x2af080) returned 0x0 [0027.487] GetProcessTimes (in: hProcess=0x150, lpCreationTime=0x2af0a4, lpExitTime=0x2af09c, lpKernelTime=0x2af09c, lpUserTime=0x2af09c | out: lpCreationTime=0x2af0a4, lpExitTime=0x2af09c, lpKernelTime=0x2af09c, lpUserTime=0x2af09c) returned 1 [0027.487] OpenProcessToken (in: ProcessHandle=0x150, DesiredAccess=0x8, TokenHandle=0x2af06c | out: TokenHandle=0x2af06c*=0x154) returned 1 [0027.487] GetTokenInformation (in: TokenHandle=0x154, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x2af068 | out: TokenInformation=0x0, ReturnLength=0x2af068) returned 0 [0027.487] GetTokenInformation (in: TokenHandle=0x154, TokenInformationClass=0x19, TokenInformation=0x9b9118, TokenInformationLength=0x14, ReturnLength=0x2af068 | out: TokenInformation=0x9b9118, ReturnLength=0x2af068) returned 1 [0027.487] GetSidSubAuthorityCount (pSid=0x9b9120*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x9b9121 [0027.487] GetSidSubAuthority (pSid=0x9b9120*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x9b9128 [0027.487] GetExitCodeProcess (in: hProcess=0x150, lpExitCode=0x2af088 | out: lpExitCode=0x2af088*=0x103) returned 1 [0027.487] GetProcessImageFileNameW (in: hProcess=0x150, lpImageFileName=0x9b6ce8, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Program Files (x86)\\MSBuild\\marvel.exe") returned 0x3e [0027.487] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x2af070 | out: Wow64Process=0x2af070) returned 1 [0027.487] IsWow64Process (in: hProcess=0x150, Wow64Process=0x2af080 | out: Wow64Process=0x2af080) returned 1 [0027.487] NtQueryInformationProcess (in: ProcessHandle=0x150, ProcessInformationClass=0x18, ProcessInformation=0x2af07c, ProcessInformationLength=0x4, ReturnLength=0x2af080 | out: ProcessInformation=0x2af07c, ReturnLength=0x2af080) returned 0x0 [0027.487] GetProcessTimes (in: hProcess=0x150, lpCreationTime=0x2af0a4, lpExitTime=0x2af09c, lpKernelTime=0x2af09c, lpUserTime=0x2af09c | out: lpCreationTime=0x2af0a4, lpExitTime=0x2af09c, lpKernelTime=0x2af09c, lpUserTime=0x2af09c) returned 1 [0027.487] OpenProcessToken (in: ProcessHandle=0x150, DesiredAccess=0x8, TokenHandle=0x2af06c | out: TokenHandle=0x2af06c*=0x154) returned 1 [0027.487] GetTokenInformation (in: TokenHandle=0x154, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x2af068 | out: TokenInformation=0x0, ReturnLength=0x2af068) returned 0 [0027.487] GetTokenInformation (in: TokenHandle=0x154, TokenInformationClass=0x19, TokenInformation=0x9b9118, TokenInformationLength=0x14, ReturnLength=0x2af068 | out: TokenInformation=0x9b9118, ReturnLength=0x2af068) returned 1 [0027.487] GetSidSubAuthorityCount (pSid=0x9b9120*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x9b9121 [0027.487] GetSidSubAuthority (pSid=0x9b9120*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x9b9128 [0027.487] GetExitCodeProcess (in: hProcess=0x150, lpExitCode=0x2af088 | out: lpExitCode=0x2af088*=0x103) returned 1 [0027.487] GetProcessImageFileNameW (in: hProcess=0x150, lpImageFileName=0x9b6ce8, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Program Files\\Windows Media Player\\clicks plc.exe") returned 0x49 [0027.487] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x2af070 | out: Wow64Process=0x2af070) returned 1 [0027.487] IsWow64Process (in: hProcess=0x150, Wow64Process=0x2af080 | out: Wow64Process=0x2af080) returned 1 [0027.487] NtQueryInformationProcess (in: ProcessHandle=0x150, ProcessInformationClass=0x18, ProcessInformation=0x2af07c, ProcessInformationLength=0x4, ReturnLength=0x2af080 | out: ProcessInformation=0x2af07c, ReturnLength=0x2af080) returned 0x0 [0027.487] GetProcessTimes (in: hProcess=0x150, lpCreationTime=0x2af0a4, lpExitTime=0x2af09c, lpKernelTime=0x2af09c, lpUserTime=0x2af09c | out: lpCreationTime=0x2af0a4, lpExitTime=0x2af09c, lpKernelTime=0x2af09c, lpUserTime=0x2af09c) returned 1 [0027.487] OpenProcessToken (in: ProcessHandle=0x150, DesiredAccess=0x8, TokenHandle=0x2af06c | out: TokenHandle=0x2af06c*=0x154) returned 1 [0027.487] GetTokenInformation (in: TokenHandle=0x154, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x2af068 | out: TokenInformation=0x0, ReturnLength=0x2af068) returned 0 [0027.488] GetTokenInformation (in: TokenHandle=0x154, TokenInformationClass=0x19, TokenInformation=0x9b9118, TokenInformationLength=0x14, ReturnLength=0x2af068 | out: TokenInformation=0x9b9118, ReturnLength=0x2af068) returned 1 [0027.488] GetSidSubAuthorityCount (pSid=0x9b9120*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x9b9121 [0027.488] GetSidSubAuthority (pSid=0x9b9120*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x9b9128 [0027.488] GetExitCodeProcess (in: hProcess=0x150, lpExitCode=0x2af088 | out: lpExitCode=0x2af088*=0x103) returned 1 [0027.488] GetProcessImageFileNameW (in: hProcess=0x150, lpImageFileName=0x9b6ce8, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Program Files\\DVD Maker\\inter-angle.exe") returned 0x3f [0027.488] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x2af070 | out: Wow64Process=0x2af070) returned 1 [0027.488] IsWow64Process (in: hProcess=0x150, Wow64Process=0x2af080 | out: Wow64Process=0x2af080) returned 1 [0027.488] NtQueryInformationProcess (in: ProcessHandle=0x150, ProcessInformationClass=0x18, ProcessInformation=0x2af07c, ProcessInformationLength=0x4, ReturnLength=0x2af080 | out: ProcessInformation=0x2af07c, ReturnLength=0x2af080) returned 0x0 [0027.488] GetProcessTimes (in: hProcess=0x150, lpCreationTime=0x2af0a4, lpExitTime=0x2af09c, lpKernelTime=0x2af09c, lpUserTime=0x2af09c | out: lpCreationTime=0x2af0a4, lpExitTime=0x2af09c, lpKernelTime=0x2af09c, lpUserTime=0x2af09c) returned 1 [0027.488] OpenProcessToken (in: ProcessHandle=0x150, DesiredAccess=0x8, TokenHandle=0x2af06c | out: TokenHandle=0x2af06c*=0x154) returned 1 [0027.488] GetTokenInformation (in: TokenHandle=0x154, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x2af068 | out: TokenInformation=0x0, ReturnLength=0x2af068) returned 0 [0027.488] GetTokenInformation (in: TokenHandle=0x154, TokenInformationClass=0x19, TokenInformation=0x9b9118, TokenInformationLength=0x14, ReturnLength=0x2af068 | out: TokenInformation=0x9b9118, ReturnLength=0x2af068) returned 1 [0027.488] GetSidSubAuthorityCount (pSid=0x9b9120*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x9b9121 [0027.488] GetSidSubAuthority (pSid=0x9b9120*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x9b9128 [0027.488] GetExitCodeProcess (in: hProcess=0x150, lpExitCode=0x2af088 | out: lpExitCode=0x2af088*=0x103) returned 1 [0027.488] GetProcessImageFileNameW (in: hProcess=0x150, lpImageFileName=0x9b6ce8, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Program Files\\Windows Portable Devices\\admit cellular.exe") returned 0x51 [0027.488] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x2af070 | out: Wow64Process=0x2af070) returned 1 [0027.488] IsWow64Process (in: hProcess=0x150, Wow64Process=0x2af080 | out: Wow64Process=0x2af080) returned 1 [0027.488] NtQueryInformationProcess (in: ProcessHandle=0x150, ProcessInformationClass=0x18, ProcessInformation=0x2af07c, ProcessInformationLength=0x4, ReturnLength=0x2af080 | out: ProcessInformation=0x2af07c, ReturnLength=0x2af080) returned 0x0 [0027.488] GetProcessTimes (in: hProcess=0x150, lpCreationTime=0x2af0a4, lpExitTime=0x2af09c, lpKernelTime=0x2af09c, lpUserTime=0x2af09c | out: lpCreationTime=0x2af0a4, lpExitTime=0x2af09c, lpKernelTime=0x2af09c, lpUserTime=0x2af09c) returned 1 [0027.488] OpenProcessToken (in: ProcessHandle=0x150, DesiredAccess=0x8, TokenHandle=0x2af06c | out: TokenHandle=0x2af06c*=0x154) returned 1 [0027.488] GetTokenInformation (in: TokenHandle=0x154, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x2af068 | out: TokenInformation=0x0, ReturnLength=0x2af068) returned 0 [0027.488] GetTokenInformation (in: TokenHandle=0x154, TokenInformationClass=0x19, TokenInformation=0x9b9118, TokenInformationLength=0x14, ReturnLength=0x2af068 | out: TokenInformation=0x9b9118, ReturnLength=0x2af068) returned 1 [0027.488] GetSidSubAuthorityCount (pSid=0x9b9120*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x9b9121 [0027.488] GetSidSubAuthority (pSid=0x9b9120*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x9b9128 [0027.488] GetExitCodeProcess (in: hProcess=0x150, lpExitCode=0x2af088 | out: lpExitCode=0x2af088*=0x103) returned 1 [0027.488] GetProcessImageFileNameW (in: hProcess=0x150, lpImageFileName=0x9b6ce8, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Program Files (x86)\\Microsoft Analysis Services\\contractor.exe") returned 0x56 [0027.489] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x2af070 | out: Wow64Process=0x2af070) returned 1 [0027.489] IsWow64Process (in: hProcess=0x150, Wow64Process=0x2af080 | out: Wow64Process=0x2af080) returned 1 [0027.489] NtQueryInformationProcess (in: ProcessHandle=0x150, ProcessInformationClass=0x18, ProcessInformation=0x2af07c, ProcessInformationLength=0x4, ReturnLength=0x2af080 | out: ProcessInformation=0x2af07c, ReturnLength=0x2af080) returned 0x0 [0027.489] GetProcessTimes (in: hProcess=0x150, lpCreationTime=0x2af0a4, lpExitTime=0x2af09c, lpKernelTime=0x2af09c, lpUserTime=0x2af09c | out: lpCreationTime=0x2af0a4, lpExitTime=0x2af09c, lpKernelTime=0x2af09c, lpUserTime=0x2af09c) returned 1 [0027.489] OpenProcessToken (in: ProcessHandle=0x150, DesiredAccess=0x8, TokenHandle=0x2af06c | out: TokenHandle=0x2af06c*=0x154) returned 1 [0027.489] GetTokenInformation (in: TokenHandle=0x154, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x2af068 | out: TokenInformation=0x0, ReturnLength=0x2af068) returned 0 [0027.489] GetTokenInformation (in: TokenHandle=0x154, TokenInformationClass=0x19, TokenInformation=0x9b9118, TokenInformationLength=0x14, ReturnLength=0x2af068 | out: TokenInformation=0x9b9118, ReturnLength=0x2af068) returned 1 [0027.489] GetSidSubAuthorityCount (pSid=0x9b9120*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x9b9121 [0027.489] GetSidSubAuthority (pSid=0x9b9120*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x9b9128 [0027.489] GetExitCodeProcess (in: hProcess=0x150, lpExitCode=0x2af088 | out: lpExitCode=0x2af088*=0x103) returned 1 [0027.489] GetProcessImageFileNameW (in: hProcess=0x150, lpImageFileName=0x9b6ce8, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Program Files\\Microsoft Office\\theta.exe") returned 0x40 [0027.489] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x2af070 | out: Wow64Process=0x2af070) returned 1 [0027.489] IsWow64Process (in: hProcess=0x150, Wow64Process=0x2af080 | out: Wow64Process=0x2af080) returned 1 [0027.489] NtQueryInformationProcess (in: ProcessHandle=0x150, ProcessInformationClass=0x18, ProcessInformation=0x2af07c, ProcessInformationLength=0x4, ReturnLength=0x2af080 | out: ProcessInformation=0x2af07c, ReturnLength=0x2af080) returned 0x0 [0027.489] GetProcessTimes (in: hProcess=0x150, lpCreationTime=0x2af0a4, lpExitTime=0x2af09c, lpKernelTime=0x2af09c, lpUserTime=0x2af09c | out: lpCreationTime=0x2af0a4, lpExitTime=0x2af09c, lpKernelTime=0x2af09c, lpUserTime=0x2af09c) returned 1 [0027.489] OpenProcessToken (in: ProcessHandle=0x150, DesiredAccess=0x8, TokenHandle=0x2af06c | out: TokenHandle=0x2af06c*=0x154) returned 1 [0027.489] GetTokenInformation (in: TokenHandle=0x154, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x2af068 | out: TokenInformation=0x0, ReturnLength=0x2af068) returned 0 [0027.489] GetTokenInformation (in: TokenHandle=0x154, TokenInformationClass=0x19, TokenInformation=0x9b9118, TokenInformationLength=0x14, ReturnLength=0x2af068 | out: TokenInformation=0x9b9118, ReturnLength=0x2af068) returned 1 [0027.489] GetSidSubAuthorityCount (pSid=0x9b9120*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x9b9121 [0027.489] GetSidSubAuthority (pSid=0x9b9120*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x9b9128 [0027.489] GetSystemDirectoryW (in: lpBuffer=0x9bb2d0, uSize=0x40 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0027.489] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\vssadmin.exe", lpCommandLine="C:\\Windows\\system32\\vssadmin.exe Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x2af418*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x2af45c | out: lpCommandLine="C:\\Windows\\system32\\vssadmin.exe Delete Shadows /All /Quiet", lpProcessInformation=0x2af45c*(hProcess=0x150, hThread=0x14c, dwProcessId=0x968, dwThreadId=0x96c)) returned 1 [0027.501] NtClose (Handle=0x14c) returned 0x0 [0027.501] GetEnvironmentVariableW (in: lpName="TEMP", lpBuffer=0x9b3558, nSize=0x100 | out: lpBuffer="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned 0x24 [0027.501] GetShortPathNameW (in: lpszLongPath="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp", lpszShortPath=0x9b6ce8, cchBuffer=0x100 | out: lpszShortPath="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp") returned 0x24 [0027.501] CryptAcquireContextW (in: phProv=0x2af400, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x2af400*=0x422510) returned 1 [0027.502] CryptGenRandom (in: hProv=0x422510, dwLen=0x4, pbBuffer=0x2af414 | out: pbBuffer=0x2af414) returned 1 [0027.502] CryptReleaseContext (hProv=0x422510, dwFlags=0x0) returned 1 [0027.502] CryptAcquireContextW (in: phProv=0x2af3fc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x2af3fc*=0x422510) returned 1 [0027.502] CryptGenRandom (in: hProv=0x422510, dwLen=0x4, pbBuffer=0x2af410 | out: pbBuffer=0x2af410) returned 1 [0027.502] CryptReleaseContext (hProv=0x422510, dwFlags=0x0) returned 1 [0027.502] CryptAcquireContextW (in: phProv=0x2af3fc, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x2af3fc*=0x422510) returned 1 [0027.503] CryptGenRandom (in: hProv=0x422510, dwLen=0x4, pbBuffer=0x2af410 | out: pbBuffer=0x2af410) returned 1 [0027.503] CryptReleaseContext (hProv=0x422510, dwFlags=0x0) returned 1 [0027.503] GetTempFileNameW (in: lpPathName="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp", lpPrefixString="y", uUnique=0x0, lpTempFileName=0x9b3558 | out: lpTempFileName="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\y7148.tmp" (normalized: "c:\\users\\5p5nrg~1\\appdata\\local\\temp\\y7148.tmp")) returned 0x7148 [0027.503] GetShortPathNameW (in: lpszLongPath="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\y7148.tmp", lpszShortPath=0x9b6ce8, cchBuffer=0x100 | out: lpszShortPath="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\y7148.tmp") returned 0x2e [0027.504] GetFileAttributesExW (in: lpFileName="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\y7148.tmp" (normalized: "c:\\users\\5p5nrg~1\\appdata\\local\\temp\\y7148.tmp"), fInfoLevelId=0x0, lpFileInformation=0x2af408 | out: lpFileInformation=0x2af408*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x276a0bb0, ftCreationTime.dwHighDateTime=0x1d4af0a, ftLastAccessTime.dwLowDateTime=0x276a0bb0, ftLastAccessTime.dwHighDateTime=0x1d4af0a, ftLastWriteTime.dwLowDateTime=0x276a0bb0, ftLastWriteTime.dwHighDateTime=0x1d4af0a, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0027.504] CreateFileW (lpFileName="C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\y7148.tmp" (normalized: "c:\\users\\5p5nrg~1\\appdata\\local\\temp\\y7148.tmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x5, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0027.504] SetFileTime (hFile=0x150, lpCreationTime=0x0, lpLastAccessTime=0x2af44c, lpLastWriteTime=0x2af44c) returned 1 [0027.504] WriteFile (in: hFile=0x150, lpBuffer=0x9b3068*, nNumberOfBytesToWrite=0x1a, lpNumberOfBytesWritten=0x2af478, lpOverlapped=0x0 | out: lpBuffer=0x9b3068*, lpNumberOfBytesWritten=0x2af478*=0x1a, lpOverlapped=0x0) returned 1 [0027.505] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\diskshadow.exe", lpCommandLine="C:\\Windows\\system32\\diskshadow.exe /s C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\y7148.tmp", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x2af418*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x2af45c | out: lpCommandLine="C:\\Windows\\system32\\diskshadow.exe /s C:\\Users\\5P5NRG~1\\AppData\\Local\\Temp\\y7148.tmp", lpProcessInformation=0x2af45c*(hProcess=0x0, hThread=0x0, dwProcessId=0x0, dwThreadId=0x0)) returned 0 [0027.505] NtClose (Handle=0x0) returned 0xc0000008 [0027.505] GetFileAttributesExW (in: lpFileName="C:\\Users\\5P5NRG~1\\AppData\\Roaming\\MOV7TW~1:bin" (normalized: "c:\\users\\5p5nrg~1\\appdata\\roaming\\mov7tw~1:bin"), fInfoLevelId=0x0, lpFileInformation=0x2af454 | out: lpFileInformation=0x2af454*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x256ca570, ftCreationTime.dwHighDateTime=0x1d4af0a, ftLastAccessTime.dwLowDateTime=0x256ca570, ftLastAccessTime.dwHighDateTime=0x1d4af0a, ftLastWriteTime.dwLowDateTime=0x256ca570, ftLastWriteTime.dwHighDateTime=0x1d4af0a, nFileSizeHigh=0x0, nFileSizeLow=0x20200)) returned 1 [0027.505] CreateFileW (lpFileName="C:\\Users\\5P5NRG~1\\AppData\\Roaming\\MOV7TW~1:bin" (normalized: "c:\\users\\5p5nrg~1\\appdata\\roaming\\mov7tw~1:bin"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0027.505] SetFileTime (hFile=0x150, lpCreationTime=0x0, lpLastAccessTime=0x2af498, lpLastWriteTime=0x2af498) returned 0 [0027.505] GetFileSize (in: hFile=0x150, lpFileSizeHigh=0x2af484 | out: lpFileSizeHigh=0x2af484*=0x0) returned 0x20200 [0027.505] SetFilePointer (in: hFile=0x150, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af490*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x2af490*=0) returned 0x0 [0027.506] ReadFile (in: hFile=0x150, lpBuffer=0x9bcfa0, nNumberOfBytesToRead=0x20200, lpNumberOfBytesRead=0x2af4c4, lpOverlapped=0x0 | out: lpBuffer=0x9bcfa0*, lpNumberOfBytesRead=0x2af4c4*=0x20200, lpOverlapped=0x0) returned 1 [0027.508] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x421ba8 [0027.600] EnumServicesStatusExW (in: hSCManager=0x421ba8, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x3, lpServices=0x9fd3b0, cbBufSize=0x40000, pcbBytesNeeded=0x2af470, lpServicesReturned=0x2af460, lpResumeHandle=0x2af46c, pszGroupName=0x0 | out: lpServices=0x9fd3b0, pcbBytesNeeded=0x2af470, lpServicesReturned=0x2af460, lpResumeHandle=0x2af46c) returned 1 [0027.606] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="adobeflashplayerupdatesvc", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0027.606] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="adobeflashplayerupdatesvc", cchWideChar=25, lpMultiByteStr=0x9b3020, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="adobeflashplayerupdatesvc", lpUsedDefaultChar=0x0) returned 25 [0027.606] OpenServiceW (hSCManager=0x421ba8, lpServiceName="AdobeFlashPlayerUpdateSvc", dwDesiredAccess=0x1) returned 0x421c70 [0027.606] QueryServiceConfigW (in: hService=0x421c70, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0027.606] GetLastError () returned 0x7a [0027.606] QueryServiceConfigW (in: hService=0x421c70, lpServiceConfig=0x9b3558, cbBufSize=0x146, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0027.606] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="flashplayerupdateservice.exe", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0027.607] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="flashplayerupdateservice.exe", cchWideChar=28, lpMultiByteStr=0x9b2fd8, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="flashplayerupdateservice.exe", lpUsedDefaultChar=0x0) returned 28 [0027.607] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="aelookupsvc", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.607] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="aelookupsvc", cchWideChar=11, lpMultiByteStr=0x9b2f90, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="aelookupsvc", lpUsedDefaultChar=0x0) returned 11 [0027.607] OpenServiceW (hSCManager=0x421ba8, lpServiceName="AeLookupSvc", dwDesiredAccess=0x1) returned 0x421d38 [0027.607] CloseServiceHandle (hSCObject=0x421c70) returned 1 [0027.607] QueryServiceConfigW (in: hService=0x421d38, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0027.607] GetLastError () returned 0x7a [0027.607] QueryServiceConfigW (in: hService=0x421d38, lpServiceConfig=0x9b3558, cbBufSize=0x106, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0027.608] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.608] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x9b2ba0, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0027.608] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="alg", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0027.608] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="alg", cchWideChar=3, lpMultiByteStr=0x9b2ba0, cbMultiByte=3, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="alg", lpUsedDefaultChar=0x0) returned 3 [0027.608] OpenServiceW (hSCManager=0x421ba8, lpServiceName="ALG", dwDesiredAccess=0x1) returned 0x421c98 [0027.608] CloseServiceHandle (hSCObject=0x421d38) returned 1 [0027.608] QueryServiceConfigW (in: hService=0x421c98, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0027.609] GetLastError () returned 0x7a [0027.609] QueryServiceConfigW (in: hService=0x421c98, lpServiceConfig=0x9b3558, cbBufSize=0x11a, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0027.609] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="alg.exe", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0027.609] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="alg.exe", cchWideChar=7, lpMultiByteStr=0x9b2b10, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="alg.exe", lpUsedDefaultChar=0x0) returned 7 [0027.609] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="appidsvc", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0027.609] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="appidsvc", cchWideChar=8, lpMultiByteStr=0x9b2b10, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="appidsvc", lpUsedDefaultChar=0x0) returned 8 [0027.609] OpenServiceW (hSCManager=0x421ba8, lpServiceName="AppIDSvc", dwDesiredAccess=0x1) returned 0x421d88 [0027.609] CloseServiceHandle (hSCObject=0x421c98) returned 1 [0027.609] QueryServiceConfigW (in: hService=0x421d88, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0027.609] GetLastError () returned 0x7a [0027.609] QueryServiceConfigW (in: hService=0x421d88, lpServiceConfig=0x9b3558, cbBufSize=0x18e, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0027.609] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.609] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x9b2ac8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0027.610] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="appinfo", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0027.610] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="appinfo", cchWideChar=7, lpMultiByteStr=0x9b2ac8, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="appinfo", lpUsedDefaultChar=0x0) returned 7 [0027.610] OpenServiceW (hSCManager=0x421ba8, lpServiceName="Appinfo", dwDesiredAccess=0x1) returned 0x421c70 [0027.610] CloseServiceHandle (hSCObject=0x421d88) returned 1 [0027.610] QueryServiceConfigW (in: hService=0x421c70, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0027.610] GetLastError () returned 0x7a [0027.610] QueryServiceConfigW (in: hService=0x421c70, lpServiceConfig=0x9b3558, cbBufSize=0x122, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0027.610] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.610] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x9b2a80, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0027.610] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="appmgmt", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0027.610] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="appmgmt", cchWideChar=7, lpMultiByteStr=0x9b2a80, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="appmgmt", lpUsedDefaultChar=0x0) returned 7 [0027.610] OpenServiceW (hSCManager=0x421ba8, lpServiceName="AppMgmt", dwDesiredAccess=0x1) returned 0x421d38 [0027.610] CloseServiceHandle (hSCObject=0x421c70) returned 1 [0027.611] QueryServiceConfigW (in: hService=0x421d38, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0027.611] GetLastError () returned 0x7a [0027.611] QueryServiceConfigW (in: hService=0x421d38, lpServiceConfig=0x9b3558, cbBufSize=0x106, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0027.611] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.611] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x9b2a38, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0027.611] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="aspnet_state", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0027.611] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="aspnet_state", cchWideChar=12, lpMultiByteStr=0x9b2a38, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="aspnet_state", lpUsedDefaultChar=0x0) returned 12 [0027.611] OpenServiceW (hSCManager=0x421ba8, lpServiceName="aspnet_state", dwDesiredAccess=0x1) returned 0x421c98 [0027.611] CloseServiceHandle (hSCObject=0x421d38) returned 1 [0027.611] QueryServiceConfigW (in: hService=0x421c98, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0027.612] GetLastError () returned 0x7a [0027.612] QueryServiceConfigW (in: hService=0x421c98, lpServiceConfig=0x9b3558, cbBufSize=0x150, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0027.612] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="aspnet_state.exe", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0027.612] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="aspnet_state.exe", cchWideChar=16, lpMultiByteStr=0x9b29f0, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="aspnet_state.exe", lpUsedDefaultChar=0x0) returned 16 [0027.612] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="audioendpointbuilder", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0027.612] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="audioendpointbuilder", cchWideChar=20, lpMultiByteStr=0x9b29f0, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="audioendpointbuilder", lpUsedDefaultChar=0x0) returned 20 [0027.612] OpenServiceW (hSCManager=0x421ba8, lpServiceName="AudioEndpointBuilder", dwDesiredAccess=0x1) returned 0x421d88 [0027.612] CloseServiceHandle (hSCObject=0x421c98) returned 1 [0027.612] QueryServiceConfigW (in: hService=0x421d88, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0027.612] GetLastError () returned 0x7a [0027.612] QueryServiceConfigW (in: hService=0x421d88, lpServiceConfig=0x9b3558, cbBufSize=0x164, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0027.612] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.612] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x9b2960, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0027.613] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="audiosrv", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0027.613] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="audiosrv", cchWideChar=8, lpMultiByteStr=0x9b2960, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="audiosrv", lpUsedDefaultChar=0x0) returned 8 [0027.613] OpenServiceW (hSCManager=0x421ba8, lpServiceName="AudioSrv", dwDesiredAccess=0x1) returned 0x421c70 [0027.613] CloseServiceHandle (hSCObject=0x421d88) returned 1 [0027.613] QueryServiceConfigW (in: hService=0x421c70, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0027.613] GetLastError () returned 0x7a [0027.613] QueryServiceConfigW (in: hService=0x421c70, lpServiceConfig=0x9b3558, cbBufSize=0x190, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0027.613] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.613] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x9b29a8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0027.613] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="axinstsv", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0027.613] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="axinstsv", cchWideChar=8, lpMultiByteStr=0x9b29a8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="axinstsv", lpUsedDefaultChar=0x0) returned 8 [0027.613] OpenServiceW (hSCManager=0x421ba8, lpServiceName="AxInstSV", dwDesiredAccess=0x1) returned 0x421d38 [0027.613] CloseServiceHandle (hSCObject=0x421c70) returned 1 [0027.614] QueryServiceConfigW (in: hService=0x421d38, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0027.614] GetLastError () returned 0x7a [0027.614] QueryServiceConfigW (in: hService=0x421d38, lpServiceConfig=0x9b3558, cbBufSize=0x128, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0027.614] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.614] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x9b2888, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0027.614] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="bdesvc", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0027.614] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="bdesvc", cchWideChar=6, lpMultiByteStr=0x9b2888, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bdesvc", lpUsedDefaultChar=0x0) returned 6 [0027.614] OpenServiceW (hSCManager=0x421ba8, lpServiceName="BDESVC", dwDesiredAccess=0x1) returned 0x421c98 [0027.614] CloseServiceHandle (hSCObject=0x421d38) returned 1 [0027.614] QueryServiceConfigW (in: hService=0x421c98, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0027.614] GetLastError () returned 0x7a [0027.614] QueryServiceConfigW (in: hService=0x421c98, lpServiceConfig=0x9b3558, cbBufSize=0x11e, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0027.615] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.615] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xb7c9c0, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0027.615] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="bfe", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0027.615] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="bfe", cchWideChar=3, lpMultiByteStr=0xb7c9c0, cbMultiByte=3, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bfe", lpUsedDefaultChar=0x0) returned 3 [0027.615] OpenServiceW (hSCManager=0x421ba8, lpServiceName="BFE", dwDesiredAccess=0x1) returned 0x421d88 [0027.615] CloseServiceHandle (hSCObject=0x421c98) returned 1 [0027.615] QueryServiceConfigW (in: hService=0x421d88, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0027.615] GetLastError () returned 0x7a [0027.615] QueryServiceConfigW (in: hService=0x421d88, lpServiceConfig=0x9b3558, cbBufSize=0x164, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0027.615] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.615] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xb7c9c0, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0027.615] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="bits", cchWideChar=4, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 4 [0027.615] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="bits", cchWideChar=4, lpMultiByteStr=0x9b9040, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bits", lpUsedDefaultChar=0x0) returned 4 [0027.616] OpenServiceW (hSCManager=0x421ba8, lpServiceName="BITS", dwDesiredAccess=0x1) returned 0x421c70 [0027.616] CloseServiceHandle (hSCObject=0x421d88) returned 1 [0027.616] QueryServiceConfigW (in: hService=0x421c70, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0027.616] GetLastError () returned 0x7a [0027.616] QueryServiceConfigW (in: hService=0x421c70, lpServiceConfig=0x9b3558, cbBufSize=0x14a, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0027.616] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.616] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x9b9040, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0027.616] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="browser", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0027.616] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="browser", cchWideChar=7, lpMultiByteStr=0x9b9088, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="browser", lpUsedDefaultChar=0x0) returned 7 [0027.616] OpenServiceW (hSCManager=0x421ba8, lpServiceName="Browser", dwDesiredAccess=0x1) returned 0x421d38 [0027.616] CloseServiceHandle (hSCObject=0x421c70) returned 1 [0027.616] QueryServiceConfigW (in: hService=0x421d38, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0027.617] GetLastError () returned 0x7a [0027.617] QueryServiceConfigW (in: hService=0x421d38, lpServiceConfig=0x9b3558, cbBufSize=0x154, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0027.617] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.617] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x9b90d0, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0027.617] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="bthserv", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0027.617] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="bthserv", cchWideChar=7, lpMultiByteStr=0x9b90d0, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bthserv", lpUsedDefaultChar=0x0) returned 7 [0027.617] OpenServiceW (hSCManager=0x421ba8, lpServiceName="bthserv", dwDesiredAccess=0x1) returned 0x421c98 [0027.617] CloseServiceHandle (hSCObject=0x421d38) returned 1 [0027.617] QueryServiceConfigW (in: hService=0x421c98, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0027.617] GetLastError () returned 0x7a [0027.617] QueryServiceConfigW (in: hService=0x421c98, lpServiceConfig=0x9b3558, cbBufSize=0x132, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0027.617] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.618] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x9b9118, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0027.618] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="certpropsvc", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.618] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="certpropsvc", cchWideChar=11, lpMultiByteStr=0x9b9118, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="certpropsvc", lpUsedDefaultChar=0x0) returned 11 [0027.618] OpenServiceW (hSCManager=0x421ba8, lpServiceName="CertPropSvc", dwDesiredAccess=0x1) returned 0x421d88 [0027.618] CloseServiceHandle (hSCObject=0x421c98) returned 1 [0027.618] QueryServiceConfigW (in: hService=0x421d88, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0027.618] GetLastError () returned 0x7a [0027.618] QueryServiceConfigW (in: hService=0x421d88, lpServiceConfig=0x9b3558, cbBufSize=0x112, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0027.618] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.618] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x9b9160, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0027.618] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="clr_optimization_v2.0.50727_32", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0027.618] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="clr_optimization_v2.0.50727_32", cchWideChar=30, lpMultiByteStr=0x9b9160, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="clr_optimization_v2.0.50727_32", lpUsedDefaultChar=0x0) returned 30 [0027.618] OpenServiceW (hSCManager=0x421ba8, lpServiceName="clr_optimization_v2.0.50727_32", dwDesiredAccess=0x1) returned 0x421c70 [0027.618] CloseServiceHandle (hSCObject=0x421d88) returned 1 [0027.619] QueryServiceConfigW (in: hService=0x421c70, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0027.619] GetLastError () returned 0x7a [0027.619] QueryServiceConfigW (in: hService=0x421c70, lpServiceConfig=0x9b3558, cbBufSize=0x152, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0027.619] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mscorsvw.exe", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0027.619] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mscorsvw.exe", cchWideChar=12, lpMultiByteStr=0x9b91a8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mscorsvw.exe", lpUsedDefaultChar=0x0) returned 12 [0027.619] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="clr_optimization_v2.0.50727_64", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0027.619] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="clr_optimization_v2.0.50727_64", cchWideChar=30, lpMultiByteStr=0x9b9160, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="clr_optimization_v2.0.50727_64", lpUsedDefaultChar=0x0) returned 30 [0027.619] OpenServiceW (hSCManager=0x421ba8, lpServiceName="clr_optimization_v2.0.50727_64", dwDesiredAccess=0x1) returned 0x421d38 [0027.619] CloseServiceHandle (hSCObject=0x421c70) returned 1 [0027.619] QueryServiceConfigW (in: hService=0x421d38, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0027.620] GetLastError () returned 0x7a [0027.620] QueryServiceConfigW (in: hService=0x421d38, lpServiceConfig=0x9b3558, cbBufSize=0x156, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0027.620] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mscorsvw.exe", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0027.620] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mscorsvw.exe", cchWideChar=12, lpMultiByteStr=0x9b91a8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mscorsvw.exe", lpUsedDefaultChar=0x0) returned 12 [0027.620] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="clr_optimization_v4.0.30319_32", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0027.620] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="clr_optimization_v4.0.30319_32", cchWideChar=30, lpMultiByteStr=0x9b91a8, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="clr_optimization_v4.0.30319_32", lpUsedDefaultChar=0x0) returned 30 [0027.620] OpenServiceW (hSCManager=0x421ba8, lpServiceName="clr_optimization_v4.0.30319_32", dwDesiredAccess=0x1) returned 0x421c98 [0027.620] CloseServiceHandle (hSCObject=0x421d38) returned 1 [0027.620] QueryServiceConfigW (in: hService=0x421c98, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0027.620] GetLastError () returned 0x7a [0027.620] QueryServiceConfigW (in: hService=0x421c98, lpServiceConfig=0x9b3558, cbBufSize=0x152, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0027.620] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mscorsvw.exe", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0027.620] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mscorsvw.exe", cchWideChar=12, lpMultiByteStr=0x9b91f0, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mscorsvw.exe", lpUsedDefaultChar=0x0) returned 12 [0027.620] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="clr_optimization_v4.0.30319_64", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0027.621] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="clr_optimization_v4.0.30319_64", cchWideChar=30, lpMultiByteStr=0x9b91f0, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="clr_optimization_v4.0.30319_64", lpUsedDefaultChar=0x0) returned 30 [0027.621] OpenServiceW (hSCManager=0x421ba8, lpServiceName="clr_optimization_v4.0.30319_64", dwDesiredAccess=0x1) returned 0x421d88 [0027.621] CloseServiceHandle (hSCObject=0x421c98) returned 1 [0027.621] QueryServiceConfigW (in: hService=0x421d88, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0027.621] GetLastError () returned 0x7a [0027.621] QueryServiceConfigW (in: hService=0x421d88, lpServiceConfig=0x9b3558, cbBufSize=0x156, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0027.621] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mscorsvw.exe", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0027.621] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mscorsvw.exe", cchWideChar=12, lpMultiByteStr=0x9b9238, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mscorsvw.exe", lpUsedDefaultChar=0x0) returned 12 [0027.621] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="comsysapp", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0027.621] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="comsysapp", cchWideChar=9, lpMultiByteStr=0x9b9238, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="comsysapp", lpUsedDefaultChar=0x0) returned 9 [0027.621] OpenServiceW (hSCManager=0x421ba8, lpServiceName="COMSysApp", dwDesiredAccess=0x1) returned 0x421c70 [0027.621] CloseServiceHandle (hSCObject=0x421d88) returned 1 [0027.621] QueryServiceConfigW (in: hService=0x421c70, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0027.622] GetLastError () returned 0x7a [0027.622] QueryServiceConfigW (in: hService=0x421c70, lpServiceConfig=0x9b3558, cbBufSize=0x182, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0027.622] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="dllhost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.622] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="dllhost.exe", cchWideChar=11, lpMultiByteStr=0x9b9280, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dllhost.exe", lpUsedDefaultChar=0x0) returned 11 [0027.622] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="cryptsvc", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0027.622] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="cryptsvc", cchWideChar=8, lpMultiByteStr=0x9b9280, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="cryptsvc", lpUsedDefaultChar=0x0) returned 8 [0027.622] OpenServiceW (hSCManager=0x421ba8, lpServiceName="CryptSvc", dwDesiredAccess=0x1) returned 0x421d38 [0027.622] CloseServiceHandle (hSCObject=0x421c70) returned 1 [0027.622] QueryServiceConfigW (in: hService=0x421d38, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0027.622] GetLastError () returned 0x7a [0027.622] QueryServiceConfigW (in: hService=0x421d38, lpServiceConfig=0x9b3558, cbBufSize=0x13e, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0027.622] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.623] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x9b92c8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0027.623] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="cscservice", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0027.623] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="cscservice", cchWideChar=10, lpMultiByteStr=0x9b92c8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="cscservice", lpUsedDefaultChar=0x0) returned 10 [0027.623] OpenServiceW (hSCManager=0x421ba8, lpServiceName="CscService", dwDesiredAccess=0x1) returned 0x421c98 [0027.623] CloseServiceHandle (hSCObject=0x421d38) returned 1 [0027.623] QueryServiceConfigW (in: hService=0x421c98, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0027.623] GetLastError () returned 0x7a [0027.623] QueryServiceConfigW (in: hService=0x421c98, lpServiceConfig=0x9b3558, cbBufSize=0x142, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0027.623] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.623] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x9b9310, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0027.623] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="dcomlaunch", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0027.623] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="dcomlaunch", cchWideChar=10, lpMultiByteStr=0x9b9310, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dcomlaunch", lpUsedDefaultChar=0x0) returned 10 [0027.623] OpenServiceW (hSCManager=0x421ba8, lpServiceName="DcomLaunch", dwDesiredAccess=0x1) returned 0x421d88 [0027.623] CloseServiceHandle (hSCObject=0x421c98) returned 1 [0027.624] QueryServiceConfigW (in: hService=0x421d88, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0027.624] GetLastError () returned 0x7a [0027.624] QueryServiceConfigW (in: hService=0x421d88, lpServiceConfig=0x9b3558, cbBufSize=0x13c, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0027.624] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.624] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x9b9358, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0027.624] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="defragsvc", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0027.624] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="defragsvc", cchWideChar=9, lpMultiByteStr=0x9b9358, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="defragsvc", lpUsedDefaultChar=0x0) returned 9 [0027.624] OpenServiceW (hSCManager=0x421ba8, lpServiceName="defragsvc", dwDesiredAccess=0x1) returned 0x421c70 [0027.624] CloseServiceHandle (hSCObject=0x421d88) returned 1 [0027.624] QueryServiceConfigW (in: hService=0x421c70, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0027.625] GetLastError () returned 0x7a [0027.625] QueryServiceConfigW (in: hService=0x421c70, lpServiceConfig=0x9b3558, cbBufSize=0x10a, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0027.625] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.625] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x9b93a0, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0027.625] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="dhcp", cchWideChar=4, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 4 [0027.625] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="dhcp", cchWideChar=4, lpMultiByteStr=0x9b93a0, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dhcp", lpUsedDefaultChar=0x0) returned 4 [0027.625] OpenServiceW (hSCManager=0x421ba8, lpServiceName="Dhcp", dwDesiredAccess=0x1) returned 0x421d38 [0027.625] CloseServiceHandle (hSCObject=0x421c70) returned 1 [0027.625] QueryServiceConfigW (in: hService=0x421d38, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0027.625] GetLastError () returned 0x7a [0027.625] QueryServiceConfigW (in: hService=0x421d38, lpServiceConfig=0x9b3558, cbBufSize=0x154, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0027.625] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.625] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x9b93e8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0027.625] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="dnscache", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0027.625] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="dnscache", cchWideChar=8, lpMultiByteStr=0x9b93e8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dnscache", lpUsedDefaultChar=0x0) returned 8 [0027.626] OpenServiceW (hSCManager=0x421ba8, lpServiceName="Dnscache", dwDesiredAccess=0x1) returned 0x421c98 [0027.626] CloseServiceHandle (hSCObject=0x421d38) returned 1 [0027.626] QueryServiceConfigW (in: hService=0x421c98, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0027.626] GetLastError () returned 0x7a [0027.626] QueryServiceConfigW (in: hService=0x421c98, lpServiceConfig=0x9b3558, cbBufSize=0x130, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0027.626] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.626] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x9b9430, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0027.626] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="dot3svc", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0027.626] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="dot3svc", cchWideChar=7, lpMultiByteStr=0x9b9430, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dot3svc", lpUsedDefaultChar=0x0) returned 7 [0027.626] OpenServiceW (hSCManager=0x421ba8, lpServiceName="dot3svc", dwDesiredAccess=0x1) returned 0x421d88 [0027.627] CloseServiceHandle (hSCObject=0x421c98) returned 1 [0027.627] QueryServiceConfigW (in: hService=0x421d88, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0027.627] GetLastError () returned 0x7a [0027.627] QueryServiceConfigW (in: hService=0x421d88, lpServiceConfig=0x9b3558, cbBufSize=0x154, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0027.627] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.627] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x9b9478, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0027.628] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="dps", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0027.628] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="dps", cchWideChar=3, lpMultiByteStr=0x9b9478, cbMultiByte=3, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dps", lpUsedDefaultChar=0x0) returned 3 [0027.628] OpenServiceW (hSCManager=0x421ba8, lpServiceName="DPS", dwDesiredAccess=0x1) returned 0x421c70 [0027.628] CloseServiceHandle (hSCObject=0x421d88) returned 1 [0027.628] QueryServiceConfigW (in: hService=0x421c70, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0027.628] GetLastError () returned 0x7a [0027.628] QueryServiceConfigW (in: hService=0x421c70, lpServiceConfig=0x9b3558, cbBufSize=0x144, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0027.628] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.628] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x9b94c0, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0027.628] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="eaphost", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0027.628] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="eaphost", cchWideChar=7, lpMultiByteStr=0x9b94c0, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="eaphost", lpUsedDefaultChar=0x0) returned 7 [0027.628] OpenServiceW (hSCManager=0x421ba8, lpServiceName="EapHost", dwDesiredAccess=0x1) returned 0x421d38 [0027.628] CloseServiceHandle (hSCObject=0x421c70) returned 1 [0027.629] QueryServiceConfigW (in: hService=0x421d38, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0027.629] GetLastError () returned 0x7a [0027.629] QueryServiceConfigW (in: hService=0x421d38, lpServiceConfig=0x9b3558, cbBufSize=0x136, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0027.629] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.629] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x9b9508, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0027.629] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="efs", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0027.629] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="efs", cchWideChar=3, lpMultiByteStr=0x9b9508, cbMultiByte=3, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="efs", lpUsedDefaultChar=0x0) returned 3 [0027.629] OpenServiceW (hSCManager=0x421ba8, lpServiceName="EFS", dwDesiredAccess=0x1) returned 0x421c98 [0027.629] CloseServiceHandle (hSCObject=0x421d38) returned 1 [0027.629] QueryServiceConfigW (in: hService=0x421c98, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0027.629] GetLastError () returned 0x7a [0027.629] QueryServiceConfigW (in: hService=0x421c98, lpServiceConfig=0x9b3558, cbBufSize=0x102, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0027.630] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="lsass.exe", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0027.630] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="lsass.exe", cchWideChar=9, lpMultiByteStr=0x9b9550, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="lsass.exe", lpUsedDefaultChar=0x0) returned 9 [0027.630] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ehrecvr", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0027.630] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ehrecvr", cchWideChar=7, lpMultiByteStr=0x9b9550, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ehrecvr", lpUsedDefaultChar=0x0) returned 7 [0027.630] OpenServiceW (hSCManager=0x421ba8, lpServiceName="ehRecvr", dwDesiredAccess=0x1) returned 0x421d88 [0027.630] CloseServiceHandle (hSCObject=0x421c98) returned 1 [0027.630] QueryServiceConfigW (in: hService=0x421d88, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0027.630] GetLastError () returned 0x7a [0027.630] QueryServiceConfigW (in: hService=0x421d88, lpServiceConfig=0x9b3558, cbBufSize=0x132, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0027.630] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ehrecvr.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.630] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ehrecvr.exe", cchWideChar=11, lpMultiByteStr=0x9b9598, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ehrecvr.exe", lpUsedDefaultChar=0x0) returned 11 [0027.630] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ehsched", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0027.630] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ehsched", cchWideChar=7, lpMultiByteStr=0x9b9598, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ehsched", lpUsedDefaultChar=0x0) returned 7 [0027.630] OpenServiceW (hSCManager=0x421ba8, lpServiceName="ehSched", dwDesiredAccess=0x1) returned 0x421c70 [0027.631] CloseServiceHandle (hSCObject=0x421d88) returned 1 [0027.631] QueryServiceConfigW (in: hService=0x421c70, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0027.631] GetLastError () returned 0x7a [0027.631] QueryServiceConfigW (in: hService=0x421c70, lpServiceConfig=0x9b3558, cbBufSize=0x134, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0027.631] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ehsched.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.631] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ehsched.exe", cchWideChar=11, lpMultiByteStr=0x9b95e0, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ehsched.exe", lpUsedDefaultChar=0x0) returned 11 [0027.631] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="eventlog", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0027.631] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="eventlog", cchWideChar=8, lpMultiByteStr=0x9b95e0, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="eventlog", lpUsedDefaultChar=0x0) returned 8 [0027.631] OpenServiceW (hSCManager=0x421ba8, lpServiceName="eventlog", dwDesiredAccess=0x1) returned 0x421d38 [0027.631] CloseServiceHandle (hSCObject=0x421c70) returned 1 [0027.631] QueryServiceConfigW (in: hService=0x421d38, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0027.631] GetLastError () returned 0x7a [0027.631] QueryServiceConfigW (in: hService=0x421d38, lpServiceConfig=0x9b3558, cbBufSize=0x156, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0027.632] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.632] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x9b9628, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0027.632] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="eventsystem", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.632] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="eventsystem", cchWideChar=11, lpMultiByteStr=0x9b9628, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="eventsystem", lpUsedDefaultChar=0x0) returned 11 [0027.632] OpenServiceW (hSCManager=0x421ba8, lpServiceName="EventSystem", dwDesiredAccess=0x1) returned 0x421c98 [0027.632] CloseServiceHandle (hSCObject=0x421d38) returned 1 [0027.632] QueryServiceConfigW (in: hService=0x421c98, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0027.632] GetLastError () returned 0x7a [0027.632] QueryServiceConfigW (in: hService=0x421c98, lpServiceConfig=0x9b3558, cbBufSize=0x12c, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0027.632] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.632] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x9b9670, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0027.632] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="fax", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0027.632] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="fax", cchWideChar=3, lpMultiByteStr=0x9b9670, cbMultiByte=3, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="fax", lpUsedDefaultChar=0x0) returned 3 [0027.632] OpenServiceW (hSCManager=0x421ba8, lpServiceName="Fax", dwDesiredAccess=0x1) returned 0x421d88 [0027.633] CloseServiceHandle (hSCObject=0x421c98) returned 1 [0027.633] QueryServiceConfigW (in: hService=0x421d88, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0027.633] GetLastError () returned 0x7a [0027.633] QueryServiceConfigW (in: hService=0x421d88, lpServiceConfig=0x9b3558, cbBufSize=0x124, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0027.633] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="fxssvc.exe", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0027.633] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="fxssvc.exe", cchWideChar=10, lpMultiByteStr=0x9b96b8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="fxssvc.exe", lpUsedDefaultChar=0x0) returned 10 [0027.633] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="fdphost", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0027.633] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="fdphost", cchWideChar=7, lpMultiByteStr=0x9b96b8, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="fdphost", lpUsedDefaultChar=0x0) returned 7 [0027.633] OpenServiceW (hSCManager=0x421ba8, lpServiceName="fdPHost", dwDesiredAccess=0x1) returned 0x421c70 [0027.633] CloseServiceHandle (hSCObject=0x421d88) returned 1 [0027.633] QueryServiceConfigW (in: hService=0x421c70, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0027.634] GetLastError () returned 0x7a [0027.634] QueryServiceConfigW (in: hService=0x421c70, lpServiceConfig=0x9b3558, cbBufSize=0x154, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0027.634] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.634] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x9b9700, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0027.634] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="fdrespub", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0027.634] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="fdrespub", cchWideChar=8, lpMultiByteStr=0x9b9700, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="fdrespub", lpUsedDefaultChar=0x0) returned 8 [0027.634] OpenServiceW (hSCManager=0x421ba8, lpServiceName="FDResPub", dwDesiredAccess=0x1) returned 0x421d38 [0027.634] CloseServiceHandle (hSCObject=0x421c70) returned 1 [0027.634] QueryServiceConfigW (in: hService=0x421d38, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0027.634] GetLastError () returned 0x7a [0027.634] QueryServiceConfigW (in: hService=0x421d38, lpServiceConfig=0x9b3558, cbBufSize=0x186, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0027.634] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.634] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x9b9748, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0027.634] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="fontcache", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0027.635] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="fontcache", cchWideChar=9, lpMultiByteStr=0x9b9748, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="fontcache", lpUsedDefaultChar=0x0) returned 9 [0027.635] OpenServiceW (hSCManager=0x421ba8, lpServiceName="FontCache", dwDesiredAccess=0x1) returned 0x421c98 [0027.635] CloseServiceHandle (hSCObject=0x421d38) returned 1 [0027.635] QueryServiceConfigW (in: hService=0x421c98, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0027.635] GetLastError () returned 0x7a [0027.635] QueryServiceConfigW (in: hService=0x421c98, lpServiceConfig=0x9b3558, cbBufSize=0x158, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0027.635] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.635] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x9b9790, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0027.635] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="fontcache3.0.0.0", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0027.635] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="fontcache3.0.0.0", cchWideChar=16, lpMultiByteStr=0x9b9790, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="fontcache3.0.0.0", lpUsedDefaultChar=0x0) returned 16 [0027.635] OpenServiceW (hSCManager=0x421ba8, lpServiceName="FontCache3.0.0.0", dwDesiredAccess=0x1) returned 0x421d88 [0027.636] CloseServiceHandle (hSCObject=0x421c98) returned 1 [0027.636] QueryServiceConfigW (in: hService=0x421d88, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0027.636] GetLastError () returned 0x7a [0027.636] QueryServiceConfigW (in: hService=0x421d88, lpServiceConfig=0x9b3558, cbBufSize=0x194, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0027.636] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="presentationfontcache.exe", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0027.636] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="presentationfontcache.exe", cchWideChar=25, lpMultiByteStr=0x9b97d8, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="presentationfontcache.exe", lpUsedDefaultChar=0x0) returned 25 [0027.636] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="gpsvc", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0027.636] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="gpsvc", cchWideChar=5, lpMultiByteStr=0x9b97d8, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="gpsvc", lpUsedDefaultChar=0x0) returned 5 [0027.636] OpenServiceW (hSCManager=0x421ba8, lpServiceName="gpsvc", dwDesiredAccess=0x1) returned 0x421c70 [0027.636] CloseServiceHandle (hSCObject=0x421d88) returned 1 [0027.636] QueryServiceConfigW (in: hService=0x421c70, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0027.637] GetLastError () returned 0x7a [0027.637] QueryServiceConfigW (in: hService=0x421c70, lpServiceConfig=0x9b3558, cbBufSize=0x12c, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0027.637] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.637] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x9b9820, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0027.637] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="gupdate", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0027.637] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="gupdate", cchWideChar=7, lpMultiByteStr=0x9b9820, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="gupdate", lpUsedDefaultChar=0x0) returned 7 [0027.637] OpenServiceW (hSCManager=0x421ba8, lpServiceName="gupdate", dwDesiredAccess=0x1) returned 0x421d38 [0027.637] CloseServiceHandle (hSCObject=0x421c70) returned 1 [0027.637] QueryServiceConfigW (in: hService=0x421d38, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0027.638] GetLastError () returned 0x7a [0027.638] QueryServiceConfigW (in: hService=0x421d38, lpServiceConfig=0x9b3558, cbBufSize=0x146, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0027.638] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="googleupdate.exe", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0027.638] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="googleupdate.exe", cchWideChar=16, lpMultiByteStr=0x9b9868, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="googleupdate.exe", lpUsedDefaultChar=0x0) returned 16 [0027.638] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="gupdatem", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0027.638] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="gupdatem", cchWideChar=8, lpMultiByteStr=0x9b9868, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="gupdatem", lpUsedDefaultChar=0x0) returned 8 [0027.638] OpenServiceW (hSCManager=0x421ba8, lpServiceName="gupdatem", dwDesiredAccess=0x1) returned 0x421c98 [0027.638] CloseServiceHandle (hSCObject=0x421d38) returned 1 [0027.638] QueryServiceConfigW (in: hService=0x421c98, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0027.638] GetLastError () returned 0x7a [0027.638] QueryServiceConfigW (in: hService=0x421c98, lpServiceConfig=0x9b3558, cbBufSize=0x14e, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0027.639] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="googleupdate.exe", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0027.639] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="googleupdate.exe", cchWideChar=16, lpMultiByteStr=0x9b98b0, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="googleupdate.exe", lpUsedDefaultChar=0x0) returned 16 [0027.639] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="hidserv", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0027.639] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="hidserv", cchWideChar=7, lpMultiByteStr=0x9b98b0, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="hidserv", lpUsedDefaultChar=0x0) returned 7 [0027.639] OpenServiceW (hSCManager=0x421ba8, lpServiceName="hidserv", dwDesiredAccess=0x1) returned 0x421d88 [0027.639] CloseServiceHandle (hSCObject=0x421c98) returned 1 [0027.639] QueryServiceConfigW (in: hService=0x421d88, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0027.639] GetLastError () returned 0x7a [0027.639] QueryServiceConfigW (in: hService=0x421d88, lpServiceConfig=0x9b3558, cbBufSize=0x13e, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0027.639] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.639] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x9b98f8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0027.639] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="hkmsvc", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0027.639] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="hkmsvc", cchWideChar=6, lpMultiByteStr=0x9b98f8, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="hkmsvc", lpUsedDefaultChar=0x0) returned 6 [0027.639] OpenServiceW (hSCManager=0x421ba8, lpServiceName="hkmsvc", dwDesiredAccess=0x1) returned 0x421c70 [0027.640] CloseServiceHandle (hSCObject=0x421d88) returned 1 [0027.640] QueryServiceConfigW (in: hService=0x421c70, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0027.640] GetLastError () returned 0x7a [0027.640] QueryServiceConfigW (in: hService=0x421c70, lpServiceConfig=0x9b3558, cbBufSize=0x12e, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0027.640] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.640] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x9b9940, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0027.640] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="homegrouplistener", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0027.640] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="homegrouplistener", cchWideChar=17, lpMultiByteStr=0x9b9940, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="homegrouplistener", lpUsedDefaultChar=0x0) returned 17 [0027.640] OpenServiceW (hSCManager=0x421ba8, lpServiceName="HomeGroupListener", dwDesiredAccess=0x1) returned 0x421d38 [0027.640] CloseServiceHandle (hSCObject=0x421c70) returned 1 [0027.640] QueryServiceConfigW (in: hService=0x421d38, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0027.641] GetLastError () returned 0x7a [0027.641] QueryServiceConfigW (in: hService=0x421d38, lpServiceConfig=0x9b3558, cbBufSize=0x140, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0027.641] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.641] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x9b9988, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0027.641] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="homegroupprovider", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0027.641] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="homegroupprovider", cchWideChar=17, lpMultiByteStr=0x9b9988, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="homegroupprovider", lpUsedDefaultChar=0x0) returned 17 [0027.641] OpenServiceW (hSCManager=0x421ba8, lpServiceName="HomeGroupProvider", dwDesiredAccess=0x1) returned 0x421c98 [0027.641] CloseServiceHandle (hSCObject=0x421d38) returned 1 [0027.641] QueryServiceConfigW (in: hService=0x421c98, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0027.641] GetLastError () returned 0x7a [0027.641] QueryServiceConfigW (in: hService=0x421c98, lpServiceConfig=0x9b3558, cbBufSize=0x178, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0027.641] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.641] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x9b99d0, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0027.641] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="idsvc", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0027.641] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="idsvc", cchWideChar=5, lpMultiByteStr=0x9b99d0, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="idsvc", lpUsedDefaultChar=0x0) returned 5 [0027.642] OpenServiceW (hSCManager=0x421ba8, lpServiceName="idsvc", dwDesiredAccess=0x1) returned 0x421d88 [0027.642] CloseServiceHandle (hSCObject=0x421c98) returned 1 [0027.642] QueryServiceConfigW (in: hService=0x421d88, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0027.642] GetLastError () returned 0x7a [0027.642] QueryServiceConfigW (in: hService=0x421d88, lpServiceConfig=0x9b3558, cbBufSize=0x15a, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0027.642] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="infocard.exe", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0027.642] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="infocard.exe", cchWideChar=12, lpMultiByteStr=0x9b9a18, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="infocard.exe", lpUsedDefaultChar=0x0) returned 12 [0027.642] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ikeext", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0027.642] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ikeext", cchWideChar=6, lpMultiByteStr=0x9b9a18, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ikeext", lpUsedDefaultChar=0x0) returned 6 [0027.642] OpenServiceW (hSCManager=0x421ba8, lpServiceName="IKEEXT", dwDesiredAccess=0x1) returned 0x421c70 [0027.642] CloseServiceHandle (hSCObject=0x421d88) returned 1 [0027.642] QueryServiceConfigW (in: hService=0x421c70, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0027.643] GetLastError () returned 0x7a [0027.643] QueryServiceConfigW (in: hService=0x421c70, lpServiceConfig=0x9b3558, cbBufSize=0x126, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0027.643] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.643] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x9b9a60, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0027.643] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ipbusenum", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0027.643] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ipbusenum", cchWideChar=9, lpMultiByteStr=0x9b9a60, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ipbusenum", lpUsedDefaultChar=0x0) returned 9 [0027.643] OpenServiceW (hSCManager=0x421ba8, lpServiceName="IPBusEnum", dwDesiredAccess=0x1) returned 0x421d38 [0027.643] CloseServiceHandle (hSCObject=0x421c70) returned 1 [0027.643] QueryServiceConfigW (in: hService=0x421d38, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0027.643] GetLastError () returned 0x7a [0027.643] QueryServiceConfigW (in: hService=0x421d38, lpServiceConfig=0x9b3558, cbBufSize=0x14c, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0027.643] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.644] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x9b9aa8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0027.644] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="iphlpsvc", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0027.644] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="iphlpsvc", cchWideChar=8, lpMultiByteStr=0x9b9aa8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="iphlpsvc", lpUsedDefaultChar=0x0) returned 8 [0027.644] OpenServiceW (hSCManager=0x421ba8, lpServiceName="iphlpsvc", dwDesiredAccess=0x1) returned 0x421c98 [0027.644] CloseServiceHandle (hSCObject=0x421d38) returned 1 [0027.644] QueryServiceConfigW (in: hService=0x421c98, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0027.644] GetLastError () returned 0x7a [0027.644] QueryServiceConfigW (in: hService=0x421c98, lpServiceConfig=0x9b3558, cbBufSize=0x122, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0027.644] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.644] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x9b9af0, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0027.644] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="keyiso", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0027.644] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="keyiso", cchWideChar=6, lpMultiByteStr=0x9b9af0, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="keyiso", lpUsedDefaultChar=0x0) returned 6 [0027.644] OpenServiceW (hSCManager=0x421ba8, lpServiceName="KeyIso", dwDesiredAccess=0x1) returned 0x421d88 [0027.644] CloseServiceHandle (hSCObject=0x421c98) returned 1 [0027.645] QueryServiceConfigW (in: hService=0x421d88, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0027.645] GetLastError () returned 0x7a [0027.645] QueryServiceConfigW (in: hService=0x421d88, lpServiceConfig=0x9b3558, cbBufSize=0xec, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0027.645] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="lsass.exe", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0027.645] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="lsass.exe", cchWideChar=9, lpMultiByteStr=0x9b9b38, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="lsass.exe", lpUsedDefaultChar=0x0) returned 9 [0027.645] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ktmrm", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0027.645] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ktmrm", cchWideChar=5, lpMultiByteStr=0x9b9b38, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ktmrm", lpUsedDefaultChar=0x0) returned 5 [0027.645] OpenServiceW (hSCManager=0x421ba8, lpServiceName="KtmRm", dwDesiredAccess=0x1) returned 0x421c70 [0027.645] CloseServiceHandle (hSCObject=0x421d88) returned 1 [0027.645] QueryServiceConfigW (in: hService=0x421c70, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0027.645] GetLastError () returned 0x7a [0027.645] QueryServiceConfigW (in: hService=0x421c70, lpServiceConfig=0x9b3558, cbBufSize=0x19c, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0027.646] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.646] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x9b9b80, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0027.646] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="lanmanserver", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0027.646] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="lanmanserver", cchWideChar=12, lpMultiByteStr=0x9b9b80, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="lanmanserver", lpUsedDefaultChar=0x0) returned 12 [0027.646] OpenServiceW (hSCManager=0x421ba8, lpServiceName="LanmanServer", dwDesiredAccess=0x1) returned 0x421d38 [0027.646] CloseServiceHandle (hSCObject=0x421c70) returned 1 [0027.646] QueryServiceConfigW (in: hService=0x421d38, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0027.646] GetLastError () returned 0x7a [0027.646] QueryServiceConfigW (in: hService=0x421d38, lpServiceConfig=0x9b3558, cbBufSize=0xf8, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0027.647] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0027.647] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x9b9bc8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0027.647] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="lanmanworkstation", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0027.647] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="lanmanworkstation", cchWideChar=17, lpMultiByteStr=0x9b9bc8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="lanmanworkstation", lpUsedDefaultChar=0x0) returned 17 [0027.647] OpenServiceW (hSCManager=0x421ba8, lpServiceName="LanmanWorkstation", dwDesiredAccess=0x1) returned 0x421c98 [0028.264] CloseServiceHandle (hSCObject=0x421d38) returned 1 [0028.265] QueryServiceConfigW (in: hService=0x421c98, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0028.265] GetLastError () returned 0x7a [0028.265] QueryServiceConfigW (in: hService=0x421c98, lpServiceConfig=0x9b3558, cbBufSize=0x174, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0028.265] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0028.265] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x9b9c10, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0028.265] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="lltdsvc", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0028.265] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="lltdsvc", cchWideChar=7, lpMultiByteStr=0x9b9c10, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="lltdsvc", lpUsedDefaultChar=0x0) returned 7 [0028.265] OpenServiceW (hSCManager=0x421ba8, lpServiceName="lltdsvc", dwDesiredAccess=0x1) returned 0x421d88 [0028.266] CloseServiceHandle (hSCObject=0x421c98) returned 1 [0028.266] QueryServiceConfigW (in: hService=0x421d88, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0028.266] GetLastError () returned 0x7a [0028.266] QueryServiceConfigW (in: hService=0x421d88, lpServiceConfig=0x9b3558, cbBufSize=0x160, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0028.266] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0028.266] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x9b9c58, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0028.266] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="lmhosts", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0028.266] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="lmhosts", cchWideChar=7, lpMultiByteStr=0x9b9c58, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="lmhosts", lpUsedDefaultChar=0x0) returned 7 [0028.266] OpenServiceW (hSCManager=0x421ba8, lpServiceName="lmhosts", dwDesiredAccess=0x1) returned 0x421c70 [0028.266] CloseServiceHandle (hSCObject=0x421d88) returned 1 [0028.267] QueryServiceConfigW (in: hService=0x421c70, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0028.267] GetLastError () returned 0x7a [0028.267] QueryServiceConfigW (in: hService=0x421c70, lpServiceConfig=0x9b3558, cbBufSize=0x164, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0028.267] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0028.267] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x9b9ca0, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0028.267] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mcx2svc", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0028.267] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mcx2svc", cchWideChar=7, lpMultiByteStr=0x9b9ca0, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mcx2svc", lpUsedDefaultChar=0x0) returned 7 [0028.267] OpenServiceW (hSCManager=0x421ba8, lpServiceName="Mcx2Svc", dwDesiredAccess=0x1) returned 0x421d38 [0028.267] CloseServiceHandle (hSCObject=0x421c70) returned 1 [0028.267] QueryServiceConfigW (in: hService=0x421d38, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0028.267] GetLastError () returned 0x7a [0028.267] QueryServiceConfigW (in: hService=0x421d38, lpServiceConfig=0x9b3558, cbBufSize=0x1a8, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0028.268] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0028.268] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x9b9ce8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0028.268] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="microsoft sharepoint workspace audit service", cchWideChar=44, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 44 [0028.268] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="microsoft sharepoint workspace audit service", cchWideChar=44, lpMultiByteStr=0x9b9ce8, cbMultiByte=44, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="microsoft sharepoint workspace audit service", lpUsedDefaultChar=0x0) returned 44 [0028.268] OpenServiceW (hSCManager=0x421ba8, lpServiceName="Microsoft SharePoint Workspace Audit Service", dwDesiredAccess=0x1) returned 0x421c98 [0028.268] CloseServiceHandle (hSCObject=0x421d38) returned 1 [0028.268] QueryServiceConfigW (in: hService=0x421c98, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0028.268] GetLastError () returned 0x7a [0028.268] QueryServiceConfigW (in: hService=0x421c98, lpServiceConfig=0x9b3558, cbBufSize=0x184, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0028.268] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="groove.exe", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0028.268] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="groove.exe", cchWideChar=10, lpMultiByteStr=0x9b9d30, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="groove.exe", lpUsedDefaultChar=0x0) returned 10 [0028.268] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mmcss", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0028.268] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mmcss", cchWideChar=5, lpMultiByteStr=0x9b9d30, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mmcss", lpUsedDefaultChar=0x0) returned 5 [0028.269] OpenServiceW (hSCManager=0x421ba8, lpServiceName="MMCSS", dwDesiredAccess=0x1) returned 0x421d88 [0028.269] CloseServiceHandle (hSCObject=0x421c98) returned 1 [0028.269] QueryServiceConfigW (in: hService=0x421d88, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0028.269] GetLastError () returned 0x7a [0028.269] QueryServiceConfigW (in: hService=0x421d88, lpServiceConfig=0x9b3558, cbBufSize=0x10e, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0028.269] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0028.269] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x9b9d78, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0028.269] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mozillamaintenance", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0028.269] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mozillamaintenance", cchWideChar=18, lpMultiByteStr=0x9b9d78, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mozillamaintenance", lpUsedDefaultChar=0x0) returned 18 [0028.269] OpenServiceW (hSCManager=0x421ba8, lpServiceName="MozillaMaintenance", dwDesiredAccess=0x1) returned 0x421c70 [0028.269] CloseServiceHandle (hSCObject=0x421d88) returned 1 [0028.269] QueryServiceConfigW (in: hService=0x421c70, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0028.270] GetLastError () returned 0x7a [0028.270] QueryServiceConfigW (in: hService=0x421c70, lpServiceConfig=0x9b3558, cbBufSize=0x152, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0028.270] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="maintenanceservice.exe", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0028.270] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="maintenanceservice.exe", cchWideChar=22, lpMultiByteStr=0x9b9dc0, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="maintenanceservice.exe", lpUsedDefaultChar=0x0) returned 22 [0028.270] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mpssvc", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0028.270] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mpssvc", cchWideChar=6, lpMultiByteStr=0x9b9dc0, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mpssvc", lpUsedDefaultChar=0x0) returned 6 [0028.270] OpenServiceW (hSCManager=0x421ba8, lpServiceName="MpsSvc", dwDesiredAccess=0x1) returned 0x421d38 [0028.270] CloseServiceHandle (hSCObject=0x421c70) returned 1 [0028.270] QueryServiceConfigW (in: hService=0x421d38, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0028.270] GetLastError () returned 0x7a [0028.270] QueryServiceConfigW (in: hService=0x421d38, lpServiceConfig=0x9b3558, cbBufSize=0x164, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0028.271] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0028.271] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x9b9e08, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0028.271] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="msdtc", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0028.271] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="msdtc", cchWideChar=5, lpMultiByteStr=0x9b9e08, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msdtc", lpUsedDefaultChar=0x0) returned 5 [0028.271] OpenServiceW (hSCManager=0x421ba8, lpServiceName="MSDTC", dwDesiredAccess=0x1) returned 0x421c98 [0028.271] CloseServiceHandle (hSCObject=0x421d38) returned 1 [0028.271] QueryServiceConfigW (in: hService=0x421c98, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0028.271] GetLastError () returned 0x7a [0028.271] QueryServiceConfigW (in: hService=0x421c98, lpServiceConfig=0x9b3558, cbBufSize=0x13c, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0028.271] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="msdtc.exe", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0028.271] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="msdtc.exe", cchWideChar=9, lpMultiByteStr=0x9b9e50, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msdtc.exe", lpUsedDefaultChar=0x0) returned 9 [0028.271] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="msiscsi", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0028.271] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="msiscsi", cchWideChar=7, lpMultiByteStr=0x9b9e50, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msiscsi", lpUsedDefaultChar=0x0) returned 7 [0028.271] OpenServiceW (hSCManager=0x421ba8, lpServiceName="MSiSCSI", dwDesiredAccess=0x1) returned 0x421d88 [0028.272] CloseServiceHandle (hSCObject=0x421c98) returned 1 [0028.272] QueryServiceConfigW (in: hService=0x421d88, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0028.272] GetLastError () returned 0x7a [0028.272] QueryServiceConfigW (in: hService=0x421d88, lpServiceConfig=0x9b3558, cbBufSize=0x126, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0028.272] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0028.272] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x9b9e98, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0028.272] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="msiserver", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0028.272] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="msiserver", cchWideChar=9, lpMultiByteStr=0x9b9e98, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msiserver", lpUsedDefaultChar=0x0) returned 9 [0028.272] OpenServiceW (hSCManager=0x421ba8, lpServiceName="msiserver", dwDesiredAccess=0x1) returned 0x421c70 [0028.272] CloseServiceHandle (hSCObject=0x421d88) returned 1 [0028.272] QueryServiceConfigW (in: hService=0x421c70, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0028.272] GetLastError () returned 0x7a [0028.272] QueryServiceConfigW (in: hService=0x421c70, lpServiceConfig=0x9b3558, cbBufSize=0xf6, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0028.273] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="msiexec.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0028.273] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="msiexec.exe", cchWideChar=11, lpMultiByteStr=0x9b9ee0, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msiexec.exe", lpUsedDefaultChar=0x0) returned 11 [0028.273] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="napagent", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0028.273] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="napagent", cchWideChar=8, lpMultiByteStr=0x9b9ee0, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="napagent", lpUsedDefaultChar=0x0) returned 8 [0028.273] OpenServiceW (hSCManager=0x421ba8, lpServiceName="napagent", dwDesiredAccess=0x1) returned 0x421d38 [0028.273] CloseServiceHandle (hSCObject=0x421c70) returned 1 [0028.273] QueryServiceConfigW (in: hService=0x421d38, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0028.273] GetLastError () returned 0x7a [0028.273] QueryServiceConfigW (in: hService=0x421d38, lpServiceConfig=0x9b3558, cbBufSize=0x150, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0028.273] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0028.273] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x9b9f28, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0028.273] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="netlogon", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0028.273] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="netlogon", cchWideChar=8, lpMultiByteStr=0x9b9f28, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="netlogon", lpUsedDefaultChar=0x0) returned 8 [0028.274] OpenServiceW (hSCManager=0x421ba8, lpServiceName="Netlogon", dwDesiredAccess=0x1) returned 0x421c98 [0028.274] CloseServiceHandle (hSCObject=0x421d38) returned 1 [0028.274] QueryServiceConfigW (in: hService=0x421c98, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0028.274] GetLastError () returned 0x7a [0028.274] QueryServiceConfigW (in: hService=0x421c98, lpServiceConfig=0x9b3558, cbBufSize=0x126, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0028.274] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="lsass.exe", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0028.274] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="lsass.exe", cchWideChar=9, lpMultiByteStr=0x9b9f70, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="lsass.exe", lpUsedDefaultChar=0x0) returned 9 [0028.274] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="netman", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0028.274] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="netman", cchWideChar=6, lpMultiByteStr=0x9b9f70, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="netman", lpUsedDefaultChar=0x0) returned 6 [0028.274] OpenServiceW (hSCManager=0x421ba8, lpServiceName="Netman", dwDesiredAccess=0x1) returned 0x421d88 [0028.280] CloseServiceHandle (hSCObject=0x421c98) returned 1 [0028.280] QueryServiceConfigW (in: hService=0x421d88, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0028.280] GetLastError () returned 0x7a [0028.280] QueryServiceConfigW (in: hService=0x421d88, lpServiceConfig=0x9b3558, cbBufSize=0x13c, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0028.280] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0028.280] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x9b9fb8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0028.280] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="netmsmqactivator", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0028.280] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="netmsmqactivator", cchWideChar=16, lpMultiByteStr=0x9b9fb8, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="netmsmqactivator", lpUsedDefaultChar=0x0) returned 16 [0028.280] OpenServiceW (hSCManager=0x421ba8, lpServiceName="NetMsmqActivator", dwDesiredAccess=0x1) returned 0x421c70 [0028.280] CloseServiceHandle (hSCObject=0x421d88) returned 1 [0028.281] QueryServiceConfigW (in: hService=0x421c70, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0028.281] GetLastError () returned 0x7a [0028.281] QueryServiceConfigW (in: hService=0x421c70, lpServiceConfig=0x9b3558, cbBufSize=0x18a, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0028.281] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="smsvchost.exe", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0028.281] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="smsvchost.exe", cchWideChar=13, lpMultiByteStr=0x9b9fb8, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="smsvchost.exe", lpUsedDefaultChar=0x0) returned 13 [0028.281] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="netpipeactivator", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0028.281] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="netpipeactivator", cchWideChar=16, lpMultiByteStr=0xa433d0, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="netpipeactivator", lpUsedDefaultChar=0x0) returned 16 [0028.281] OpenServiceW (hSCManager=0x421ba8, lpServiceName="NetPipeActivator", dwDesiredAccess=0x1) returned 0x421d38 [0028.281] CloseServiceHandle (hSCObject=0x421c70) returned 1 [0028.281] QueryServiceConfigW (in: hService=0x421d38, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0028.281] GetLastError () returned 0x7a [0028.281] QueryServiceConfigW (in: hService=0x421d38, lpServiceConfig=0x9b3558, cbBufSize=0x154, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0028.282] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="smsvchost.exe", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0028.282] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="smsvchost.exe", cchWideChar=13, lpMultiByteStr=0xa433d0, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="smsvchost.exe", lpUsedDefaultChar=0x0) returned 13 [0028.282] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="netprofm", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0028.282] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="netprofm", cchWideChar=8, lpMultiByteStr=0xa43418, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="netprofm", lpUsedDefaultChar=0x0) returned 8 [0028.282] OpenServiceW (hSCManager=0x421ba8, lpServiceName="netprofm", dwDesiredAccess=0x1) returned 0x421c98 [0028.282] CloseServiceHandle (hSCObject=0x421d38) returned 1 [0028.282] QueryServiceConfigW (in: hService=0x421c98, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0028.282] GetLastError () returned 0x7a [0028.282] QueryServiceConfigW (in: hService=0x421c98, lpServiceConfig=0x9b3558, cbBufSize=0x140, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0028.282] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0028.282] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xa43460, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0028.282] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="nettcpactivator", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0028.282] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="nettcpactivator", cchWideChar=15, lpMultiByteStr=0xa43460, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="nettcpactivator", lpUsedDefaultChar=0x0) returned 15 [0028.282] OpenServiceW (hSCManager=0x421ba8, lpServiceName="NetTcpActivator", dwDesiredAccess=0x1) returned 0x421d88 [0028.283] CloseServiceHandle (hSCObject=0x421c98) returned 1 [0028.283] QueryServiceConfigW (in: hService=0x421d88, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0028.283] GetLastError () returned 0x7a [0028.283] QueryServiceConfigW (in: hService=0x421d88, lpServiceConfig=0x9b3558, cbBufSize=0x176, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0028.283] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="smsvchost.exe", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0028.283] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="smsvchost.exe", cchWideChar=13, lpMultiByteStr=0xa434a8, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="smsvchost.exe", lpUsedDefaultChar=0x0) returned 13 [0028.283] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="nettcpportsharing", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0028.283] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="nettcpportsharing", cchWideChar=17, lpMultiByteStr=0xa434a8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="nettcpportsharing", lpUsedDefaultChar=0x0) returned 17 [0028.283] OpenServiceW (hSCManager=0x421ba8, lpServiceName="NetTcpPortSharing", dwDesiredAccess=0x1) returned 0x421c70 [0028.283] CloseServiceHandle (hSCObject=0x421d88) returned 1 [0028.283] QueryServiceConfigW (in: hService=0x421c70, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0028.284] GetLastError () returned 0x7a [0028.284] QueryServiceConfigW (in: hService=0x421c70, lpServiceConfig=0x9b3558, cbBufSize=0x154, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0028.284] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="smsvchost.exe", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0028.284] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="smsvchost.exe", cchWideChar=13, lpMultiByteStr=0xa434f0, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="smsvchost.exe", lpUsedDefaultChar=0x0) returned 13 [0028.284] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="nlasvc", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0028.284] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="nlasvc", cchWideChar=6, lpMultiByteStr=0xa434f0, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="nlasvc", lpUsedDefaultChar=0x0) returned 6 [0028.284] OpenServiceW (hSCManager=0x421ba8, lpServiceName="NlaSvc", dwDesiredAccess=0x1) returned 0x421d38 [0028.284] CloseServiceHandle (hSCObject=0x421c70) returned 1 [0028.284] QueryServiceConfigW (in: hService=0x421d38, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0028.284] GetLastError () returned 0x7a [0028.284] QueryServiceConfigW (in: hService=0x421d38, lpServiceConfig=0x9b3558, cbBufSize=0x15a, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0028.285] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0028.285] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xa43538, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0028.285] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="nsi", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0028.285] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="nsi", cchWideChar=3, lpMultiByteStr=0xa43538, cbMultiByte=3, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="nsi", lpUsedDefaultChar=0x0) returned 3 [0028.285] OpenServiceW (hSCManager=0x421ba8, lpServiceName="nsi", dwDesiredAccess=0x1) returned 0x421c98 [0028.285] CloseServiceHandle (hSCObject=0x421d38) returned 1 [0028.285] QueryServiceConfigW (in: hService=0x421c98, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0028.285] GetLastError () returned 0x7a [0028.285] QueryServiceConfigW (in: hService=0x421c98, lpServiceConfig=0x9b3558, cbBufSize=0x14e, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0028.285] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0028.285] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xa43580, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0028.285] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ose64", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0028.285] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ose64", cchWideChar=5, lpMultiByteStr=0xa43580, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ose64", lpUsedDefaultChar=0x0) returned 5 [0028.285] OpenServiceW (hSCManager=0x421ba8, lpServiceName="ose64", dwDesiredAccess=0x1) returned 0x421d88 [0028.286] CloseServiceHandle (hSCObject=0x421c98) returned 1 [0028.286] QueryServiceConfigW (in: hService=0x421d88, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0028.286] GetLastError () returned 0x7a [0028.286] QueryServiceConfigW (in: hService=0x421d88, lpServiceConfig=0x9b3558, cbBufSize=0x140, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0028.286] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ose.exe", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0028.286] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ose.exe", cchWideChar=7, lpMultiByteStr=0xa435c8, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ose.exe", lpUsedDefaultChar=0x0) returned 7 [0028.286] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="osppsvc", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0028.286] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="osppsvc", cchWideChar=7, lpMultiByteStr=0xa435c8, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="osppsvc", lpUsedDefaultChar=0x0) returned 7 [0028.286] OpenServiceW (hSCManager=0x421ba8, lpServiceName="osppsvc", dwDesiredAccess=0x1) returned 0x421c70 [0028.286] CloseServiceHandle (hSCObject=0x421d88) returned 1 [0028.286] QueryServiceConfigW (in: hService=0x421c70, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0028.287] GetLastError () returned 0x7a [0028.287] QueryServiceConfigW (in: hService=0x421c70, lpServiceConfig=0x9b3558, cbBufSize=0x1b0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0028.287] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="osppsvc.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0028.287] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="osppsvc.exe", cchWideChar=11, lpMultiByteStr=0xa43610, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="osppsvc.exe", lpUsedDefaultChar=0x0) returned 11 [0028.287] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="p2pimsvc", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0028.287] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="p2pimsvc", cchWideChar=8, lpMultiByteStr=0xa43610, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="p2pimsvc", lpUsedDefaultChar=0x0) returned 8 [0028.287] OpenServiceW (hSCManager=0x421ba8, lpServiceName="p2pimsvc", dwDesiredAccess=0x1) returned 0x421d38 [0028.287] CloseServiceHandle (hSCObject=0x421c70) returned 1 [0028.287] QueryServiceConfigW (in: hService=0x421d38, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0028.287] GetLastError () returned 0x7a [0028.287] QueryServiceConfigW (in: hService=0x421d38, lpServiceConfig=0x9b3558, cbBufSize=0x14e, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0028.287] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0028.287] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xa43658, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0028.287] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="p2psvc", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0028.288] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="p2psvc", cchWideChar=6, lpMultiByteStr=0xa43658, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="p2psvc", lpUsedDefaultChar=0x0) returned 6 [0028.288] OpenServiceW (hSCManager=0x421ba8, lpServiceName="p2psvc", dwDesiredAccess=0x1) returned 0x421c98 [0028.288] CloseServiceHandle (hSCObject=0x421d38) returned 1 [0028.288] QueryServiceConfigW (in: hService=0x421c98, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0028.288] GetLastError () returned 0x7a [0028.288] QueryServiceConfigW (in: hService=0x421c98, lpServiceConfig=0x9b3558, cbBufSize=0x15e, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0028.288] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0028.288] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xa436a0, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0028.288] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="pcasvc", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0028.288] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="pcasvc", cchWideChar=6, lpMultiByteStr=0xa436a0, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="pcasvc", lpUsedDefaultChar=0x0) returned 6 [0028.288] OpenServiceW (hSCManager=0x421ba8, lpServiceName="PcaSvc", dwDesiredAccess=0x1) returned 0x421d88 [0028.288] CloseServiceHandle (hSCObject=0x421c98) returned 1 [0028.289] QueryServiceConfigW (in: hService=0x421d88, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0028.289] GetLastError () returned 0x7a [0028.289] QueryServiceConfigW (in: hService=0x421d88, lpServiceConfig=0x9b3558, cbBufSize=0x15c, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0028.289] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0028.289] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xa436e8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0028.289] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="peerdistsvc", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0028.289] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="peerdistsvc", cchWideChar=11, lpMultiByteStr=0xa436e8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="peerdistsvc", lpUsedDefaultChar=0x0) returned 11 [0028.289] OpenServiceW (hSCManager=0x421ba8, lpServiceName="PeerDistSvc", dwDesiredAccess=0x1) returned 0x421c70 [0028.289] CloseServiceHandle (hSCObject=0x421d88) returned 1 [0028.289] QueryServiceConfigW (in: hService=0x421c70, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0028.289] GetLastError () returned 0x7a [0028.289] QueryServiceConfigW (in: hService=0x421c70, lpServiceConfig=0x9b3558, cbBufSize=0x11a, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0028.290] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0028.290] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xa43730, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0028.290] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="perfhost", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0028.290] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="perfhost", cchWideChar=8, lpMultiByteStr=0xa43730, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="perfhost", lpUsedDefaultChar=0x0) returned 8 [0028.290] OpenServiceW (hSCManager=0x421ba8, lpServiceName="PerfHost", dwDesiredAccess=0x1) returned 0x421d38 [0028.290] CloseServiceHandle (hSCObject=0x421c70) returned 1 [0028.290] QueryServiceConfigW (in: hService=0x421d38, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0028.290] GetLastError () returned 0x7a [0028.290] QueryServiceConfigW (in: hService=0x421d38, lpServiceConfig=0x9b3558, cbBufSize=0x124, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0028.291] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="perfhost.exe", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0028.291] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="perfhost.exe", cchWideChar=12, lpMultiByteStr=0xa43778, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="perfhost.exe", lpUsedDefaultChar=0x0) returned 12 [0028.291] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="pla", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0028.291] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="pla", cchWideChar=3, lpMultiByteStr=0xa43778, cbMultiByte=3, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="pla", lpUsedDefaultChar=0x0) returned 3 [0028.291] OpenServiceW (hSCManager=0x421ba8, lpServiceName="pla", dwDesiredAccess=0x1) returned 0x421c98 [0028.291] CloseServiceHandle (hSCObject=0x421d38) returned 1 [0028.291] QueryServiceConfigW (in: hService=0x421c98, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0028.291] GetLastError () returned 0x7a [0028.291] QueryServiceConfigW (in: hService=0x421c98, lpServiceConfig=0x9b3558, cbBufSize=0x14e, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0028.291] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0028.291] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xa437c0, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0028.291] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="plugplay", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0028.291] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="plugplay", cchWideChar=8, lpMultiByteStr=0xa437c0, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="plugplay", lpUsedDefaultChar=0x0) returned 8 [0028.291] OpenServiceW (hSCManager=0x421ba8, lpServiceName="PlugPlay", dwDesiredAccess=0x1) returned 0x421d88 [0028.292] CloseServiceHandle (hSCObject=0x421c98) returned 1 [0028.292] QueryServiceConfigW (in: hService=0x421d88, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0028.292] GetLastError () returned 0x7a [0028.292] QueryServiceConfigW (in: hService=0x421d88, lpServiceConfig=0x9b3558, cbBufSize=0x10a, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0028.292] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0028.292] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xa43808, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0028.292] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="pnrpautoreg", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0028.292] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="pnrpautoreg", cchWideChar=11, lpMultiByteStr=0xa43808, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="pnrpautoreg", lpUsedDefaultChar=0x0) returned 11 [0028.292] OpenServiceW (hSCManager=0x421ba8, lpServiceName="PNRPAutoReg", dwDesiredAccess=0x1) returned 0x421c70 [0028.292] CloseServiceHandle (hSCObject=0x421d88) returned 1 [0028.292] QueryServiceConfigW (in: hService=0x421c70, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0028.292] GetLastError () returned 0x7a [0028.292] QueryServiceConfigW (in: hService=0x421c70, lpServiceConfig=0x9b3558, cbBufSize=0x166, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0028.293] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0028.293] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xa43850, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0028.293] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="pnrpsvc", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0028.293] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="pnrpsvc", cchWideChar=7, lpMultiByteStr=0xa43850, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="pnrpsvc", lpUsedDefaultChar=0x0) returned 7 [0028.293] OpenServiceW (hSCManager=0x421ba8, lpServiceName="PNRPsvc", dwDesiredAccess=0x1) returned 0x421d38 [0028.293] CloseServiceHandle (hSCObject=0x421c70) returned 1 [0028.293] QueryServiceConfigW (in: hService=0x421d38, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0028.293] GetLastError () returned 0x7a [0028.293] QueryServiceConfigW (in: hService=0x421d38, lpServiceConfig=0x9b3558, cbBufSize=0x158, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0028.293] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0028.293] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xa43898, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0028.294] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="policyagent", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0028.294] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="policyagent", cchWideChar=11, lpMultiByteStr=0xa43898, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="policyagent", lpUsedDefaultChar=0x0) returned 11 [0028.294] OpenServiceW (hSCManager=0x421ba8, lpServiceName="PolicyAgent", dwDesiredAccess=0x1) returned 0x421c98 [0028.294] CloseServiceHandle (hSCObject=0x421d38) returned 1 [0028.294] QueryServiceConfigW (in: hService=0x421c98, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0028.294] GetLastError () returned 0x7a [0028.294] QueryServiceConfigW (in: hService=0x421c98, lpServiceConfig=0x9b3558, cbBufSize=0x160, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0028.294] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0028.294] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xa438e0, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0028.294] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="power", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0028.294] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="power", cchWideChar=5, lpMultiByteStr=0xa438e0, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="power", lpUsedDefaultChar=0x0) returned 5 [0028.294] OpenServiceW (hSCManager=0x421ba8, lpServiceName="Power", dwDesiredAccess=0x1) returned 0x421d88 [0028.294] CloseServiceHandle (hSCObject=0x421c98) returned 1 [0028.295] QueryServiceConfigW (in: hService=0x421d88, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0028.295] GetLastError () returned 0x7a [0028.295] QueryServiceConfigW (in: hService=0x421d88, lpServiceConfig=0x9b3558, cbBufSize=0xfa, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0028.295] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0028.295] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xa43928, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0028.295] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="profsvc", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0028.295] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="profsvc", cchWideChar=7, lpMultiByteStr=0xa43928, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="profsvc", lpUsedDefaultChar=0x0) returned 7 [0028.295] OpenServiceW (hSCManager=0x421ba8, lpServiceName="ProfSvc", dwDesiredAccess=0x1) returned 0x421c70 [0028.295] CloseServiceHandle (hSCObject=0x421d88) returned 1 [0028.295] QueryServiceConfigW (in: hService=0x421c70, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0028.295] GetLastError () returned 0x7a [0028.295] QueryServiceConfigW (in: hService=0x421c70, lpServiceConfig=0x9b3558, cbBufSize=0x126, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0028.296] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0028.296] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xa43970, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0028.296] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="protectedstorage", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0028.296] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="protectedstorage", cchWideChar=16, lpMultiByteStr=0xa43970, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="protectedstorage", lpUsedDefaultChar=0x0) returned 16 [0028.296] OpenServiceW (hSCManager=0x421ba8, lpServiceName="ProtectedStorage", dwDesiredAccess=0x1) returned 0x421d38 [0028.296] CloseServiceHandle (hSCObject=0x421c70) returned 1 [0028.296] QueryServiceConfigW (in: hService=0x421d38, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0028.296] GetLastError () returned 0x7a [0028.296] QueryServiceConfigW (in: hService=0x421d38, lpServiceConfig=0x9b3558, cbBufSize=0xec, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0028.296] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="lsass.exe", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0028.296] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="lsass.exe", cchWideChar=9, lpMultiByteStr=0xa439b8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="lsass.exe", lpUsedDefaultChar=0x0) returned 9 [0028.296] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="qwave", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0028.297] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="qwave", cchWideChar=5, lpMultiByteStr=0xa439b8, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="qwave", lpUsedDefaultChar=0x0) returned 5 [0028.297] OpenServiceW (hSCManager=0x421ba8, lpServiceName="QWAVE", dwDesiredAccess=0x1) returned 0x421c98 [0028.297] CloseServiceHandle (hSCObject=0x421d38) returned 1 [0028.297] QueryServiceConfigW (in: hService=0x421c98, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0028.297] GetLastError () returned 0x7a [0028.297] QueryServiceConfigW (in: hService=0x421c98, lpServiceConfig=0x9b3558, cbBufSize=0x1a8, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0028.297] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0028.297] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xa43a00, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0028.297] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="rasauto", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0028.297] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="rasauto", cchWideChar=7, lpMultiByteStr=0xa43a00, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="rasauto", lpUsedDefaultChar=0x0) returned 7 [0028.297] OpenServiceW (hSCManager=0x421ba8, lpServiceName="RasAuto", dwDesiredAccess=0x1) returned 0x421d88 [0028.297] CloseServiceHandle (hSCObject=0x421c98) returned 1 [0028.298] QueryServiceConfigW (in: hService=0x421d88, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0028.298] GetLastError () returned 0x7a [0028.298] QueryServiceConfigW (in: hService=0x421d88, lpServiceConfig=0x9b3558, cbBufSize=0x14e, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0028.298] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0028.298] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xa43a48, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0028.298] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="rasman", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0028.298] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="rasman", cchWideChar=6, lpMultiByteStr=0xa43a48, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="rasman", lpUsedDefaultChar=0x0) returned 6 [0028.298] OpenServiceW (hSCManager=0x421ba8, lpServiceName="RasMan", dwDesiredAccess=0x1) returned 0x421c70 [0028.300] CloseServiceHandle (hSCObject=0x421d88) returned 1 [0028.300] QueryServiceConfigW (in: hService=0x421c70, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0028.300] GetLastError () returned 0x7a [0028.300] QueryServiceConfigW (in: hService=0x421c70, lpServiceConfig=0x9b3558, cbBufSize=0x138, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0028.300] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0028.300] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xa43a90, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0028.300] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="remoteaccess", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0028.300] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="remoteaccess", cchWideChar=12, lpMultiByteStr=0xa43a90, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="remoteaccess", lpUsedDefaultChar=0x0) returned 12 [0028.300] OpenServiceW (hSCManager=0x421ba8, lpServiceName="RemoteAccess", dwDesiredAccess=0x1) returned 0x421d38 [0028.300] CloseServiceHandle (hSCObject=0x421c70) returned 1 [0028.300] QueryServiceConfigW (in: hService=0x421d38, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0028.301] GetLastError () returned 0x7a [0028.301] QueryServiceConfigW (in: hService=0x421d38, lpServiceConfig=0x9b3558, cbBufSize=0x152, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0028.301] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0028.301] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xa43ad8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0028.301] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="remoteregistry", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0028.301] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="remoteregistry", cchWideChar=14, lpMultiByteStr=0xa43ad8, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="remoteregistry", lpUsedDefaultChar=0x0) returned 14 [0028.301] OpenServiceW (hSCManager=0x421ba8, lpServiceName="RemoteRegistry", dwDesiredAccess=0x1) returned 0x421c98 [0028.301] CloseServiceHandle (hSCObject=0x421d38) returned 1 [0028.301] QueryServiceConfigW (in: hService=0x421c98, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0028.301] GetLastError () returned 0x7a [0028.301] QueryServiceConfigW (in: hService=0x421c98, lpServiceConfig=0x9b3558, cbBufSize=0x11c, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0028.302] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0028.302] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xa43b20, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0028.302] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="rpceptmapper", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0028.302] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="rpceptmapper", cchWideChar=12, lpMultiByteStr=0xa43b20, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="rpceptmapper", lpUsedDefaultChar=0x0) returned 12 [0028.302] OpenServiceW (hSCManager=0x421ba8, lpServiceName="RpcEptMapper", dwDesiredAccess=0x1) returned 0x421d88 [0028.302] CloseServiceHandle (hSCObject=0x421c98) returned 1 [0028.302] QueryServiceConfigW (in: hService=0x421d88, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0028.302] GetLastError () returned 0x7a [0028.302] QueryServiceConfigW (in: hService=0x421d88, lpServiceConfig=0x9b3558, cbBufSize=0x140, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0028.302] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0028.302] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xa43b68, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0028.302] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="rpclocator", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0028.302] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="rpclocator", cchWideChar=10, lpMultiByteStr=0xa43b68, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="rpclocator", lpUsedDefaultChar=0x0) returned 10 [0028.302] OpenServiceW (hSCManager=0x421ba8, lpServiceName="RpcLocator", dwDesiredAccess=0x1) returned 0x421c70 [0028.303] CloseServiceHandle (hSCObject=0x421d88) returned 1 [0028.303] QueryServiceConfigW (in: hService=0x421c70, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0028.303] GetLastError () returned 0x7a [0028.303] QueryServiceConfigW (in: hService=0x421c70, lpServiceConfig=0x9b3558, cbBufSize=0x12a, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0028.303] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="locator.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0028.303] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="locator.exe", cchWideChar=11, lpMultiByteStr=0xa43bb0, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="locator.exe", lpUsedDefaultChar=0x0) returned 11 [0028.303] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="rpcss", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0028.303] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="rpcss", cchWideChar=5, lpMultiByteStr=0xa43bb0, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="rpcss", lpUsedDefaultChar=0x0) returned 5 [0028.303] OpenServiceW (hSCManager=0x421ba8, lpServiceName="RpcSs", dwDesiredAccess=0x1) returned 0x421d38 [0028.303] CloseServiceHandle (hSCObject=0x421c70) returned 1 [0028.303] QueryServiceConfigW (in: hService=0x421d38, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0028.304] GetLastError () returned 0x7a [0028.304] QueryServiceConfigW (in: hService=0x421d38, lpServiceConfig=0x9b3558, cbBufSize=0x17e, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0028.304] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0028.304] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xa43bf8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0028.304] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="samss", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0028.304] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="samss", cchWideChar=5, lpMultiByteStr=0xa43bf8, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="samss", lpUsedDefaultChar=0x0) returned 5 [0028.304] OpenServiceW (hSCManager=0x421ba8, lpServiceName="SamSs", dwDesiredAccess=0x1) returned 0x421c98 [0028.304] CloseServiceHandle (hSCObject=0x421d38) returned 1 [0028.304] QueryServiceConfigW (in: hService=0x421c98, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0028.305] GetLastError () returned 0x7a [0028.305] QueryServiceConfigW (in: hService=0x421c98, lpServiceConfig=0x9b3558, cbBufSize=0x12e, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0028.305] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="lsass.exe", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0028.305] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="lsass.exe", cchWideChar=9, lpMultiByteStr=0xa43c40, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="lsass.exe", lpUsedDefaultChar=0x0) returned 9 [0028.305] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="scardsvr", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0028.305] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="scardsvr", cchWideChar=8, lpMultiByteStr=0xa43c40, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="scardsvr", lpUsedDefaultChar=0x0) returned 8 [0028.305] OpenServiceW (hSCManager=0x421ba8, lpServiceName="SCardSvr", dwDesiredAccess=0x1) returned 0x421d88 [0028.305] CloseServiceHandle (hSCObject=0x421c98) returned 1 [0028.305] QueryServiceConfigW (in: hService=0x421d88, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0028.305] GetLastError () returned 0x7a [0028.305] QueryServiceConfigW (in: hService=0x421d88, lpServiceConfig=0x9b3558, cbBufSize=0x164, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0028.305] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0028.306] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xa43c88, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0028.306] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="schedule", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0028.306] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="schedule", cchWideChar=8, lpMultiByteStr=0xa43c88, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="schedule", lpUsedDefaultChar=0x0) returned 8 [0028.306] OpenServiceW (hSCManager=0x421ba8, lpServiceName="Schedule", dwDesiredAccess=0x1) returned 0x421c70 [0028.306] CloseServiceHandle (hSCObject=0x421d88) returned 1 [0028.306] QueryServiceConfigW (in: hService=0x421c70, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0028.306] GetLastError () returned 0x7a [0028.306] QueryServiceConfigW (in: hService=0x421c70, lpServiceConfig=0x9b3558, cbBufSize=0x12e, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0028.306] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0028.306] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xa43cd0, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0028.306] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="scpolicysvc", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0028.307] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="scpolicysvc", cchWideChar=11, lpMultiByteStr=0xa43cd0, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="scpolicysvc", lpUsedDefaultChar=0x0) returned 11 [0028.307] OpenServiceW (hSCManager=0x421ba8, lpServiceName="SCPolicySvc", dwDesiredAccess=0x1) returned 0x421d38 [0028.307] CloseServiceHandle (hSCObject=0x421c70) returned 1 [0028.307] QueryServiceConfigW (in: hService=0x421d38, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0028.307] GetLastError () returned 0x7a [0028.307] QueryServiceConfigW (in: hService=0x421d38, lpServiceConfig=0x9b3558, cbBufSize=0x116, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0028.307] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0028.307] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xa43d18, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0028.307] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="sdrsvc", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0028.307] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="sdrsvc", cchWideChar=6, lpMultiByteStr=0xa43d18, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="sdrsvc", lpUsedDefaultChar=0x0) returned 6 [0028.307] OpenServiceW (hSCManager=0x421ba8, lpServiceName="SDRSVC", dwDesiredAccess=0x1) returned 0x421c98 [0028.307] CloseServiceHandle (hSCObject=0x421d38) returned 1 [0028.308] QueryServiceConfigW (in: hService=0x421c98, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0028.308] GetLastError () returned 0x7a [0028.308] QueryServiceConfigW (in: hService=0x421c98, lpServiceConfig=0x9b3558, cbBufSize=0xfe, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0028.308] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0028.308] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xa43d60, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0028.308] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="seclogon", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0028.308] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="seclogon", cchWideChar=8, lpMultiByteStr=0xa43d60, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="seclogon", lpUsedDefaultChar=0x0) returned 8 [0028.308] OpenServiceW (hSCManager=0x421ba8, lpServiceName="seclogon", dwDesiredAccess=0x1) returned 0x421d88 [0028.308] CloseServiceHandle (hSCObject=0x421c98) returned 1 [0028.308] QueryServiceConfigW (in: hService=0x421d88, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0028.308] GetLastError () returned 0x7a [0028.309] QueryServiceConfigW (in: hService=0x421d88, lpServiceConfig=0x9b3558, cbBufSize=0xf8, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0028.309] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0028.309] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xa43da8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0028.309] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="sens", cchWideChar=4, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 4 [0028.309] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="sens", cchWideChar=4, lpMultiByteStr=0xa43da8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="sens", lpUsedDefaultChar=0x0) returned 4 [0028.309] OpenServiceW (hSCManager=0x421ba8, lpServiceName="SENS", dwDesiredAccess=0x1) returned 0x421c70 [0028.309] CloseServiceHandle (hSCObject=0x421d88) returned 1 [0028.309] QueryServiceConfigW (in: hService=0x421c70, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0028.309] GetLastError () returned 0x7a [0028.309] QueryServiceConfigW (in: hService=0x421c70, lpServiceConfig=0x9b3558, cbBufSize=0x14c, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0028.309] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0028.309] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xa43df0, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0028.310] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="sensrsvc", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0028.310] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="sensrsvc", cchWideChar=8, lpMultiByteStr=0xa43df0, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="sensrsvc", lpUsedDefaultChar=0x0) returned 8 [0028.310] OpenServiceW (hSCManager=0x421ba8, lpServiceName="SensrSvc", dwDesiredAccess=0x1) returned 0x421d38 [0028.310] CloseServiceHandle (hSCObject=0x421c70) returned 1 [0028.310] QueryServiceConfigW (in: hService=0x421d38, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0028.310] GetLastError () returned 0x7a [0028.310] QueryServiceConfigW (in: hService=0x421d38, lpServiceConfig=0x9b3558, cbBufSize=0x14a, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0028.310] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0028.310] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xa43e38, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0028.310] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="sessionenv", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0028.310] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="sessionenv", cchWideChar=10, lpMultiByteStr=0xa43e38, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="sessionenv", lpUsedDefaultChar=0x0) returned 10 [0028.310] OpenServiceW (hSCManager=0x421ba8, lpServiceName="SessionEnv", dwDesiredAccess=0x1) returned 0x421c98 [0028.310] CloseServiceHandle (hSCObject=0x421d38) returned 1 [0028.311] QueryServiceConfigW (in: hService=0x421c98, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0028.311] GetLastError () returned 0x7a [0028.311] QueryServiceConfigW (in: hService=0x421c98, lpServiceConfig=0x9b3558, cbBufSize=0x140, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0028.311] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0028.311] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xa43e80, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0028.311] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="sharedaccess", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0028.311] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="sharedaccess", cchWideChar=12, lpMultiByteStr=0xa43e80, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="sharedaccess", lpUsedDefaultChar=0x0) returned 12 [0028.311] OpenServiceW (hSCManager=0x421ba8, lpServiceName="SharedAccess", dwDesiredAccess=0x1) returned 0x421d88 [0028.311] CloseServiceHandle (hSCObject=0x421c98) returned 1 [0028.311] QueryServiceConfigW (in: hService=0x421d88, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0028.311] GetLastError () returned 0x7a [0028.311] QueryServiceConfigW (in: hService=0x421d88, lpServiceConfig=0x9b3558, cbBufSize=0x14e, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0028.312] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0028.312] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xa43ec8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0028.312] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="shellhwdetection", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0028.312] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="shellhwdetection", cchWideChar=16, lpMultiByteStr=0xa43ec8, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="shellhwdetection", lpUsedDefaultChar=0x0) returned 16 [0028.312] OpenServiceW (hSCManager=0x421ba8, lpServiceName="ShellHWDetection", dwDesiredAccess=0x1) returned 0x421c70 [0028.312] CloseServiceHandle (hSCObject=0x421d88) returned 1 [0028.312] QueryServiceConfigW (in: hService=0x421c70, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0028.312] GetLastError () returned 0x7a [0028.312] QueryServiceConfigW (in: hService=0x421c70, lpServiceConfig=0x9b3558, cbBufSize=0x12e, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0028.312] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0028.312] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xa43f10, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0028.312] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="snmptrap", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0028.313] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="snmptrap", cchWideChar=8, lpMultiByteStr=0xa43f10, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="snmptrap", lpUsedDefaultChar=0x0) returned 8 [0028.313] OpenServiceW (hSCManager=0x421ba8, lpServiceName="SNMPTRAP", dwDesiredAccess=0x1) returned 0x421d38 [0028.313] CloseServiceHandle (hSCObject=0x421c70) returned 1 [0028.313] QueryServiceConfigW (in: hService=0x421d38, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0028.313] GetLastError () returned 0x7a [0028.313] QueryServiceConfigW (in: hService=0x421d38, lpServiceConfig=0x9b3558, cbBufSize=0xf4, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0028.313] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="snmptrap.exe", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0028.313] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="snmptrap.exe", cchWideChar=12, lpMultiByteStr=0xa43f58, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="snmptrap.exe", lpUsedDefaultChar=0x0) returned 12 [0028.313] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="spooler", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0028.313] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="spooler", cchWideChar=7, lpMultiByteStr=0xa43f58, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="spooler", lpUsedDefaultChar=0x0) returned 7 [0028.313] OpenServiceW (hSCManager=0x421ba8, lpServiceName="Spooler", dwDesiredAccess=0x1) returned 0x421c98 [0028.313] CloseServiceHandle (hSCObject=0x421d38) returned 1 [0028.314] QueryServiceConfigW (in: hService=0x421c98, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0028.314] GetLastError () returned 0x7a [0028.314] QueryServiceConfigW (in: hService=0x421c98, lpServiceConfig=0x9b3558, cbBufSize=0x10a, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0028.314] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="spoolsv.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0028.314] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="spoolsv.exe", cchWideChar=11, lpMultiByteStr=0xa43fa0, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="spoolsv.exe", lpUsedDefaultChar=0x0) returned 11 [0028.314] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="sppsvc", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0028.314] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="sppsvc", cchWideChar=6, lpMultiByteStr=0xa43fa0, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="sppsvc", lpUsedDefaultChar=0x0) returned 6 [0028.314] OpenServiceW (hSCManager=0x421ba8, lpServiceName="sppsvc", dwDesiredAccess=0x1) returned 0x421d88 [0028.314] CloseServiceHandle (hSCObject=0x421c98) returned 1 [0028.314] QueryServiceConfigW (in: hService=0x421d88, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0028.314] GetLastError () returned 0x7a [0028.314] QueryServiceConfigW (in: hService=0x421d88, lpServiceConfig=0x9b3558, cbBufSize=0x112, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0028.315] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="sppsvc.exe", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0028.315] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="sppsvc.exe", cchWideChar=10, lpMultiByteStr=0xa43fe8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="sppsvc.exe", lpUsedDefaultChar=0x0) returned 10 [0028.315] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="sppuinotify", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0028.315] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="sppuinotify", cchWideChar=11, lpMultiByteStr=0xa43fe8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="sppuinotify", lpUsedDefaultChar=0x0) returned 11 [0028.315] OpenServiceW (hSCManager=0x421ba8, lpServiceName="sppuinotify", dwDesiredAccess=0x1) returned 0x421c70 [0028.315] CloseServiceHandle (hSCObject=0x421d88) returned 1 [0028.315] QueryServiceConfigW (in: hService=0x421c70, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0028.315] GetLastError () returned 0x7a [0028.315] QueryServiceConfigW (in: hService=0x421c70, lpServiceConfig=0x9b3558, cbBufSize=0x146, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0028.315] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0028.315] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xa44030, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0028.315] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ssdpsrv", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0028.315] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ssdpsrv", cchWideChar=7, lpMultiByteStr=0xa44030, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ssdpsrv", lpUsedDefaultChar=0x0) returned 7 [0028.316] OpenServiceW (hSCManager=0x421ba8, lpServiceName="SSDPSRV", dwDesiredAccess=0x1) returned 0x421d38 [0028.316] CloseServiceHandle (hSCObject=0x421c70) returned 1 [0028.316] QueryServiceConfigW (in: hService=0x421d38, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0028.316] GetLastError () returned 0x7a [0028.316] QueryServiceConfigW (in: hService=0x421d38, lpServiceConfig=0x9b3558, cbBufSize=0x148, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0028.316] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0028.316] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xa44078, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0028.316] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="sstpsvc", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0028.316] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="sstpsvc", cchWideChar=7, lpMultiByteStr=0xa44078, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="sstpsvc", lpUsedDefaultChar=0x0) returned 7 [0028.316] OpenServiceW (hSCManager=0x421ba8, lpServiceName="SstpSvc", dwDesiredAccess=0x1) returned 0x421c98 [0028.316] CloseServiceHandle (hSCObject=0x421d38) returned 1 [0028.316] QueryServiceConfigW (in: hService=0x421c98, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0028.317] GetLastError () returned 0x7a [0028.317] QueryServiceConfigW (in: hService=0x421c98, lpServiceConfig=0x9b3558, cbBufSize=0x150, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0028.324] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0028.324] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xa440c0, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0028.324] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="stisvc", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0028.324] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="stisvc", cchWideChar=6, lpMultiByteStr=0xa440c0, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="stisvc", lpUsedDefaultChar=0x0) returned 6 [0028.324] OpenServiceW (hSCManager=0x421ba8, lpServiceName="stisvc", dwDesiredAccess=0x1) returned 0x421d88 [0028.324] CloseServiceHandle (hSCObject=0x421c98) returned 1 [0028.325] QueryServiceConfigW (in: hService=0x421d88, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0028.325] GetLastError () returned 0x7a [0028.325] QueryServiceConfigW (in: hService=0x421d88, lpServiceConfig=0x9b3558, cbBufSize=0x15e, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0028.325] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0028.325] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xa44108, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0028.325] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="storsvc", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0028.325] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="storsvc", cchWideChar=7, lpMultiByteStr=0xa44108, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="storsvc", lpUsedDefaultChar=0x0) returned 7 [0028.325] OpenServiceW (hSCManager=0x421ba8, lpServiceName="StorSvc", dwDesiredAccess=0x1) returned 0x421c70 [0028.325] CloseServiceHandle (hSCObject=0x421d88) returned 1 [0028.325] QueryServiceConfigW (in: hService=0x421c70, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0028.325] GetLastError () returned 0x7a [0028.325] QueryServiceConfigW (in: hService=0x421c70, lpServiceConfig=0x9b3558, cbBufSize=0x122, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0028.326] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0028.326] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xa44150, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0028.326] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="swprv", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0028.326] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="swprv", cchWideChar=5, lpMultiByteStr=0xa44150, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="swprv", lpUsedDefaultChar=0x0) returned 5 [0028.326] OpenServiceW (hSCManager=0x421ba8, lpServiceName="swprv", dwDesiredAccess=0x1) returned 0x421d38 [0028.326] CloseServiceHandle (hSCObject=0x421c70) returned 1 [0028.326] QueryServiceConfigW (in: hService=0x421d38, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0028.326] GetLastError () returned 0x7a [0028.326] QueryServiceConfigW (in: hService=0x421d38, lpServiceConfig=0x9b3558, cbBufSize=0x12e, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0028.326] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0028.326] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xa44198, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0028.326] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="sysmain", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0028.326] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="sysmain", cchWideChar=7, lpMultiByteStr=0xa44198, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="sysmain", lpUsedDefaultChar=0x0) returned 7 [0028.326] OpenServiceW (hSCManager=0x421ba8, lpServiceName="SysMain", dwDesiredAccess=0x1) returned 0x421c98 [0028.327] CloseServiceHandle (hSCObject=0x421d38) returned 1 [0028.327] QueryServiceConfigW (in: hService=0x421c98, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0028.327] GetLastError () returned 0x7a [0028.327] QueryServiceConfigW (in: hService=0x421c98, lpServiceConfig=0x9b3558, cbBufSize=0x134, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0028.327] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0028.327] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xa441e0, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0028.327] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="tabletinputservice", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0028.327] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="tabletinputservice", cchWideChar=18, lpMultiByteStr=0xa441e0, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tabletinputservice", lpUsedDefaultChar=0x0) returned 18 [0028.327] OpenServiceW (hSCManager=0x421ba8, lpServiceName="TabletInputService", dwDesiredAccess=0x1) returned 0x421d88 [0028.327] CloseServiceHandle (hSCObject=0x421c98) returned 1 [0028.327] QueryServiceConfigW (in: hService=0x421d88, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0028.328] GetLastError () returned 0x7a [0028.328] QueryServiceConfigW (in: hService=0x421d88, lpServiceConfig=0x9b3558, cbBufSize=0x15e, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0028.328] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0028.328] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xa44228, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0028.328] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="tapisrv", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0028.328] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="tapisrv", cchWideChar=7, lpMultiByteStr=0xa44228, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tapisrv", lpUsedDefaultChar=0x0) returned 7 [0028.328] OpenServiceW (hSCManager=0x421ba8, lpServiceName="TapiSrv", dwDesiredAccess=0x1) returned 0x421c70 [0028.328] CloseServiceHandle (hSCObject=0x421d88) returned 1 [0028.328] QueryServiceConfigW (in: hService=0x421c70, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0028.328] GetLastError () returned 0x7a [0028.328] QueryServiceConfigW (in: hService=0x421c70, lpServiceConfig=0x9b3558, cbBufSize=0x136, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0028.328] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0028.329] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xa44270, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0028.329] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="tbs", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0028.329] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="tbs", cchWideChar=3, lpMultiByteStr=0xa44270, cbMultiByte=3, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tbs", lpUsedDefaultChar=0x0) returned 3 [0028.329] OpenServiceW (hSCManager=0x421ba8, lpServiceName="TBS", dwDesiredAccess=0x1) returned 0x421d38 [0028.329] CloseServiceHandle (hSCObject=0x421c70) returned 1 [0028.329] QueryServiceConfigW (in: hService=0x421d38, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0028.329] GetLastError () returned 0x7a [0028.329] QueryServiceConfigW (in: hService=0x421d38, lpServiceConfig=0x9b3558, cbBufSize=0x146, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0028.329] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0028.329] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xa442b8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0028.329] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="termservice", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0028.329] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="termservice", cchWideChar=11, lpMultiByteStr=0xa442b8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="termservice", lpUsedDefaultChar=0x0) returned 11 [0028.329] OpenServiceW (hSCManager=0x421ba8, lpServiceName="TermService", dwDesiredAccess=0x1) returned 0x421c98 [0028.329] CloseServiceHandle (hSCObject=0x421d38) returned 1 [0028.330] QueryServiceConfigW (in: hService=0x421c98, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0028.330] GetLastError () returned 0x7a [0028.330] QueryServiceConfigW (in: hService=0x421c98, lpServiceConfig=0x9b3558, cbBufSize=0x14e, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0028.330] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0028.330] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xa44300, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0028.330] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="themes", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0028.330] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="themes", cchWideChar=6, lpMultiByteStr=0xa44300, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="themes", lpUsedDefaultChar=0x0) returned 6 [0028.330] OpenServiceW (hSCManager=0x421ba8, lpServiceName="Themes", dwDesiredAccess=0x1) returned 0x421d88 [0028.330] CloseServiceHandle (hSCObject=0x421c98) returned 1 [0028.330] QueryServiceConfigW (in: hService=0x421d88, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0028.330] GetLastError () returned 0x7a [0028.330] QueryServiceConfigW (in: hService=0x421d88, lpServiceConfig=0x9b3558, cbBufSize=0x100, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0028.331] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0028.331] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xa44348, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0028.331] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="threadorder", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0028.331] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="threadorder", cchWideChar=11, lpMultiByteStr=0xa44348, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="threadorder", lpUsedDefaultChar=0x0) returned 11 [0028.331] OpenServiceW (hSCManager=0x421ba8, lpServiceName="THREADORDER", dwDesiredAccess=0x1) returned 0x421c70 [0028.331] CloseServiceHandle (hSCObject=0x421d88) returned 1 [0028.331] QueryServiceConfigW (in: hService=0x421c70, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0028.331] GetLastError () returned 0x7a [0028.331] QueryServiceConfigW (in: hService=0x421c70, lpServiceConfig=0x9b3558, cbBufSize=0x12c, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0028.331] OpenServiceW (hSCManager=0x421ba8, lpServiceName="TrkWks", dwDesiredAccess=0x1) returned 0x421d38 [0028.332] CloseServiceHandle (hSCObject=0x421c70) returned 1 [0028.332] QueryServiceConfigW (in: hService=0x421d38, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0028.332] GetLastError () returned 0x7a [0028.332] QueryServiceConfigW (in: hService=0x421d38, lpServiceConfig=0x9b3558, cbBufSize=0x14e, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0028.332] OpenServiceW (hSCManager=0x421ba8, lpServiceName="TrustedInstaller", dwDesiredAccess=0x1) returned 0x421c98 [0028.332] CloseServiceHandle (hSCObject=0x421d38) returned 1 [0028.332] QueryServiceConfigW (in: hService=0x421c98, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0028.332] GetLastError () returned 0x7a [0028.332] QueryServiceConfigW (in: hService=0x421c98, lpServiceConfig=0x9b3558, cbBufSize=0x124, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0028.333] OpenServiceW (hSCManager=0x421ba8, lpServiceName="UI0Detect", dwDesiredAccess=0x1) returned 0x421d88 [0028.333] CloseServiceHandle (hSCObject=0x421c98) returned 1 [0028.333] QueryServiceConfigW (in: hService=0x421d88, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0028.333] GetLastError () returned 0x7a [0028.333] QueryServiceConfigW (in: hService=0x421d88, lpServiceConfig=0x9b3558, cbBufSize=0x104, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0028.333] OpenServiceW (hSCManager=0x421ba8, lpServiceName="UmRdpService", dwDesiredAccess=0x1) returned 0x421c70 [0028.333] CloseServiceHandle (hSCObject=0x421d88) returned 1 [0028.333] QueryServiceConfigW (in: hService=0x421c70, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0028.334] GetLastError () returned 0x7a [0028.334] QueryServiceConfigW (in: hService=0x421c70, lpServiceConfig=0x9b3558, cbBufSize=0x186, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0028.334] OpenServiceW (hSCManager=0x421ba8, lpServiceName="upnphost", dwDesiredAccess=0x1) returned 0x421d38 [0028.334] CloseServiceHandle (hSCObject=0x421c70) returned 1 [0028.334] QueryServiceConfigW (in: hService=0x421d38, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0028.334] GetLastError () returned 0x7a [0028.334] QueryServiceConfigW (in: hService=0x421d38, lpServiceConfig=0x9b3558, cbBufSize=0x15c, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0028.334] OpenServiceW (hSCManager=0x421ba8, lpServiceName="UxSms", dwDesiredAccess=0x1) returned 0x421c98 [0028.334] CloseServiceHandle (hSCObject=0x421d38) returned 1 [0028.334] QueryServiceConfigW (in: hService=0x421c98, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0028.335] GetLastError () returned 0x7a [0028.335] QueryServiceConfigW (in: hService=0x421c98, lpServiceConfig=0x9b3558, cbBufSize=0x15e, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0028.335] OpenServiceW (hSCManager=0x421ba8, lpServiceName="VaultSvc", dwDesiredAccess=0x1) returned 0x421d88 [0028.335] CloseServiceHandle (hSCObject=0x421c98) returned 1 [0028.335] QueryServiceConfigW (in: hService=0x421d88, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0028.335] GetLastError () returned 0x7a [0028.335] QueryServiceConfigW (in: hService=0x421d88, lpServiceConfig=0x9b3558, cbBufSize=0xee, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0028.335] OpenServiceW (hSCManager=0x421ba8, lpServiceName="vds", dwDesiredAccess=0x1) returned 0x421c70 [0028.336] CloseServiceHandle (hSCObject=0x421d88) returned 1 [0028.336] QueryServiceConfigW (in: hService=0x421c70, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0028.336] GetLastError () returned 0x7a [0028.336] QueryServiceConfigW (in: hService=0x421c70, lpServiceConfig=0x9b3558, cbBufSize=0xf0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0028.336] OpenServiceW (hSCManager=0x421ba8, lpServiceName="VSS", dwDesiredAccess=0x1) returned 0x421d38 [0028.336] CloseServiceHandle (hSCObject=0x421c70) returned 1 [0028.336] QueryServiceConfigW (in: hService=0x421d38, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0028.336] GetLastError () returned 0x7a [0028.336] QueryServiceConfigW (in: hService=0x421d38, lpServiceConfig=0x9b3558, cbBufSize=0xee, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0028.337] OpenServiceW (hSCManager=0x421ba8, lpServiceName="W32Time", dwDesiredAccess=0x1) returned 0x421c98 [0028.337] CloseServiceHandle (hSCObject=0x421d38) returned 1 [0028.337] QueryServiceConfigW (in: hService=0x421c98, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0028.337] GetLastError () returned 0x7a [0028.337] QueryServiceConfigW (in: hService=0x421c98, lpServiceConfig=0x9b3558, cbBufSize=0x118, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0028.337] OpenServiceW (hSCManager=0x421ba8, lpServiceName="wbengine", dwDesiredAccess=0x1) returned 0x421d88 [0028.337] CloseServiceHandle (hSCObject=0x421c98) returned 1 [0028.337] QueryServiceConfigW (in: hService=0x421d88, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0028.338] GetLastError () returned 0x7a [0028.338] QueryServiceConfigW (in: hService=0x421d88, lpServiceConfig=0x9b3558, cbBufSize=0x10c, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0028.338] OpenServiceW (hSCManager=0x421ba8, lpServiceName="WbioSrvc", dwDesiredAccess=0x1) returned 0x421c70 [0028.338] CloseServiceHandle (hSCObject=0x421d88) returned 1 [0028.338] QueryServiceConfigW (in: hService=0x421c70, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0028.338] GetLastError () returned 0x7a [0028.338] QueryServiceConfigW (in: hService=0x421c70, lpServiceConfig=0x9b3558, cbBufSize=0x15e, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0028.338] OpenServiceW (hSCManager=0x421ba8, lpServiceName="wcncsvc", dwDesiredAccess=0x1) returned 0x421d38 [0028.338] CloseServiceHandle (hSCObject=0x421c70) returned 1 [0028.339] QueryServiceConfigW (in: hService=0x421d38, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0028.339] GetLastError () returned 0x7a [0028.339] QueryServiceConfigW (in: hService=0x421d38, lpServiceConfig=0x9b3558, cbBufSize=0x17a, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0028.339] OpenServiceW (hSCManager=0x421ba8, lpServiceName="WcsPlugInService", dwDesiredAccess=0x1) returned 0x421c98 [0028.339] CloseServiceHandle (hSCObject=0x421d38) returned 1 [0028.339] QueryServiceConfigW (in: hService=0x421c98, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0028.339] GetLastError () returned 0x7a [0028.339] QueryServiceConfigW (in: hService=0x421c98, lpServiceConfig=0x9b3558, cbBufSize=0x126, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0028.340] OpenServiceW (hSCManager=0x421ba8, lpServiceName="WdiServiceHost", dwDesiredAccess=0x1) returned 0x421d88 [0028.340] CloseServiceHandle (hSCObject=0x421c98) returned 1 [0028.340] QueryServiceConfigW (in: hService=0x421d88, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0028.340] GetLastError () returned 0x7a [0028.340] QueryServiceConfigW (in: hService=0x421d88, lpServiceConfig=0x9b3558, cbBufSize=0x12e, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0028.340] OpenServiceW (hSCManager=0x421ba8, lpServiceName="WdiSystemHost", dwDesiredAccess=0x1) returned 0x421c70 [0028.340] CloseServiceHandle (hSCObject=0x421d88) returned 1 [0028.340] QueryServiceConfigW (in: hService=0x421c70, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0028.340] GetLastError () returned 0x7a [0028.340] QueryServiceConfigW (in: hService=0x421c70, lpServiceConfig=0x9b3558, cbBufSize=0x130, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0028.341] OpenServiceW (hSCManager=0x421ba8, lpServiceName="WebClient", dwDesiredAccess=0x1) returned 0x421d38 [0028.341] CloseServiceHandle (hSCObject=0x421c70) returned 1 [0028.341] QueryServiceConfigW (in: hService=0x421d38, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0028.341] GetLastError () returned 0x7a [0028.341] QueryServiceConfigW (in: hService=0x421d38, lpServiceConfig=0x9b3558, cbBufSize=0x13c, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0028.341] OpenServiceW (hSCManager=0x421ba8, lpServiceName="Wecsvc", dwDesiredAccess=0x1) returned 0x421c98 [0028.341] CloseServiceHandle (hSCObject=0x421d38) returned 1 [0028.341] QueryServiceConfigW (in: hService=0x421c98, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0028.342] GetLastError () returned 0x7a [0028.342] QueryServiceConfigW (in: hService=0x421c98, lpServiceConfig=0x9b3558, cbBufSize=0x150, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0028.342] OpenServiceW (hSCManager=0x421ba8, lpServiceName="wercplsupport", dwDesiredAccess=0x1) returned 0x421d88 [0028.342] CloseServiceHandle (hSCObject=0x421c98) returned 1 [0028.342] QueryServiceConfigW (in: hService=0x421d88, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0028.342] GetLastError () returned 0x7a [0028.342] QueryServiceConfigW (in: hService=0x421d88, lpServiceConfig=0x9b3558, cbBufSize=0x140, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0028.344] OpenServiceW (hSCManager=0x421ba8, lpServiceName="WerSvc", dwDesiredAccess=0x1) returned 0x421c70 [0028.344] CloseServiceHandle (hSCObject=0x421d88) returned 1 [0028.344] QueryServiceConfigW (in: hService=0x421c70, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0028.344] GetLastError () returned 0x7a [0028.344] QueryServiceConfigW (in: hService=0x421c70, lpServiceConfig=0x9b3558, cbBufSize=0x120, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0028.344] OpenServiceW (hSCManager=0x421ba8, lpServiceName="WinDefend", dwDesiredAccess=0x1) returned 0x421d38 [0028.344] CloseServiceHandle (hSCObject=0x421c70) returned 1 [0028.345] QueryServiceConfigW (in: hService=0x421d38, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0028.345] GetLastError () returned 0x7a [0028.345] QueryServiceConfigW (in: hService=0x421d38, lpServiceConfig=0x9b3558, cbBufSize=0x104, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0028.345] OpenServiceW (hSCManager=0x421ba8, lpServiceName="WinHttpAutoProxySvc", dwDesiredAccess=0x1) returned 0x421c98 [0028.345] CloseServiceHandle (hSCObject=0x421d38) returned 1 [0028.345] QueryServiceConfigW (in: hService=0x421c98, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0028.345] GetLastError () returned 0x7a [0028.345] QueryServiceConfigW (in: hService=0x421c98, lpServiceConfig=0x9b3558, cbBufSize=0x158, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0028.345] OpenServiceW (hSCManager=0x421ba8, lpServiceName="Winmgmt", dwDesiredAccess=0x1) returned 0x421d88 [0028.346] CloseServiceHandle (hSCObject=0x421c98) returned 1 [0028.346] QueryServiceConfigW (in: hService=0x421d88, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0028.346] GetLastError () returned 0x7a [0028.346] QueryServiceConfigW (in: hService=0x421d88, lpServiceConfig=0x9b3558, cbBufSize=0x128, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0028.346] OpenServiceW (hSCManager=0x421ba8, lpServiceName="WinRM", dwDesiredAccess=0x1) returned 0x421c70 [0028.346] CloseServiceHandle (hSCObject=0x421d88) returned 1 [0028.346] QueryServiceConfigW (in: hService=0x421c70, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0028.346] GetLastError () returned 0x7a [0028.346] QueryServiceConfigW (in: hService=0x421c70, lpServiceConfig=0x9b3558, cbBufSize=0x16e, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0028.347] OpenServiceW (hSCManager=0x421ba8, lpServiceName="Wlansvc", dwDesiredAccess=0x1) returned 0x421d38 [0028.347] CloseServiceHandle (hSCObject=0x421c70) returned 1 [0028.347] QueryServiceConfigW (in: hService=0x421d38, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0028.347] GetLastError () returned 0x7a [0028.347] QueryServiceConfigW (in: hService=0x421d38, lpServiceConfig=0x9b3558, cbBufSize=0x16a, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0028.347] OpenServiceW (hSCManager=0x421ba8, lpServiceName="wmiApSrv", dwDesiredAccess=0x1) returned 0x421c98 [0028.347] CloseServiceHandle (hSCObject=0x421d38) returned 1 [0028.347] QueryServiceConfigW (in: hService=0x421c98, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0028.348] GetLastError () returned 0x7a [0028.348] QueryServiceConfigW (in: hService=0x421c98, lpServiceConfig=0x9b3558, cbBufSize=0xfe, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0028.348] OpenServiceW (hSCManager=0x421ba8, lpServiceName="WMPNetworkSvc", dwDesiredAccess=0x1) returned 0x421d88 [0028.348] CloseServiceHandle (hSCObject=0x421c98) returned 1 [0028.348] QueryServiceConfigW (in: hService=0x421d88, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0028.348] GetLastError () returned 0x7a [0028.348] QueryServiceConfigW (in: hService=0x421d88, lpServiceConfig=0x9b3558, cbBufSize=0x16e, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0028.348] OpenServiceW (hSCManager=0x421ba8, lpServiceName="WPCSvc", dwDesiredAccess=0x1) returned 0x421c70 [0028.348] CloseServiceHandle (hSCObject=0x421d88) returned 1 [0028.349] QueryServiceConfigW (in: hService=0x421c70, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0028.349] GetLastError () returned 0x7a [0028.349] QueryServiceConfigW (in: hService=0x421c70, lpServiceConfig=0x9b3558, cbBufSize=0x14e, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0028.349] OpenServiceW (hSCManager=0x421ba8, lpServiceName="WPDBusEnum", dwDesiredAccess=0x1) returned 0x421d38 [0028.349] CloseServiceHandle (hSCObject=0x421c70) returned 1 [0028.349] QueryServiceConfigW (in: hService=0x421d38, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0028.349] GetLastError () returned 0x7a [0028.349] QueryServiceConfigW (in: hService=0x421d38, lpServiceConfig=0x9b3558, cbBufSize=0x152, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0028.349] OpenServiceW (hSCManager=0x421ba8, lpServiceName="wscsvc", dwDesiredAccess=0x1) returned 0x421c98 [0028.350] CloseServiceHandle (hSCObject=0x421d38) returned 1 [0028.350] QueryServiceConfigW (in: hService=0x421c98, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0028.350] GetLastError () returned 0x7a [0028.350] QueryServiceConfigW (in: hService=0x421c98, lpServiceConfig=0x9b3558, cbBufSize=0x15a, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0028.350] OpenServiceW (hSCManager=0x421ba8, lpServiceName="WSearch", dwDesiredAccess=0x1) returned 0x421d88 [0028.350] CloseServiceHandle (hSCObject=0x421c98) returned 1 [0028.350] QueryServiceConfigW (in: hService=0x421d88, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0028.350] GetLastError () returned 0x7a [0028.350] QueryServiceConfigW (in: hService=0x421d88, lpServiceConfig=0x9b3558, cbBufSize=0x10c, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0028.351] OpenServiceW (hSCManager=0x421ba8, lpServiceName="wuauserv", dwDesiredAccess=0x1) returned 0x421c70 [0028.351] CloseServiceHandle (hSCObject=0x421d88) returned 1 [0028.351] QueryServiceConfigW (in: hService=0x421c70, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0028.351] GetLastError () returned 0x7a [0028.351] QueryServiceConfigW (in: hService=0x421c70, lpServiceConfig=0x9b3558, cbBufSize=0x100, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0028.351] OpenServiceW (hSCManager=0x421ba8, lpServiceName="wudfsvc", dwDesiredAccess=0x1) returned 0x421d38 [0028.351] CloseServiceHandle (hSCObject=0x421c70) returned 1 [0028.351] QueryServiceConfigW (in: hService=0x421d38, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0028.352] GetLastError () returned 0x7a [0028.352] QueryServiceConfigW (in: hService=0x421d38, lpServiceConfig=0x9b3558, cbBufSize=0x19e, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0028.352] OpenServiceW (hSCManager=0x421ba8, lpServiceName="WwanSvc", dwDesiredAccess=0x1) returned 0x421c98 [0028.352] CloseServiceHandle (hSCObject=0x421d38) returned 1 [0028.352] QueryServiceConfigW (in: hService=0x421c98, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x2af454) returned 0 [0028.352] GetLastError () returned 0x7a [0028.352] QueryServiceConfigW (in: hService=0x421c98, lpServiceConfig=0x9b3558, cbBufSize=0x170, pcbBytesNeeded=0x2af454 | out: lpServiceConfig=0x9b3558, pcbBytesNeeded=0x2af454) returned 1 [0028.352] CloseServiceHandle (hSCObject=0x421c98) returned 1 [0028.352] CryptAcquireContextW (in: phProv=0x2af498, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x2af498*=0x422510) returned 1 [0028.353] CryptGenRandom (in: hProv=0x422510, dwLen=0x4, pbBuffer=0x2af4ac | out: pbBuffer=0x2af4ac) returned 1 [0028.353] CryptReleaseContext (hProv=0x422510, dwFlags=0x0) returned 1 [0028.353] OpenServiceW (hSCManager=0x421ba8, lpServiceName="ose64", dwDesiredAccess=0x20) returned 0x421c70 [0028.353] ControlService (in: hService=0x421c70, dwControl=0x1, lpServiceStatus=0x2af404 | out: lpServiceStatus=0x2af404*(dwServiceType=0x10, dwCurrentState=0x1, dwControlsAccepted=0x0, dwWin32ExitCode=0x435, dwServiceSpecificExitCode=0x0, dwCheckPoint=0x0, dwWaitHint=0x0)) returned 0 [0028.353] GetLastError () returned 0x426 [0028.353] CloseServiceHandle (hSCObject=0x421c70) returned 1 [0028.354] SHRegDuplicateHKey (hkey=0x80000002) returned 0x80000002 [0028.354] RegEnumKeyW (in: hKey=0x80000002, dwIndex=0x0, lpName=0x9b73c0, cchName=0x104 | out: lpName="BCD00000000") returned 0x0 [0028.354] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="bcd00000000", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0028.354] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="bcd00000000", cchWideChar=11, lpMultiByteStr=0x9c1990, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bcd00000000", lpUsedDefaultChar=0x0) returned 11 [0028.354] RegEnumKeyW (in: hKey=0x80000002, dwIndex=0x1, lpName=0x9b73c0, cchName=0x104 | out: lpName="HARDWARE") returned 0x0 [0028.354] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="hardware", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0028.354] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="hardware", cchWideChar=8, lpMultiByteStr=0x9c19d8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="hardware", lpUsedDefaultChar=0x0) returned 8 [0028.354] RegEnumKeyW (in: hKey=0x80000002, dwIndex=0x2, lpName=0x9b73c0, cchName=0x104 | out: lpName="SAM") returned 0x0 [0028.354] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="sam", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0028.354] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="sam", cchWideChar=3, lpMultiByteStr=0x9c1990, cbMultiByte=3, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="sam", lpUsedDefaultChar=0x0) returned 3 [0028.354] RegEnumKeyW (in: hKey=0x80000002, dwIndex=0x3, lpName=0x9b73c0, cchName=0x104 | out: lpName="SECURITY") returned 0x0 [0028.354] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="security", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0028.354] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="security", cchWideChar=8, lpMultiByteStr=0x9c19d8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="security", lpUsedDefaultChar=0x0) returned 8 [0028.354] RegEnumKeyW (in: hKey=0x80000002, dwIndex=0x4, lpName=0x9b73c0, cchName=0x104 | out: lpName="SOFTWARE") returned 0x0 [0028.354] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="software", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0028.354] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="software", cchWideChar=8, lpMultiByteStr=0x9c1990, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="software", lpUsedDefaultChar=0x0) returned 8 [0028.354] RegEnumKeyW (in: hKey=0x80000002, dwIndex=0x5, lpName=0x9b73c0, cchName=0x104 | out: lpName="SYSTEM") returned 0x0 [0028.354] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="system", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0028.354] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="system", cchWideChar=6, lpMultiByteStr=0x9c19d8, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="system", lpUsedDefaultChar=0x0) returned 6 [0028.354] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SYSTEM", ulOptions=0x0, samDesired=0x20109, phkResult=0x2af3d0 | out: phkResult=0x2af3d0*=0x154) returned 0x0 [0028.354] RegCloseKey (hKey=0x80000002) returned 0x0 [0028.354] RegEnumKeyW (in: hKey=0x154, dwIndex=0x0, lpName=0x9b73c0, cchName=0x104 | out: lpName="ControlSet001") returned 0x0 [0028.354] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="controlset001", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0028.355] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="controlset001", cchWideChar=13, lpMultiByteStr=0x9c1990, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="controlset001", lpUsedDefaultChar=0x0) returned 13 [0028.355] RegEnumKeyW (in: hKey=0x154, dwIndex=0x1, lpName=0x9b73c0, cchName=0x104 | out: lpName="ControlSet002") returned 0x0 [0028.355] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="controlset002", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0028.355] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="controlset002", cchWideChar=13, lpMultiByteStr=0x9c19d8, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="controlset002", lpUsedDefaultChar=0x0) returned 13 [0028.355] RegEnumKeyW (in: hKey=0x154, dwIndex=0x2, lpName=0x9b73c0, cchName=0x104 | out: lpName="MountedDevices") returned 0x0 [0028.355] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mounteddevices", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0028.355] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mounteddevices", cchWideChar=14, lpMultiByteStr=0x9c1990, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mounteddevices", lpUsedDefaultChar=0x0) returned 14 [0028.355] RegEnumKeyW (in: hKey=0x154, dwIndex=0x3, lpName=0x9b73c0, cchName=0x104 | out: lpName="RNG") returned 0x0 [0028.355] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="rng", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0028.355] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="rng", cchWideChar=3, lpMultiByteStr=0x9c19d8, cbMultiByte=3, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="rng", lpUsedDefaultChar=0x0) returned 3 [0028.355] RegEnumKeyW (in: hKey=0x154, dwIndex=0x4, lpName=0x9b73c0, cchName=0x104 | out: lpName="Select") returned 0x0 [0028.355] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="select", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0028.355] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="select", cchWideChar=6, lpMultiByteStr=0x9c1990, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="select", lpUsedDefaultChar=0x0) returned 6 [0028.355] RegEnumKeyW (in: hKey=0x154, dwIndex=0x5, lpName=0x9b73c0, cchName=0x104 | out: lpName="Setup") returned 0x0 [0028.355] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="setup", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0028.355] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="setup", cchWideChar=5, lpMultiByteStr=0x9c19d8, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="setup", lpUsedDefaultChar=0x0) returned 5 [0028.355] RegEnumKeyW (in: hKey=0x154, dwIndex=0x6, lpName=0x9b73c0, cchName=0x104 | out: lpName="Software") returned 0x0 [0028.355] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="software", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0028.355] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="software", cchWideChar=8, lpMultiByteStr=0x9c1990, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="software", lpUsedDefaultChar=0x0) returned 8 [0028.355] RegEnumKeyW (in: hKey=0x154, dwIndex=0x7, lpName=0x9b73c0, cchName=0x104 | out: lpName="WPA") returned 0x0 [0028.355] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="wpa", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0028.355] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="wpa", cchWideChar=3, lpMultiByteStr=0x9c19d8, cbMultiByte=3, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="wpa", lpUsedDefaultChar=0x0) returned 3 [0028.355] RegEnumKeyW (in: hKey=0x154, dwIndex=0x8, lpName=0x9b73c0, cchName=0x104 | out: lpName="CurrentControlSet") returned 0x0 [0028.355] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="currentcontrolset", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0028.356] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="currentcontrolset", cchWideChar=17, lpMultiByteStr=0x9c1990, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="currentcontrolset", lpUsedDefaultChar=0x0) returned 17 [0028.356] RegOpenKeyExW (in: hKey=0x154, lpSubKey="CurrentControlSet", ulOptions=0x0, samDesired=0x20109, phkResult=0x2af3d0 | out: phkResult=0x2af3d0*=0xbc) returned 0x0 [0028.356] RegCloseKey (hKey=0x154) returned 0x0 [0028.356] RegEnumKeyW (in: hKey=0xbc, dwIndex=0x0, lpName=0x9b73c0, cchName=0x104 | out: lpName="Control") returned 0x0 [0028.356] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="control", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0028.356] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="control", cchWideChar=7, lpMultiByteStr=0x9c19d8, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="control", lpUsedDefaultChar=0x0) returned 7 [0028.356] RegEnumKeyW (in: hKey=0xbc, dwIndex=0x1, lpName=0x9b73c0, cchName=0x104 | out: lpName="Enum") returned 0x0 [0028.356] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="enum", cchWideChar=4, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 4 [0028.356] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="enum", cchWideChar=4, lpMultiByteStr=0x9c1990, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="enum", lpUsedDefaultChar=0x0) returned 4 [0028.356] RegEnumKeyW (in: hKey=0xbc, dwIndex=0x2, lpName=0x9b73c0, cchName=0x104 | out: lpName="Hardware Profiles") returned 0x0 [0028.356] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="hardware profiles", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0028.356] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="hardware profiles", cchWideChar=17, lpMultiByteStr=0x9c19d8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="hardware profiles", lpUsedDefaultChar=0x0) returned 17 [0028.356] RegEnumKeyW (in: hKey=0xbc, dwIndex=0x3, lpName=0x9b73c0, cchName=0x104 | out: lpName="Policies") returned 0x0 [0028.356] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="policies", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0028.356] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="policies", cchWideChar=8, lpMultiByteStr=0x9c1990, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="policies", lpUsedDefaultChar=0x0) returned 8 [0028.356] RegEnumKeyW (in: hKey=0xbc, dwIndex=0x4, lpName=0x9b73c0, cchName=0x104 | out: lpName="services") returned 0x0 [0028.356] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="services", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0028.356] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="services", cchWideChar=8, lpMultiByteStr=0x9c19d8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="services", lpUsedDefaultChar=0x0) returned 8 [0028.356] RegOpenKeyExW (in: hKey=0xbc, lpSubKey="services", ulOptions=0x0, samDesired=0x20109, phkResult=0x2af3d0 | out: phkResult=0x2af3d0*=0x154) returned 0x0 [0028.356] RegCloseKey (hKey=0xbc) returned 0x0 [0028.356] RegEnumKeyW (in: hKey=0x154, dwIndex=0x0, lpName=0x9b73c0, cchName=0x104 | out: lpName=".NET CLR Data") returned 0x0 [0028.356] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr=".net clr data", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0028.356] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr=".net clr data", cchWideChar=13, lpMultiByteStr=0x9c1990, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=".net clr data", lpUsedDefaultChar=0x0) returned 13 [0028.356] RegEnumKeyW (in: hKey=0x154, dwIndex=0x1, lpName=0x9b73c0, cchName=0x104 | out: lpName=".NET CLR Networking") returned 0x0 [0028.356] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr=".net clr networking", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0028.357] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr=".net clr networking", cchWideChar=19, lpMultiByteStr=0x9c19d8, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=".net clr networking", lpUsedDefaultChar=0x0) returned 19 [0028.357] RegEnumKeyW (in: hKey=0x154, dwIndex=0x2, lpName=0x9b73c0, cchName=0x104 | out: lpName=".NET CLR Networking 4.0.0.0") returned 0x0 [0028.357] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr=".net clr networking 4.0.0.0", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0028.357] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr=".net clr networking 4.0.0.0", cchWideChar=27, lpMultiByteStr=0x9c1990, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=".net clr networking 4.0.0.0", lpUsedDefaultChar=0x0) returned 27 [0028.357] RegEnumKeyW (in: hKey=0x154, dwIndex=0x3, lpName=0x9b73c0, cchName=0x104 | out: lpName=".NET Data Provider for Oracle") returned 0x0 [0028.357] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr=".net data provider for oracle", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0028.357] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr=".net data provider for oracle", cchWideChar=29, lpMultiByteStr=0x9c19d8, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=".net data provider for oracle", lpUsedDefaultChar=0x0) returned 29 [0028.357] RegEnumKeyW (in: hKey=0x154, dwIndex=0x4, lpName=0x9b73c0, cchName=0x104 | out: lpName=".NET Data Provider for SqlServer") returned 0x0 [0028.357] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr=".net data provider for sqlserver", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0028.357] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr=".net data provider for sqlserver", cchWideChar=32, lpMultiByteStr=0x9c1990, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=".net data provider for sqlserver", lpUsedDefaultChar=0x0) returned 32 [0028.357] RegEnumKeyW (in: hKey=0x154, dwIndex=0x5, lpName=0x9b73c0, cchName=0x104 | out: lpName=".NET Memory Cache 4.0") returned 0x0 [0028.357] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr=".net memory cache 4.0", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0028.357] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr=".net memory cache 4.0", cchWideChar=21, lpMultiByteStr=0x9c19d8, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=".net memory cache 4.0", lpUsedDefaultChar=0x0) returned 21 [0028.357] RegEnumKeyW (in: hKey=0x154, dwIndex=0x6, lpName=0x9b73c0, cchName=0x104 | out: lpName=".NETFramework") returned 0x0 [0028.357] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr=".netframework", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0028.357] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr=".netframework", cchWideChar=13, lpMultiByteStr=0x9c1990, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=".netframework", lpUsedDefaultChar=0x0) returned 13 [0028.357] RegEnumKeyW (in: hKey=0x154, dwIndex=0x7, lpName=0x9b73c0, cchName=0x104 | out: lpName="1394ohci") returned 0x0 [0028.357] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="1394ohci", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0028.357] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="1394ohci", cchWideChar=8, lpMultiByteStr=0x9c19d8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="1394ohci", lpUsedDefaultChar=0x0) returned 8 [0028.357] RegEnumKeyW (in: hKey=0x154, dwIndex=0x8, lpName=0x9b73c0, cchName=0x104 | out: lpName="ACPI") returned 0x0 [0028.357] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="acpi", cchWideChar=4, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 4 [0028.357] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="acpi", cchWideChar=4, lpMultiByteStr=0x9c1990, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="acpi", lpUsedDefaultChar=0x0) returned 4 [0028.357] RegEnumKeyW (in: hKey=0x154, dwIndex=0x9, lpName=0x9b73c0, cchName=0x104 | out: lpName="AcpiPmi") returned 0x0 [0028.357] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="acpipmi", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0028.357] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="acpipmi", cchWideChar=7, lpMultiByteStr=0x9c19d8, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="acpipmi", lpUsedDefaultChar=0x0) returned 7 [0028.357] RegEnumKeyW (in: hKey=0x154, dwIndex=0xa, lpName=0x9b73c0, cchName=0x104 | out: lpName="AdobeFlashPlayerUpdateSvc") returned 0x0 [0028.358] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="adobeflashplayerupdatesvc", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0028.358] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="adobeflashplayerupdatesvc", cchWideChar=25, lpMultiByteStr=0x9c1990, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="adobeflashplayerupdatesvc", lpUsedDefaultChar=0x0) returned 25 [0028.358] RegEnumKeyW (in: hKey=0x154, dwIndex=0xb, lpName=0x9b73c0, cchName=0x104 | out: lpName="adp94xx") returned 0x0 [0028.358] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="adp94xx", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0028.358] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="adp94xx", cchWideChar=7, lpMultiByteStr=0x9c19d8, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="adp94xx", lpUsedDefaultChar=0x0) returned 7 [0028.358] RegEnumKeyW (in: hKey=0x154, dwIndex=0xc, lpName=0x9b73c0, cchName=0x104 | out: lpName="adpahci") returned 0x0 [0028.358] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="adpahci", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0028.358] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="adpahci", cchWideChar=7, lpMultiByteStr=0x9c1990, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="adpahci", lpUsedDefaultChar=0x0) returned 7 [0028.358] RegEnumKeyW (in: hKey=0x154, dwIndex=0xd, lpName=0x9b73c0, cchName=0x104 | out: lpName="adpu320") returned 0x0 [0028.358] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="adpu320", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0028.358] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="adpu320", cchWideChar=7, lpMultiByteStr=0x9c19d8, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="adpu320", lpUsedDefaultChar=0x0) returned 7 [0028.358] RegEnumKeyW (in: hKey=0x154, dwIndex=0xe, lpName=0x9b73c0, cchName=0x104 | out: lpName="adsi") returned 0x0 [0028.358] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="adsi", cchWideChar=4, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 4 [0028.358] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="adsi", cchWideChar=4, lpMultiByteStr=0x9c1990, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="adsi", lpUsedDefaultChar=0x0) returned 4 [0028.358] RegEnumKeyW (in: hKey=0x154, dwIndex=0xf, lpName=0x9b73c0, cchName=0x104 | out: lpName="AeLookupSvc") returned 0x0 [0028.358] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="aelookupsvc", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0028.358] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="aelookupsvc", cchWideChar=11, lpMultiByteStr=0x9c19d8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="aelookupsvc", lpUsedDefaultChar=0x0) returned 11 [0028.358] RegEnumKeyW (in: hKey=0x154, dwIndex=0x10, lpName=0x9b73c0, cchName=0x104 | out: lpName="AFD") returned 0x0 [0028.358] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="afd", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0028.358] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="afd", cchWideChar=3, lpMultiByteStr=0x9c1990, cbMultiByte=3, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="afd", lpUsedDefaultChar=0x0) returned 3 [0028.358] RegEnumKeyW (in: hKey=0x154, dwIndex=0x11, lpName=0x9b73c0, cchName=0x104 | out: lpName="agp440") returned 0x0 [0028.358] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="agp440", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0028.358] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="agp440", cchWideChar=6, lpMultiByteStr=0x9c19d8, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="agp440", lpUsedDefaultChar=0x0) returned 6 [0028.358] RegEnumKeyW (in: hKey=0x154, dwIndex=0x12, lpName=0x9b73c0, cchName=0x104 | out: lpName="ALG") returned 0x0 [0028.358] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="alg", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0028.359] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="alg", cchWideChar=3, lpMultiByteStr=0x9c1990, cbMultiByte=3, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="alg", lpUsedDefaultChar=0x0) returned 3 [0028.359] RegEnumKeyW (in: hKey=0x154, dwIndex=0x13, lpName=0x9b73c0, cchName=0x104 | out: lpName="aliide") returned 0x0 [0028.359] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="aliide", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0028.359] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="aliide", cchWideChar=6, lpMultiByteStr=0x9c19d8, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="aliide", lpUsedDefaultChar=0x0) returned 6 [0028.359] RegEnumKeyW (in: hKey=0x154, dwIndex=0x14, lpName=0x9b73c0, cchName=0x104 | out: lpName="amdide") returned 0x0 [0028.359] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="amdide", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0028.359] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="amdide", cchWideChar=6, lpMultiByteStr=0x9c1990, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="amdide", lpUsedDefaultChar=0x0) returned 6 [0028.359] RegEnumKeyW (in: hKey=0x154, dwIndex=0x15, lpName=0x9b73c0, cchName=0x104 | out: lpName="AmdK8") returned 0x0 [0028.359] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="amdk8", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0028.359] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="amdk8", cchWideChar=5, lpMultiByteStr=0x9c19d8, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="amdk8", lpUsedDefaultChar=0x0) returned 5 [0028.359] RegEnumKeyW (in: hKey=0x154, dwIndex=0x16, lpName=0x9b73c0, cchName=0x104 | out: lpName="AmdPPM") returned 0x0 [0028.359] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="amdppm", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0028.359] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="amdppm", cchWideChar=6, lpMultiByteStr=0x9c1990, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="amdppm", lpUsedDefaultChar=0x0) returned 6 [0028.359] RegEnumKeyW (in: hKey=0x154, dwIndex=0x17, lpName=0x9b73c0, cchName=0x104 | out: lpName="amdsata") returned 0x0 [0028.359] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="amdsata", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0028.359] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="amdsata", cchWideChar=7, lpMultiByteStr=0x9c19d8, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="amdsata", lpUsedDefaultChar=0x0) returned 7 [0028.359] RegEnumKeyW (in: hKey=0x154, dwIndex=0x18, lpName=0x9b73c0, cchName=0x104 | out: lpName="amdsbs") returned 0x0 [0028.359] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="amdsbs", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0028.359] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="amdsbs", cchWideChar=6, lpMultiByteStr=0x9c1990, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="amdsbs", lpUsedDefaultChar=0x0) returned 6 [0028.359] RegEnumKeyW (in: hKey=0x154, dwIndex=0x19, lpName=0x9b73c0, cchName=0x104 | out: lpName="amdxata") returned 0x0 [0028.359] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="amdxata", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0028.359] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="amdxata", cchWideChar=7, lpMultiByteStr=0x9c19d8, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="amdxata", lpUsedDefaultChar=0x0) returned 7 [0028.359] RegEnumKeyW (in: hKey=0x154, dwIndex=0x1a, lpName=0x9b73c0, cchName=0x104 | out: lpName="AppID") returned 0x0 [0028.359] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="appid", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0028.360] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="appid", cchWideChar=5, lpMultiByteStr=0x9c1990, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="appid", lpUsedDefaultChar=0x0) returned 5 [0028.360] RegEnumKeyW (in: hKey=0x154, dwIndex=0x1b, lpName=0x9b73c0, cchName=0x104 | out: lpName="AppIDSvc") returned 0x0 [0028.360] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="appidsvc", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0028.360] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="appidsvc", cchWideChar=8, lpMultiByteStr=0x9c19d8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="appidsvc", lpUsedDefaultChar=0x0) returned 8 [0028.360] RegEnumKeyW (in: hKey=0x154, dwIndex=0x1c, lpName=0x9b73c0, cchName=0x104 | out: lpName="Appinfo") returned 0x0 [0028.360] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="appinfo", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0028.360] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="appinfo", cchWideChar=7, lpMultiByteStr=0x9c1990, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="appinfo", lpUsedDefaultChar=0x0) returned 7 [0028.360] RegEnumKeyW (in: hKey=0x154, dwIndex=0x1d, lpName=0x9b73c0, cchName=0x104 | out: lpName="AppMgmt") returned 0x0 [0028.360] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="appmgmt", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0028.360] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="appmgmt", cchWideChar=7, lpMultiByteStr=0x9c19d8, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="appmgmt", lpUsedDefaultChar=0x0) returned 7 [0028.360] RegEnumKeyW (in: hKey=0x154, dwIndex=0x1e, lpName=0x9b73c0, cchName=0x104 | out: lpName="arc") returned 0x0 [0028.360] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="arc", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0028.360] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="arc", cchWideChar=3, lpMultiByteStr=0x9c1990, cbMultiByte=3, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="arc", lpUsedDefaultChar=0x0) returned 3 [0028.360] RegEnumKeyW (in: hKey=0x154, dwIndex=0x1f, lpName=0x9b73c0, cchName=0x104 | out: lpName="arcsas") returned 0x0 [0028.360] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="arcsas", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0028.360] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="arcsas", cchWideChar=6, lpMultiByteStr=0x9c19d8, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="arcsas", lpUsedDefaultChar=0x0) returned 6 [0028.360] RegEnumKeyW (in: hKey=0x154, dwIndex=0x20, lpName=0x9b73c0, cchName=0x104 | out: lpName="ASP.NET") returned 0x0 [0028.360] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="asp.net", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0028.360] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="asp.net", cchWideChar=7, lpMultiByteStr=0x9c1990, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="asp.net", lpUsedDefaultChar=0x0) returned 7 [0028.360] RegEnumKeyW (in: hKey=0x154, dwIndex=0x21, lpName=0x9b73c0, cchName=0x104 | out: lpName="ASP.NET_4.0.30319") returned 0x0 [0028.360] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="asp.net_4.0.30319", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0028.360] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="asp.net_4.0.30319", cchWideChar=17, lpMultiByteStr=0x9c19d8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="asp.net_4.0.30319", lpUsedDefaultChar=0x0) returned 17 [0028.360] RegEnumKeyW (in: hKey=0x154, dwIndex=0x22, lpName=0x9b73c0, cchName=0x104 | out: lpName="aspnet_state") returned 0x0 [0028.360] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="aspnet_state", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0028.360] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="aspnet_state", cchWideChar=12, lpMultiByteStr=0x9c1990, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="aspnet_state", lpUsedDefaultChar=0x0) returned 12 [0028.360] RegEnumKeyW (in: hKey=0x154, dwIndex=0x23, lpName=0x9b73c0, cchName=0x104 | out: lpName="AsyncMac") returned 0x0 [0028.361] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="asyncmac", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0028.361] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="asyncmac", cchWideChar=8, lpMultiByteStr=0x9c19d8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="asyncmac", lpUsedDefaultChar=0x0) returned 8 [0028.361] RegEnumKeyW (in: hKey=0x154, dwIndex=0x24, lpName=0x9b73c0, cchName=0x104 | out: lpName="atapi") returned 0x0 [0028.361] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="atapi", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0028.361] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="atapi", cchWideChar=5, lpMultiByteStr=0x9c1990, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="atapi", lpUsedDefaultChar=0x0) returned 5 [0028.361] RegEnumKeyW (in: hKey=0x154, dwIndex=0x25, lpName=0x9b73c0, cchName=0x104 | out: lpName="AudioEndpointBuilder") returned 0x0 [0028.361] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="audioendpointbuilder", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0028.361] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="audioendpointbuilder", cchWideChar=20, lpMultiByteStr=0x9c19d8, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="audioendpointbuilder", lpUsedDefaultChar=0x0) returned 20 [0028.361] RegEnumKeyW (in: hKey=0x154, dwIndex=0x26, lpName=0x9b73c0, cchName=0x104 | out: lpName="AudioSrv") returned 0x0 [0028.361] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="audiosrv", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0028.361] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="audiosrv", cchWideChar=8, lpMultiByteStr=0x9c1990, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="audiosrv", lpUsedDefaultChar=0x0) returned 8 [0028.361] RegEnumKeyW (in: hKey=0x154, dwIndex=0x27, lpName=0x9b73c0, cchName=0x104 | out: lpName="AxInstSV") returned 0x0 [0028.361] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="axinstsv", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0028.361] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="axinstsv", cchWideChar=8, lpMultiByteStr=0x9c19d8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="axinstsv", lpUsedDefaultChar=0x0) returned 8 [0028.361] RegEnumKeyW (in: hKey=0x154, dwIndex=0x28, lpName=0x9b73c0, cchName=0x104 | out: lpName="b06bdrv") returned 0x0 [0028.361] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="b06bdrv", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0028.361] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="b06bdrv", cchWideChar=7, lpMultiByteStr=0x9c1990, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="b06bdrv", lpUsedDefaultChar=0x0) returned 7 [0028.361] RegEnumKeyW (in: hKey=0x154, dwIndex=0x29, lpName=0x9b73c0, cchName=0x104 | out: lpName="b57nd60a") returned 0x0 [0028.361] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="b57nd60a", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0028.361] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="b57nd60a", cchWideChar=8, lpMultiByteStr=0x9c19d8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="b57nd60a", lpUsedDefaultChar=0x0) returned 8 [0028.361] RegEnumKeyW (in: hKey=0x154, dwIndex=0x2a, lpName=0x9b73c0, cchName=0x104 | out: lpName="BattC") returned 0x0 [0028.361] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="battc", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0028.361] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="battc", cchWideChar=5, lpMultiByteStr=0x9c1990, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="battc", lpUsedDefaultChar=0x0) returned 5 [0028.361] RegEnumKeyW (in: hKey=0x154, dwIndex=0x2b, lpName=0x9b73c0, cchName=0x104 | out: lpName="BDESVC") returned 0x0 [0028.361] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="bdesvc", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0028.361] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="bdesvc", cchWideChar=6, lpMultiByteStr=0x9c19d8, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bdesvc", lpUsedDefaultChar=0x0) returned 6 [0028.362] RegEnumKeyW (in: hKey=0x154, dwIndex=0x2c, lpName=0x9b73c0, cchName=0x104 | out: lpName="Beep") returned 0x0 [0028.362] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="beep", cchWideChar=4, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 4 [0028.362] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="beep", cchWideChar=4, lpMultiByteStr=0x9c1990, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="beep", lpUsedDefaultChar=0x0) returned 4 [0028.362] RegEnumKeyW (in: hKey=0x154, dwIndex=0x2d, lpName=0x9b73c0, cchName=0x104 | out: lpName="BFE") returned 0x0 [0028.362] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="bfe", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0028.362] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="bfe", cchWideChar=3, lpMultiByteStr=0x9c19d8, cbMultiByte=3, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bfe", lpUsedDefaultChar=0x0) returned 3 [0028.362] RegEnumKeyW (in: hKey=0x154, dwIndex=0x2e, lpName=0x9b73c0, cchName=0x104 | out: lpName="BITS") returned 0x0 [0028.362] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="bits", cchWideChar=4, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 4 [0028.362] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="bits", cchWideChar=4, lpMultiByteStr=0x9c1990, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bits", lpUsedDefaultChar=0x0) returned 4 [0028.362] RegEnumKeyW (in: hKey=0x154, dwIndex=0x2f, lpName=0x9b73c0, cchName=0x104 | out: lpName="blbdrive") returned 0x0 [0028.362] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="blbdrive", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0028.362] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="blbdrive", cchWideChar=8, lpMultiByteStr=0x9c19d8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="blbdrive", lpUsedDefaultChar=0x0) returned 8 [0028.362] RegEnumKeyW (in: hKey=0x154, dwIndex=0x30, lpName=0x9b73c0, cchName=0x104 | out: lpName="bowser") returned 0x0 [0028.362] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="bowser", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0028.362] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="bowser", cchWideChar=6, lpMultiByteStr=0x9c1990, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bowser", lpUsedDefaultChar=0x0) returned 6 [0028.362] RegEnumKeyW (in: hKey=0x154, dwIndex=0x31, lpName=0x9b73c0, cchName=0x104 | out: lpName="BrFiltLo") returned 0x0 [0028.362] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="brfiltlo", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0028.362] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="brfiltlo", cchWideChar=8, lpMultiByteStr=0x9c19d8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="brfiltlo", lpUsedDefaultChar=0x0) returned 8 [0028.362] RegEnumKeyW (in: hKey=0x154, dwIndex=0x32, lpName=0x9b73c0, cchName=0x104 | out: lpName="BrFiltUp") returned 0x0 [0028.362] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="brfiltup", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0028.362] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="brfiltup", cchWideChar=8, lpMultiByteStr=0x9c1990, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="brfiltup", lpUsedDefaultChar=0x0) returned 8 [0028.362] RegEnumKeyW (in: hKey=0x154, dwIndex=0x33, lpName=0x9b73c0, cchName=0x104 | out: lpName="Browser") returned 0x0 [0028.362] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="browser", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0028.362] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="browser", cchWideChar=7, lpMultiByteStr=0x9c19d8, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="browser", lpUsedDefaultChar=0x0) returned 7 [0028.362] RegEnumKeyW (in: hKey=0x154, dwIndex=0x34, lpName=0x9b73c0, cchName=0x104 | out: lpName="Brserid") returned 0x0 [0028.362] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="brserid", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0028.363] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="brserid", cchWideChar=7, lpMultiByteStr=0x9c1990, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="brserid", lpUsedDefaultChar=0x0) returned 7 [0028.363] RegEnumKeyW (in: hKey=0x154, dwIndex=0x35, lpName=0x9b73c0, cchName=0x104 | out: lpName="BrSerWdm") returned 0x0 [0028.363] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="brserwdm", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0028.363] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="brserwdm", cchWideChar=8, lpMultiByteStr=0x9c19d8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="brserwdm", lpUsedDefaultChar=0x0) returned 8 [0028.363] RegEnumKeyW (in: hKey=0x154, dwIndex=0x36, lpName=0x9b73c0, cchName=0x104 | out: lpName="BrUsbMdm") returned 0x0 [0028.363] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="brusbmdm", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0028.363] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="brusbmdm", cchWideChar=8, lpMultiByteStr=0x9c1990, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="brusbmdm", lpUsedDefaultChar=0x0) returned 8 [0028.363] RegEnumKeyW (in: hKey=0x154, dwIndex=0x37, lpName=0x9b73c0, cchName=0x104 | out: lpName="BrUsbSer") returned 0x0 [0028.363] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="brusbser", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0028.363] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="brusbser", cchWideChar=8, lpMultiByteStr=0x9c19d8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="brusbser", lpUsedDefaultChar=0x0) returned 8 [0028.363] RegEnumKeyW (in: hKey=0x154, dwIndex=0x38, lpName=0x9b73c0, cchName=0x104 | out: lpName="BTHMODEM") returned 0x0 [0028.363] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="bthmodem", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0028.363] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="bthmodem", cchWideChar=8, lpMultiByteStr=0x9c1990, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bthmodem", lpUsedDefaultChar=0x0) returned 8 [0028.363] RegEnumKeyW (in: hKey=0x154, dwIndex=0x39, lpName=0x9b73c0, cchName=0x104 | out: lpName="BTHPORT") returned 0x0 [0028.363] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="bthport", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0028.363] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="bthport", cchWideChar=7, lpMultiByteStr=0x9c19d8, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bthport", lpUsedDefaultChar=0x0) returned 7 [0028.363] RegEnumKeyW (in: hKey=0x154, dwIndex=0x3a, lpName=0x9b73c0, cchName=0x104 | out: lpName="bthserv") returned 0x0 [0028.363] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="bthserv", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0028.363] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="bthserv", cchWideChar=7, lpMultiByteStr=0x9c1990, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bthserv", lpUsedDefaultChar=0x0) returned 7 [0028.363] RegEnumKeyW (in: hKey=0x154, dwIndex=0x3b, lpName=0x9b73c0, cchName=0x104 | out: lpName="cdfs") returned 0x0 [0028.363] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="cdfs", cchWideChar=4, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 4 [0028.363] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="cdfs", cchWideChar=4, lpMultiByteStr=0x9c19d8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="cdfs", lpUsedDefaultChar=0x0) returned 4 [0028.363] RegEnumKeyW (in: hKey=0x154, dwIndex=0x3c, lpName=0x9b73c0, cchName=0x104 | out: lpName="cdrom") returned 0x0 [0028.363] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="cdrom", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0028.363] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="cdrom", cchWideChar=5, lpMultiByteStr=0x9c1990, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="cdrom", lpUsedDefaultChar=0x0) returned 5 [0028.364] RegEnumKeyW (in: hKey=0x154, dwIndex=0x3d, lpName=0x9b73c0, cchName=0x104 | out: lpName="CertPropSvc") returned 0x0 [0028.364] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="certpropsvc", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0028.364] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="certpropsvc", cchWideChar=11, lpMultiByteStr=0x9c19d8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="certpropsvc", lpUsedDefaultChar=0x0) returned 11 [0028.364] RegEnumKeyW (in: hKey=0x154, dwIndex=0x3e, lpName=0x9b73c0, cchName=0x104 | out: lpName="circlass") returned 0x0 [0028.364] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="circlass", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0028.364] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="circlass", cchWideChar=8, lpMultiByteStr=0x9c1990, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="circlass", lpUsedDefaultChar=0x0) returned 8 [0028.364] RegEnumKeyW (in: hKey=0x154, dwIndex=0x3f, lpName=0x9b73c0, cchName=0x104 | out: lpName="CLFS") returned 0x0 [0028.364] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="clfs", cchWideChar=4, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 4 [0028.364] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="clfs", cchWideChar=4, lpMultiByteStr=0x9c19d8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="clfs", lpUsedDefaultChar=0x0) returned 4 [0028.364] RegEnumKeyW (in: hKey=0x154, dwIndex=0x40, lpName=0x9b73c0, cchName=0x104 | out: lpName="clr_optimization_v2.0.50727_32") returned 0x0 [0028.364] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="clr_optimization_v2.0.50727_32", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0028.364] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="clr_optimization_v2.0.50727_32", cchWideChar=30, lpMultiByteStr=0x9c1990, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="clr_optimization_v2.0.50727_32", lpUsedDefaultChar=0x0) returned 30 [0028.364] RegEnumKeyW (in: hKey=0x154, dwIndex=0x41, lpName=0x9b73c0, cchName=0x104 | out: lpName="clr_optimization_v2.0.50727_64") returned 0x0 [0028.364] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="clr_optimization_v2.0.50727_64", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0028.364] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="clr_optimization_v2.0.50727_64", cchWideChar=30, lpMultiByteStr=0x9c19d8, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="clr_optimization_v2.0.50727_64", lpUsedDefaultChar=0x0) returned 30 [0028.364] RegEnumKeyW (in: hKey=0x154, dwIndex=0x42, lpName=0x9b73c0, cchName=0x104 | out: lpName="clr_optimization_v4.0.30319_32") returned 0x0 [0028.364] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="clr_optimization_v4.0.30319_32", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0028.364] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="clr_optimization_v4.0.30319_32", cchWideChar=30, lpMultiByteStr=0x9c1990, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="clr_optimization_v4.0.30319_32", lpUsedDefaultChar=0x0) returned 30 [0028.364] RegEnumKeyW (in: hKey=0x154, dwIndex=0x43, lpName=0x9b73c0, cchName=0x104 | out: lpName="clr_optimization_v4.0.30319_64") returned 0x0 [0028.364] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="clr_optimization_v4.0.30319_64", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0028.364] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="clr_optimization_v4.0.30319_64", cchWideChar=30, lpMultiByteStr=0x9c19d8, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="clr_optimization_v4.0.30319_64", lpUsedDefaultChar=0x0) returned 30 [0028.364] RegEnumKeyW (in: hKey=0x154, dwIndex=0x44, lpName=0x9b73c0, cchName=0x104 | out: lpName="CmBatt") returned 0x0 [0028.364] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="cmbatt", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0028.364] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="cmbatt", cchWideChar=6, lpMultiByteStr=0x9c1990, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="cmbatt", lpUsedDefaultChar=0x0) returned 6 [0028.364] RegEnumKeyW (in: hKey=0x154, dwIndex=0x45, lpName=0x9b73c0, cchName=0x104 | out: lpName="cmdide") returned 0x0 [0028.365] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="cmdide", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0028.365] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="cmdide", cchWideChar=6, lpMultiByteStr=0x9c19d8, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="cmdide", lpUsedDefaultChar=0x0) returned 6 [0028.365] RegEnumKeyW (in: hKey=0x154, dwIndex=0x46, lpName=0x9b73c0, cchName=0x104 | out: lpName="CNG") returned 0x0 [0028.365] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="cng", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0028.365] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="cng", cchWideChar=3, lpMultiByteStr=0x9c1990, cbMultiByte=3, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="cng", lpUsedDefaultChar=0x0) returned 3 [0028.365] RegEnumKeyW (in: hKey=0x154, dwIndex=0x47, lpName=0x9b73c0, cchName=0x104 | out: lpName="Compbatt") returned 0x0 [0028.365] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="compbatt", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0028.365] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="compbatt", cchWideChar=8, lpMultiByteStr=0x9c19d8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="compbatt", lpUsedDefaultChar=0x0) returned 8 [0028.365] RegEnumKeyW (in: hKey=0x154, dwIndex=0x48, lpName=0x9b73c0, cchName=0x104 | out: lpName="CompositeBus") returned 0x0 [0028.365] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="compositebus", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0028.365] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="compositebus", cchWideChar=12, lpMultiByteStr=0x9c1990, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="compositebus", lpUsedDefaultChar=0x0) returned 12 [0028.365] RegEnumKeyW (in: hKey=0x154, dwIndex=0x49, lpName=0x9b73c0, cchName=0x104 | out: lpName="COMSysApp") returned 0x0 [0028.365] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="comsysapp", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0028.365] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="comsysapp", cchWideChar=9, lpMultiByteStr=0x9c19d8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="comsysapp", lpUsedDefaultChar=0x0) returned 9 [0028.365] RegEnumKeyW (in: hKey=0x154, dwIndex=0x4a, lpName=0x9b73c0, cchName=0x104 | out: lpName="crcdisk") returned 0x0 [0028.365] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="crcdisk", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0028.365] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="crcdisk", cchWideChar=7, lpMultiByteStr=0x9c1990, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="crcdisk", lpUsedDefaultChar=0x0) returned 7 [0028.365] RegEnumKeyW (in: hKey=0x154, dwIndex=0x4b, lpName=0x9b73c0, cchName=0x104 | out: lpName="crypt32") returned 0x0 [0028.365] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="crypt32", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0028.365] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="crypt32", cchWideChar=7, lpMultiByteStr=0x9c19d8, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="crypt32", lpUsedDefaultChar=0x0) returned 7 [0028.365] RegEnumKeyW (in: hKey=0x154, dwIndex=0x4c, lpName=0x9b73c0, cchName=0x104 | out: lpName="CryptSvc") returned 0x0 [0028.365] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="cryptsvc", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0028.365] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="cryptsvc", cchWideChar=8, lpMultiByteStr=0x9c1990, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="cryptsvc", lpUsedDefaultChar=0x0) returned 8 [0028.365] RegEnumKeyW (in: hKey=0x154, dwIndex=0x4d, lpName=0x9b73c0, cchName=0x104 | out: lpName="CSC") returned 0x0 [0028.365] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="csc", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0028.365] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="csc", cchWideChar=3, lpMultiByteStr=0x9c19d8, cbMultiByte=3, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="csc", lpUsedDefaultChar=0x0) returned 3 [0028.365] RegEnumKeyW (in: hKey=0x154, dwIndex=0x4e, lpName=0x9b73c0, cchName=0x104 | out: lpName="CscService") returned 0x0 [0028.366] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="cscservice", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0028.366] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="cscservice", cchWideChar=10, lpMultiByteStr=0x9c1990, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="cscservice", lpUsedDefaultChar=0x0) returned 10 [0028.366] RegEnumKeyW (in: hKey=0x154, dwIndex=0x4f, lpName=0x9b73c0, cchName=0x104 | out: lpName="DCLocator") returned 0x0 [0028.366] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="dclocator", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0028.366] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="dclocator", cchWideChar=9, lpMultiByteStr=0x9c19d8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dclocator", lpUsedDefaultChar=0x0) returned 9 [0028.366] RegEnumKeyW (in: hKey=0x154, dwIndex=0x50, lpName=0x9b73c0, cchName=0x104 | out: lpName="DcomLaunch") returned 0x0 [0028.366] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="dcomlaunch", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0028.366] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="dcomlaunch", cchWideChar=10, lpMultiByteStr=0x9c1990, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dcomlaunch", lpUsedDefaultChar=0x0) returned 10 [0028.366] RegEnumKeyW (in: hKey=0x154, dwIndex=0x51, lpName=0x9b73c0, cchName=0x104 | out: lpName="defragsvc") returned 0x0 [0028.366] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="defragsvc", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0028.366] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="defragsvc", cchWideChar=9, lpMultiByteStr=0x9c19d8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="defragsvc", lpUsedDefaultChar=0x0) returned 9 [0028.366] RegEnumKeyW (in: hKey=0x154, dwIndex=0x52, lpName=0x9b73c0, cchName=0x104 | out: lpName="DfsC") returned 0x0 [0028.366] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="dfsc", cchWideChar=4, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 4 [0028.366] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="dfsc", cchWideChar=4, lpMultiByteStr=0x9c1990, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dfsc", lpUsedDefaultChar=0x0) returned 4 [0028.366] RegEnumKeyW (in: hKey=0x154, dwIndex=0x53, lpName=0x9b73c0, cchName=0x104 | out: lpName="Dhcp") returned 0x0 [0028.366] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="dhcp", cchWideChar=4, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 4 [0028.366] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="dhcp", cchWideChar=4, lpMultiByteStr=0x9c19d8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dhcp", lpUsedDefaultChar=0x0) returned 4 [0028.366] RegEnumKeyW (in: hKey=0x154, dwIndex=0x54, lpName=0x9b73c0, cchName=0x104 | out: lpName="DiagTrack") returned 0x0 [0028.366] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="diagtrack", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0028.366] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="diagtrack", cchWideChar=9, lpMultiByteStr=0x9c1990, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="diagtrack", lpUsedDefaultChar=0x0) returned 9 [0028.366] RegEnumKeyW (in: hKey=0x154, dwIndex=0x55, lpName=0x9b73c0, cchName=0x104 | out: lpName="discache") returned 0x0 [0028.366] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="discache", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0028.366] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="discache", cchWideChar=8, lpMultiByteStr=0x9c19d8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="discache", lpUsedDefaultChar=0x0) returned 8 [0028.366] RegEnumKeyW (in: hKey=0x154, dwIndex=0x56, lpName=0x9b73c0, cchName=0x104 | out: lpName="Disk") returned 0x0 [0028.366] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="disk", cchWideChar=4, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 4 [0028.366] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="disk", cchWideChar=4, lpMultiByteStr=0x9c1990, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="disk", lpUsedDefaultChar=0x0) returned 4 [0028.367] RegEnumKeyW (in: hKey=0x154, dwIndex=0x57, lpName=0x9b73c0, cchName=0x104 | out: lpName="dmvsc") returned 0x0 [0028.367] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="dmvsc", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0028.367] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="dmvsc", cchWideChar=5, lpMultiByteStr=0x9c19d8, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dmvsc", lpUsedDefaultChar=0x0) returned 5 [0028.367] RegEnumKeyW (in: hKey=0x154, dwIndex=0x58, lpName=0x9b73c0, cchName=0x104 | out: lpName="Dnscache") returned 0x0 [0028.367] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="dnscache", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0028.367] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="dnscache", cchWideChar=8, lpMultiByteStr=0x9c1990, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dnscache", lpUsedDefaultChar=0x0) returned 8 [0028.367] RegEnumKeyW (in: hKey=0x154, dwIndex=0x59, lpName=0x9b73c0, cchName=0x104 | out: lpName="dot3svc") returned 0x0 [0028.367] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="dot3svc", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0028.367] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="dot3svc", cchWideChar=7, lpMultiByteStr=0x9c19d8, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dot3svc", lpUsedDefaultChar=0x0) returned 7 [0028.367] RegEnumKeyW (in: hKey=0x154, dwIndex=0x5a, lpName=0x9b73c0, cchName=0x104 | out: lpName="DPS") returned 0x0 [0028.367] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="dps", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0028.367] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="dps", cchWideChar=3, lpMultiByteStr=0x9c1990, cbMultiByte=3, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dps", lpUsedDefaultChar=0x0) returned 3 [0028.367] RegEnumKeyW (in: hKey=0x154, dwIndex=0x5b, lpName=0x9b73c0, cchName=0x104 | out: lpName="drmkaud") returned 0x0 [0028.367] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="drmkaud", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0028.367] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="drmkaud", cchWideChar=7, lpMultiByteStr=0x9c19d8, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="drmkaud", lpUsedDefaultChar=0x0) returned 7 [0028.367] RegEnumKeyW (in: hKey=0x154, dwIndex=0x5c, lpName=0x9b73c0, cchName=0x104 | out: lpName="DXGKrnl") returned 0x0 [0028.367] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="dxgkrnl", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0028.367] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="dxgkrnl", cchWideChar=7, lpMultiByteStr=0x9c1990, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dxgkrnl", lpUsedDefaultChar=0x0) returned 7 [0028.367] RegEnumKeyW (in: hKey=0x154, dwIndex=0x5d, lpName=0x9b73c0, cchName=0x104 | out: lpName="E1G60") returned 0x0 [0028.367] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="e1g60", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0028.367] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="e1g60", cchWideChar=5, lpMultiByteStr=0x9c19d8, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="e1g60", lpUsedDefaultChar=0x0) returned 5 [0028.367] RegEnumKeyW (in: hKey=0x154, dwIndex=0x5e, lpName=0x9b73c0, cchName=0x104 | out: lpName="EapHost") returned 0x0 [0028.367] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="eaphost", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0028.367] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="eaphost", cchWideChar=7, lpMultiByteStr=0x9c1990, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="eaphost", lpUsedDefaultChar=0x0) returned 7 [0028.368] RegEnumKeyW (in: hKey=0x154, dwIndex=0x5f, lpName=0x9b73c0, cchName=0x104 | out: lpName="ebdrv") returned 0x0 [0028.368] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ebdrv", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0028.368] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ebdrv", cchWideChar=5, lpMultiByteStr=0x9c19d8, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ebdrv", lpUsedDefaultChar=0x0) returned 5 [0028.368] RegEnumKeyW (in: hKey=0x154, dwIndex=0x60, lpName=0x9b73c0, cchName=0x104 | out: lpName="EFS") returned 0x0 [0028.368] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="efs", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0028.368] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="efs", cchWideChar=3, lpMultiByteStr=0x9c1990, cbMultiByte=3, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="efs", lpUsedDefaultChar=0x0) returned 3 [0028.368] RegEnumKeyW (in: hKey=0x154, dwIndex=0x61, lpName=0x9b73c0, cchName=0x104 | out: lpName="ehRecvr") returned 0x0 [0028.368] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ehrecvr", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0028.368] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ehrecvr", cchWideChar=7, lpMultiByteStr=0x9c19d8, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ehrecvr", lpUsedDefaultChar=0x0) returned 7 [0028.368] RegEnumKeyW (in: hKey=0x154, dwIndex=0x62, lpName=0x9b73c0, cchName=0x104 | out: lpName="ehSched") returned 0x0 [0028.368] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ehsched", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0028.368] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ehsched", cchWideChar=7, lpMultiByteStr=0x9c1990, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ehsched", lpUsedDefaultChar=0x0) returned 7 [0028.368] RegEnumKeyW (in: hKey=0x154, dwIndex=0x63, lpName=0x9b73c0, cchName=0x104 | out: lpName="elxstor") returned 0x0 [0028.368] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="elxstor", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0028.368] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="elxstor", cchWideChar=7, lpMultiByteStr=0x9c19d8, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="elxstor", lpUsedDefaultChar=0x0) returned 7 [0028.368] RegEnumKeyW (in: hKey=0x154, dwIndex=0x64, lpName=0x9b73c0, cchName=0x104 | out: lpName="ErrDev") returned 0x0 [0028.368] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="errdev", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0028.368] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="errdev", cchWideChar=6, lpMultiByteStr=0x9c1990, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="errdev", lpUsedDefaultChar=0x0) returned 6 [0028.368] RegEnumKeyW (in: hKey=0x154, dwIndex=0x65, lpName=0x9b73c0, cchName=0x104 | out: lpName="ESENT") returned 0x0 [0028.369] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="esent", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0028.369] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="esent", cchWideChar=5, lpMultiByteStr=0x9c19d8, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="esent", lpUsedDefaultChar=0x0) returned 5 [0028.369] RegEnumKeyW (in: hKey=0x154, dwIndex=0x66, lpName=0x9b73c0, cchName=0x104 | out: lpName="eventlog") returned 0x0 [0028.369] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="eventlog", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0028.369] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="eventlog", cchWideChar=8, lpMultiByteStr=0x9c1990, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="eventlog", lpUsedDefaultChar=0x0) returned 8 [0028.369] RegEnumKeyW (in: hKey=0x154, dwIndex=0x67, lpName=0x9b73c0, cchName=0x104 | out: lpName="EventSystem") returned 0x0 [0028.369] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="eventsystem", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0028.369] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="eventsystem", cchWideChar=11, lpMultiByteStr=0x9c19d8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="eventsystem", lpUsedDefaultChar=0x0) returned 11 [0028.369] RegEnumKeyW (in: hKey=0x154, dwIndex=0x68, lpName=0x9b73c0, cchName=0x104 | out: lpName="exfat") returned 0x0 [0028.369] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="exfat", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0028.369] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="exfat", cchWideChar=5, lpMultiByteStr=0x9c1990, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="exfat", lpUsedDefaultChar=0x0) returned 5 [0028.369] RegEnumKeyW (in: hKey=0x154, dwIndex=0x69, lpName=0x9b73c0, cchName=0x104 | out: lpName="fastfat") returned 0x0 [0028.369] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="fastfat", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0028.369] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="fastfat", cchWideChar=7, lpMultiByteStr=0x9c19d8, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="fastfat", lpUsedDefaultChar=0x0) returned 7 [0028.369] RegEnumKeyW (in: hKey=0x154, dwIndex=0x6a, lpName=0x9b73c0, cchName=0x104 | out: lpName="Fax") returned 0x0 [0028.369] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="fax", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0028.369] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="fax", cchWideChar=3, lpMultiByteStr=0x9c1990, cbMultiByte=3, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="fax", lpUsedDefaultChar=0x0) returned 3 [0028.369] RegEnumKeyW (in: hKey=0x154, dwIndex=0x6b, lpName=0x9b73c0, cchName=0x104 | out: lpName="fdc") returned 0x0 [0028.369] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="fdc", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0028.369] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="fdc", cchWideChar=3, lpMultiByteStr=0x9c19d8, cbMultiByte=3, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="fdc", lpUsedDefaultChar=0x0) returned 3 [0028.369] RegEnumKeyW (in: hKey=0x154, dwIndex=0x6c, lpName=0x9b73c0, cchName=0x104 | out: lpName="fdPHost") returned 0x0 [0028.369] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="fdphost", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0028.369] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="fdphost", cchWideChar=7, lpMultiByteStr=0x9c1990, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="fdphost", lpUsedDefaultChar=0x0) returned 7 [0028.369] RegEnumKeyW (in: hKey=0x154, dwIndex=0x6d, lpName=0x9b73c0, cchName=0x104 | out: lpName="FDResPub") returned 0x0 [0028.369] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="fdrespub", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0028.370] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="fdrespub", cchWideChar=8, lpMultiByteStr=0x9c19d8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="fdrespub", lpUsedDefaultChar=0x0) returned 8 [0028.370] RegEnumKeyW (in: hKey=0x154, dwIndex=0x6e, lpName=0x9b73c0, cchName=0x104 | out: lpName="FileInfo") returned 0x0 [0028.370] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="fileinfo", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0028.370] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="fileinfo", cchWideChar=8, lpMultiByteStr=0x9c1990, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="fileinfo", lpUsedDefaultChar=0x0) returned 8 [0028.370] RegEnumKeyW (in: hKey=0x154, dwIndex=0x6f, lpName=0x9b73c0, cchName=0x104 | out: lpName="Filetrace") returned 0x0 [0028.370] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="filetrace", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0028.370] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="filetrace", cchWideChar=9, lpMultiByteStr=0x9c19d8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="filetrace", lpUsedDefaultChar=0x0) returned 9 [0028.370] RegEnumKeyW (in: hKey=0x154, dwIndex=0x70, lpName=0x9b73c0, cchName=0x104 | out: lpName="flpydisk") returned 0x0 [0028.370] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="flpydisk", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0028.370] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="flpydisk", cchWideChar=8, lpMultiByteStr=0x9c1990, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="flpydisk", lpUsedDefaultChar=0x0) returned 8 [0028.370] RegEnumKeyW (in: hKey=0x154, dwIndex=0x71, lpName=0x9b73c0, cchName=0x104 | out: lpName="FltMgr") returned 0x0 [0028.370] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="fltmgr", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0028.370] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="fltmgr", cchWideChar=6, lpMultiByteStr=0x9c19d8, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="fltmgr", lpUsedDefaultChar=0x0) returned 6 [0028.370] RegEnumKeyW (in: hKey=0x154, dwIndex=0x72, lpName=0x9b73c0, cchName=0x104 | out: lpName="FontCache") returned 0x0 [0028.370] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="fontcache", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0028.370] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="fontcache", cchWideChar=9, lpMultiByteStr=0x9c1990, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="fontcache", lpUsedDefaultChar=0x0) returned 9 [0028.370] RegEnumKeyW (in: hKey=0x154, dwIndex=0x73, lpName=0x9b73c0, cchName=0x104 | out: lpName="FontCache3.0.0.0") returned 0x0 [0028.370] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="fontcache3.0.0.0", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0028.370] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="fontcache3.0.0.0", cchWideChar=16, lpMultiByteStr=0x9c19d8, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="fontcache3.0.0.0", lpUsedDefaultChar=0x0) returned 16 [0028.370] RegEnumKeyW (in: hKey=0x154, dwIndex=0x74, lpName=0x9b73c0, cchName=0x104 | out: lpName="FsDepends") returned 0x0 [0028.370] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="fsdepends", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0028.370] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="fsdepends", cchWideChar=9, lpMultiByteStr=0x9c1990, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="fsdepends", lpUsedDefaultChar=0x0) returned 9 [0028.370] RegEnumKeyW (in: hKey=0x154, dwIndex=0x75, lpName=0x9b73c0, cchName=0x104 | out: lpName="Fs_Rec") returned 0x0 [0028.370] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="fs_rec", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0028.370] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="fs_rec", cchWideChar=6, lpMultiByteStr=0x9c19d8, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="fs_rec", lpUsedDefaultChar=0x0) returned 6 [0028.370] RegEnumKeyW (in: hKey=0x154, dwIndex=0x76, lpName=0x9b73c0, cchName=0x104 | out: lpName="fvevol") returned 0x0 [0028.370] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="fvevol", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0028.371] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="fvevol", cchWideChar=6, lpMultiByteStr=0x9c1990, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="fvevol", lpUsedDefaultChar=0x0) returned 6 [0028.371] RegEnumKeyW (in: hKey=0x154, dwIndex=0x77, lpName=0x9b73c0, cchName=0x104 | out: lpName="gagp30kx") returned 0x0 [0028.371] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="gagp30kx", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0028.371] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="gagp30kx", cchWideChar=8, lpMultiByteStr=0x9c19d8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="gagp30kx", lpUsedDefaultChar=0x0) returned 8 [0028.371] RegEnumKeyW (in: hKey=0x154, dwIndex=0x78, lpName=0x9b73c0, cchName=0x104 | out: lpName="gpsvc") returned 0x0 [0028.371] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="gpsvc", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0028.371] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="gpsvc", cchWideChar=5, lpMultiByteStr=0x9c1990, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="gpsvc", lpUsedDefaultChar=0x0) returned 5 [0028.371] RegEnumKeyW (in: hKey=0x154, dwIndex=0x79, lpName=0x9b73c0, cchName=0x104 | out: lpName="gupdate") returned 0x0 [0028.371] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="gupdate", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0028.371] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="gupdate", cchWideChar=7, lpMultiByteStr=0x9c19d8, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="gupdate", lpUsedDefaultChar=0x0) returned 7 [0028.371] RegEnumKeyW (in: hKey=0x154, dwIndex=0x7a, lpName=0x9b73c0, cchName=0x104 | out: lpName="gupdatem") returned 0x0 [0028.371] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="gupdatem", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0028.371] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="gupdatem", cchWideChar=8, lpMultiByteStr=0x9c1990, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="gupdatem", lpUsedDefaultChar=0x0) returned 8 [0028.371] RegEnumKeyW (in: hKey=0x154, dwIndex=0x7b, lpName=0x9b73c0, cchName=0x104 | out: lpName="hcw85cir") returned 0x0 [0028.371] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="hcw85cir", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0028.371] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="hcw85cir", cchWideChar=8, lpMultiByteStr=0x9c19d8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="hcw85cir", lpUsedDefaultChar=0x0) returned 8 [0028.371] RegEnumKeyW (in: hKey=0x154, dwIndex=0x7c, lpName=0x9b73c0, cchName=0x104 | out: lpName="HdAudAddService") returned 0x0 [0028.371] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="hdaudaddservice", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0028.371] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="hdaudaddservice", cchWideChar=15, lpMultiByteStr=0x9c1990, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="hdaudaddservice", lpUsedDefaultChar=0x0) returned 15 [0028.371] RegEnumKeyW (in: hKey=0x154, dwIndex=0x7d, lpName=0x9b73c0, cchName=0x104 | out: lpName="HDAudBus") returned 0x0 [0028.371] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="hdaudbus", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0028.371] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="hdaudbus", cchWideChar=8, lpMultiByteStr=0x9c19d8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="hdaudbus", lpUsedDefaultChar=0x0) returned 8 [0028.371] RegEnumKeyW (in: hKey=0x154, dwIndex=0x7e, lpName=0x9b73c0, cchName=0x104 | out: lpName="HidBatt") returned 0x0 [0028.371] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="hidbatt", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0028.372] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="hidbatt", cchWideChar=7, lpMultiByteStr=0x9c1990, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="hidbatt", lpUsedDefaultChar=0x0) returned 7 [0028.372] RegEnumKeyW (in: hKey=0x154, dwIndex=0x7f, lpName=0x9b73c0, cchName=0x104 | out: lpName="HidBth") returned 0x0 [0028.372] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="hidbth", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0028.372] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="hidbth", cchWideChar=6, lpMultiByteStr=0x9c19d8, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="hidbth", lpUsedDefaultChar=0x0) returned 6 [0028.372] RegEnumKeyW (in: hKey=0x154, dwIndex=0x80, lpName=0x9b73c0, cchName=0x104 | out: lpName="HidIr") returned 0x0 [0028.372] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="hidir", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0028.372] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="hidir", cchWideChar=5, lpMultiByteStr=0x9c1990, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="hidir", lpUsedDefaultChar=0x0) returned 5 [0028.372] RegEnumKeyW (in: hKey=0x154, dwIndex=0x81, lpName=0x9b73c0, cchName=0x104 | out: lpName="hidserv") returned 0x0 [0028.372] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="hidserv", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0028.372] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="hidserv", cchWideChar=7, lpMultiByteStr=0x9c19d8, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="hidserv", lpUsedDefaultChar=0x0) returned 7 [0028.372] RegEnumKeyW (in: hKey=0x154, dwIndex=0x82, lpName=0x9b73c0, cchName=0x104 | out: lpName="HidUsb") returned 0x0 [0028.372] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="hidusb", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0028.372] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="hidusb", cchWideChar=6, lpMultiByteStr=0x9c1990, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="hidusb", lpUsedDefaultChar=0x0) returned 6 [0028.372] RegEnumKeyW (in: hKey=0x154, dwIndex=0x83, lpName=0x9b73c0, cchName=0x104 | out: lpName="hkmsvc") returned 0x0 [0028.372] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="hkmsvc", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0028.372] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="hkmsvc", cchWideChar=6, lpMultiByteStr=0x9c19d8, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="hkmsvc", lpUsedDefaultChar=0x0) returned 6 [0028.372] RegEnumKeyW (in: hKey=0x154, dwIndex=0x84, lpName=0x9b73c0, cchName=0x104 | out: lpName="HomeGroupListener") returned 0x0 [0028.372] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="homegrouplistener", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0028.372] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="homegrouplistener", cchWideChar=17, lpMultiByteStr=0x9c1990, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="homegrouplistener", lpUsedDefaultChar=0x0) returned 17 [0028.372] RegEnumKeyW (in: hKey=0x154, dwIndex=0x85, lpName=0x9b73c0, cchName=0x104 | out: lpName="HomeGroupProvider") returned 0x0 [0028.372] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="homegroupprovider", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0028.372] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="homegroupprovider", cchWideChar=17, lpMultiByteStr=0x9c19d8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="homegroupprovider", lpUsedDefaultChar=0x0) returned 17 [0028.372] RegEnumKeyW (in: hKey=0x154, dwIndex=0x86, lpName=0x9b73c0, cchName=0x104 | out: lpName="HpSAMD") returned 0x0 [0028.372] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="hpsamd", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0028.372] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="hpsamd", cchWideChar=6, lpMultiByteStr=0x9c1990, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="hpsamd", lpUsedDefaultChar=0x0) returned 6 [0028.372] RegEnumKeyW (in: hKey=0x154, dwIndex=0x87, lpName=0x9b73c0, cchName=0x104 | out: lpName="HTTP") returned 0x0 [0028.373] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="http", cchWideChar=4, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 4 [0028.373] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="http", cchWideChar=4, lpMultiByteStr=0x9c19d8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="http", lpUsedDefaultChar=0x0) returned 4 [0028.373] RegEnumKeyW (in: hKey=0x154, dwIndex=0x88, lpName=0x9b73c0, cchName=0x104 | out: lpName="hwpolicy") returned 0x0 [0028.373] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="hwpolicy", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0028.373] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="hwpolicy", cchWideChar=8, lpMultiByteStr=0x9c1990, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="hwpolicy", lpUsedDefaultChar=0x0) returned 8 [0028.373] RegEnumKeyW (in: hKey=0x154, dwIndex=0x89, lpName=0x9b73c0, cchName=0x104 | out: lpName="i8042prt") returned 0x0 [0028.373] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="i8042prt", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0028.373] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="i8042prt", cchWideChar=8, lpMultiByteStr=0x9c19d8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="i8042prt", lpUsedDefaultChar=0x0) returned 8 [0028.373] RegEnumKeyW (in: hKey=0x154, dwIndex=0x8a, lpName=0x9b73c0, cchName=0x104 | out: lpName="iaStorV") returned 0x0 [0028.373] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="iastorv", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0028.373] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="iastorv", cchWideChar=7, lpMultiByteStr=0x9c1990, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="iastorv", lpUsedDefaultChar=0x0) returned 7 [0028.373] RegEnumKeyW (in: hKey=0x154, dwIndex=0x8b, lpName=0x9b73c0, cchName=0x104 | out: lpName="idsvc") returned 0x0 [0028.373] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="idsvc", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0028.373] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="idsvc", cchWideChar=5, lpMultiByteStr=0x9c19d8, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="idsvc", lpUsedDefaultChar=0x0) returned 5 [0028.373] RegEnumKeyW (in: hKey=0x154, dwIndex=0x8c, lpName=0x9b73c0, cchName=0x104 | out: lpName="iirsp") returned 0x0 [0028.373] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="iirsp", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0028.373] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="iirsp", cchWideChar=5, lpMultiByteStr=0x9c1990, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="iirsp", lpUsedDefaultChar=0x0) returned 5 [0028.373] RegEnumKeyW (in: hKey=0x154, dwIndex=0x8d, lpName=0x9b73c0, cchName=0x104 | out: lpName="IKEEXT") returned 0x0 [0028.373] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ikeext", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0028.373] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ikeext", cchWideChar=6, lpMultiByteStr=0x9c19d8, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ikeext", lpUsedDefaultChar=0x0) returned 6 [0028.373] RegEnumKeyW (in: hKey=0x154, dwIndex=0x8e, lpName=0x9b73c0, cchName=0x104 | out: lpName="inetaccs") returned 0x0 [0028.373] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="inetaccs", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0028.373] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="inetaccs", cchWideChar=8, lpMultiByteStr=0x9c1990, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="inetaccs", lpUsedDefaultChar=0x0) returned 8 [0028.373] RegEnumKeyW (in: hKey=0x154, dwIndex=0x8f, lpName=0x9b73c0, cchName=0x104 | out: lpName="intelide") returned 0x0 [0028.373] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="intelide", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0028.373] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="intelide", cchWideChar=8, lpMultiByteStr=0x9c19d8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="intelide", lpUsedDefaultChar=0x0) returned 8 [0028.374] RegEnumKeyW (in: hKey=0x154, dwIndex=0x90, lpName=0x9b73c0, cchName=0x104 | out: lpName="intelppm") returned 0x0 [0028.374] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="intelppm", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0028.374] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="intelppm", cchWideChar=8, lpMultiByteStr=0x9c1990, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="intelppm", lpUsedDefaultChar=0x0) returned 8 [0028.374] RegEnumKeyW (in: hKey=0x154, dwIndex=0x91, lpName=0x9b73c0, cchName=0x104 | out: lpName="IPBusEnum") returned 0x0 [0028.374] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ipbusenum", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0028.374] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ipbusenum", cchWideChar=9, lpMultiByteStr=0x9c19d8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ipbusenum", lpUsedDefaultChar=0x0) returned 9 [0028.374] RegEnumKeyW (in: hKey=0x154, dwIndex=0x92, lpName=0x9b73c0, cchName=0x104 | out: lpName="IpFilterDriver") returned 0x0 [0028.374] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ipfilterdriver", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0028.374] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ipfilterdriver", cchWideChar=14, lpMultiByteStr=0x9c1990, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ipfilterdriver", lpUsedDefaultChar=0x0) returned 14 [0028.374] RegEnumKeyW (in: hKey=0x154, dwIndex=0x93, lpName=0x9b73c0, cchName=0x104 | out: lpName="iphlpsvc") returned 0x0 [0028.374] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="iphlpsvc", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0028.374] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="iphlpsvc", cchWideChar=8, lpMultiByteStr=0x9c19d8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="iphlpsvc", lpUsedDefaultChar=0x0) returned 8 [0028.374] RegEnumKeyW (in: hKey=0x154, dwIndex=0x94, lpName=0x9b73c0, cchName=0x104 | out: lpName="IPMIDRV") returned 0x0 [0028.374] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ipmidrv", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0028.374] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ipmidrv", cchWideChar=7, lpMultiByteStr=0x9c1990, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ipmidrv", lpUsedDefaultChar=0x0) returned 7 [0028.374] RegEnumKeyW (in: hKey=0x154, dwIndex=0x95, lpName=0x9b73c0, cchName=0x104 | out: lpName="IPNAT") returned 0x0 [0028.374] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ipnat", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0028.374] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ipnat", cchWideChar=5, lpMultiByteStr=0x9c19d8, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ipnat", lpUsedDefaultChar=0x0) returned 5 [0028.374] RegEnumKeyW (in: hKey=0x154, dwIndex=0x96, lpName=0x9b73c0, cchName=0x104 | out: lpName="IRENUM") returned 0x0 [0028.374] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="irenum", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0028.374] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="irenum", cchWideChar=6, lpMultiByteStr=0x9c1990, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="irenum", lpUsedDefaultChar=0x0) returned 6 [0028.374] RegEnumKeyW (in: hKey=0x154, dwIndex=0x97, lpName=0x9b73c0, cchName=0x104 | out: lpName="isapnp") returned 0x0 [0028.374] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="isapnp", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0028.374] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="isapnp", cchWideChar=6, lpMultiByteStr=0x9c19d8, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="isapnp", lpUsedDefaultChar=0x0) returned 6 [0028.374] RegEnumKeyW (in: hKey=0x154, dwIndex=0x98, lpName=0x9b73c0, cchName=0x104 | out: lpName="iScsiPrt") returned 0x0 [0028.374] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="iscsiprt", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0028.375] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="iscsiprt", cchWideChar=8, lpMultiByteStr=0x9c1990, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="iscsiprt", lpUsedDefaultChar=0x0) returned 8 [0028.375] RegEnumKeyW (in: hKey=0x154, dwIndex=0x99, lpName=0x9b73c0, cchName=0x104 | out: lpName="kbdclass") returned 0x0 [0028.375] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kbdclass", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0028.375] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kbdclass", cchWideChar=8, lpMultiByteStr=0x9c19d8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kbdclass", lpUsedDefaultChar=0x0) returned 8 [0028.375] RegEnumKeyW (in: hKey=0x154, dwIndex=0x9a, lpName=0x9b73c0, cchName=0x104 | out: lpName="kbdhid") returned 0x0 [0028.375] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kbdhid", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0028.375] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kbdhid", cchWideChar=6, lpMultiByteStr=0x9c1990, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kbdhid", lpUsedDefaultChar=0x0) returned 6 [0028.375] RegEnumKeyW (in: hKey=0x154, dwIndex=0x9b, lpName=0x9b73c0, cchName=0x104 | out: lpName="KeyIso") returned 0x0 [0028.375] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="keyiso", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0028.375] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="keyiso", cchWideChar=6, lpMultiByteStr=0x9c19d8, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="keyiso", lpUsedDefaultChar=0x0) returned 6 [0028.375] RegEnumKeyW (in: hKey=0x154, dwIndex=0x9c, lpName=0x9b73c0, cchName=0x104 | out: lpName="KSecDD") returned 0x0 [0028.375] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ksecdd", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0028.375] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ksecdd", cchWideChar=6, lpMultiByteStr=0x9c1990, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ksecdd", lpUsedDefaultChar=0x0) returned 6 [0028.375] RegEnumKeyW (in: hKey=0x154, dwIndex=0x9d, lpName=0x9b73c0, cchName=0x104 | out: lpName="KSecPkg") returned 0x0 [0028.375] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ksecpkg", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0028.375] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ksecpkg", cchWideChar=7, lpMultiByteStr=0x9c19d8, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ksecpkg", lpUsedDefaultChar=0x0) returned 7 [0028.375] RegEnumKeyW (in: hKey=0x154, dwIndex=0x9e, lpName=0x9b73c0, cchName=0x104 | out: lpName="ksthunk") returned 0x0 [0028.375] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ksthunk", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0028.375] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ksthunk", cchWideChar=7, lpMultiByteStr=0x9c1990, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ksthunk", lpUsedDefaultChar=0x0) returned 7 [0028.375] RegEnumKeyW (in: hKey=0x154, dwIndex=0x9f, lpName=0x9b73c0, cchName=0x104 | out: lpName="KtmRm") returned 0x0 [0028.375] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ktmrm", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0028.375] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ktmrm", cchWideChar=5, lpMultiByteStr=0x9c19d8, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ktmrm", lpUsedDefaultChar=0x0) returned 5 [0028.375] RegEnumKeyW (in: hKey=0x154, dwIndex=0xa0, lpName=0x9b73c0, cchName=0x104 | out: lpName="LanmanServer") returned 0x0 [0028.375] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="lanmanserver", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0028.375] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="lanmanserver", cchWideChar=12, lpMultiByteStr=0x9c1990, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="lanmanserver", lpUsedDefaultChar=0x0) returned 12 [0028.375] RegEnumKeyW (in: hKey=0x154, dwIndex=0xa1, lpName=0x9b73c0, cchName=0x104 | out: lpName="LanmanWorkstation") returned 0x0 [0028.376] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="lanmanworkstation", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0028.376] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="lanmanworkstation", cchWideChar=17, lpMultiByteStr=0x9c19d8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="lanmanworkstation", lpUsedDefaultChar=0x0) returned 17 [0028.376] RegEnumKeyW (in: hKey=0x154, dwIndex=0xa2, lpName=0x9b73c0, cchName=0x104 | out: lpName="ldap") returned 0x0 [0028.376] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ldap", cchWideChar=4, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 4 [0028.376] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ldap", cchWideChar=4, lpMultiByteStr=0x9c1990, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ldap", lpUsedDefaultChar=0x0) returned 4 [0028.376] RegEnumKeyW (in: hKey=0x154, dwIndex=0xa3, lpName=0x9b73c0, cchName=0x104 | out: lpName="lltdio") returned 0x0 [0028.376] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="lltdio", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0028.376] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="lltdio", cchWideChar=6, lpMultiByteStr=0x9c19d8, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="lltdio", lpUsedDefaultChar=0x0) returned 6 [0028.376] RegEnumKeyW (in: hKey=0x154, dwIndex=0xa4, lpName=0x9b73c0, cchName=0x104 | out: lpName="lltdsvc") returned 0x0 [0028.376] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="lltdsvc", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0028.376] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="lltdsvc", cchWideChar=7, lpMultiByteStr=0x9c1990, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="lltdsvc", lpUsedDefaultChar=0x0) returned 7 [0028.376] RegEnumKeyW (in: hKey=0x154, dwIndex=0xa5, lpName=0x9b73c0, cchName=0x104 | out: lpName="lmhosts") returned 0x0 [0028.376] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="lmhosts", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0028.376] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="lmhosts", cchWideChar=7, lpMultiByteStr=0x9c19d8, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="lmhosts", lpUsedDefaultChar=0x0) returned 7 [0028.376] RegEnumKeyW (in: hKey=0x154, dwIndex=0xa6, lpName=0x9b73c0, cchName=0x104 | out: lpName="Lsa") returned 0x0 [0028.376] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="lsa", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0028.376] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="lsa", cchWideChar=3, lpMultiByteStr=0x9c1990, cbMultiByte=3, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="lsa", lpUsedDefaultChar=0x0) returned 3 [0028.376] RegEnumKeyW (in: hKey=0x154, dwIndex=0xa7, lpName=0x9b73c0, cchName=0x104 | out: lpName="LSI_FC") returned 0x0 [0028.376] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="lsi_fc", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0028.376] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="lsi_fc", cchWideChar=6, lpMultiByteStr=0x9c19d8, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="lsi_fc", lpUsedDefaultChar=0x0) returned 6 [0028.376] RegEnumKeyW (in: hKey=0x154, dwIndex=0xa8, lpName=0x9b73c0, cchName=0x104 | out: lpName="LSI_SAS") returned 0x0 [0028.376] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="lsi_sas", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0028.376] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="lsi_sas", cchWideChar=7, lpMultiByteStr=0x9c1990, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="lsi_sas", lpUsedDefaultChar=0x0) returned 7 [0028.376] RegEnumKeyW (in: hKey=0x154, dwIndex=0xa9, lpName=0x9b73c0, cchName=0x104 | out: lpName="LSI_SAS2") returned 0x0 [0028.377] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="lsi_sas2", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0028.377] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="lsi_sas2", cchWideChar=8, lpMultiByteStr=0x9c19d8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="lsi_sas2", lpUsedDefaultChar=0x0) returned 8 [0028.377] RegEnumKeyW (in: hKey=0x154, dwIndex=0xaa, lpName=0x9b73c0, cchName=0x104 | out: lpName="LSI_SCSI") returned 0x0 [0028.377] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="lsi_scsi", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0028.377] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="lsi_scsi", cchWideChar=8, lpMultiByteStr=0x9c1990, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="lsi_scsi", lpUsedDefaultChar=0x0) returned 8 [0028.377] RegEnumKeyW (in: hKey=0x154, dwIndex=0xab, lpName=0x9b73c0, cchName=0x104 | out: lpName="luafv") returned 0x0 [0028.377] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="luafv", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0028.377] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="luafv", cchWideChar=5, lpMultiByteStr=0x9c19d8, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="luafv", lpUsedDefaultChar=0x0) returned 5 [0028.377] RegEnumKeyW (in: hKey=0x154, dwIndex=0xac, lpName=0x9b73c0, cchName=0x104 | out: lpName="Mcx2Svc") returned 0x0 [0028.377] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mcx2svc", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0028.377] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mcx2svc", cchWideChar=7, lpMultiByteStr=0x9c1990, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mcx2svc", lpUsedDefaultChar=0x0) returned 7 [0028.377] RegEnumKeyW (in: hKey=0x154, dwIndex=0xad, lpName=0x9b73c0, cchName=0x104 | out: lpName="megasas") returned 0x0 [0028.377] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="megasas", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0028.377] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="megasas", cchWideChar=7, lpMultiByteStr=0x9c19d8, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="megasas", lpUsedDefaultChar=0x0) returned 7 [0028.377] RegEnumKeyW (in: hKey=0x154, dwIndex=0xae, lpName=0x9b73c0, cchName=0x104 | out: lpName="MegaSR") returned 0x0 [0028.377] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="megasr", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0028.377] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="megasr", cchWideChar=6, lpMultiByteStr=0x9c1990, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="megasr", lpUsedDefaultChar=0x0) returned 6 [0028.377] RegEnumKeyW (in: hKey=0x154, dwIndex=0xaf, lpName=0x9b73c0, cchName=0x104 | out: lpName="Microsoft SharePoint Workspace Audit Service") returned 0x0 [0028.377] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="microsoft sharepoint workspace audit service", cchWideChar=44, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 44 [0028.377] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="microsoft sharepoint workspace audit service", cchWideChar=44, lpMultiByteStr=0x9c19d8, cbMultiByte=44, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="microsoft sharepoint workspace audit service", lpUsedDefaultChar=0x0) returned 44 [0028.377] RegEnumKeyW (in: hKey=0x154, dwIndex=0xb0, lpName=0x9b73c0, cchName=0x104 | out: lpName="MMCSS") returned 0x0 [0028.377] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mmcss", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0028.377] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mmcss", cchWideChar=5, lpMultiByteStr=0x9c1990, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mmcss", lpUsedDefaultChar=0x0) returned 5 [0028.377] RegEnumKeyW (in: hKey=0x154, dwIndex=0xb1, lpName=0x9b73c0, cchName=0x104 | out: lpName="Modem") returned 0x0 [0028.377] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="modem", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0028.377] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="modem", cchWideChar=5, lpMultiByteStr=0x9c19d8, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="modem", lpUsedDefaultChar=0x0) returned 5 [0028.377] RegEnumKeyW (in: hKey=0x154, dwIndex=0xb2, lpName=0x9b73c0, cchName=0x104 | out: lpName="monitor") returned 0x0 [0028.378] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="monitor", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0028.378] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="monitor", cchWideChar=7, lpMultiByteStr=0x9c1990, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="monitor", lpUsedDefaultChar=0x0) returned 7 [0028.378] RegEnumKeyW (in: hKey=0x154, dwIndex=0xb3, lpName=0x9b73c0, cchName=0x104 | out: lpName="mouclass") returned 0x0 [0028.378] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mouclass", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0028.378] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mouclass", cchWideChar=8, lpMultiByteStr=0x9c19d8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mouclass", lpUsedDefaultChar=0x0) returned 8 [0028.378] RegEnumKeyW (in: hKey=0x154, dwIndex=0xb4, lpName=0x9b73c0, cchName=0x104 | out: lpName="mouhid") returned 0x0 [0028.378] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mouhid", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0028.378] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mouhid", cchWideChar=6, lpMultiByteStr=0x9c1990, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mouhid", lpUsedDefaultChar=0x0) returned 6 [0028.378] RegEnumKeyW (in: hKey=0x154, dwIndex=0xb5, lpName=0x9b73c0, cchName=0x104 | out: lpName="mountmgr") returned 0x0 [0028.378] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mountmgr", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0028.378] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mountmgr", cchWideChar=8, lpMultiByteStr=0x9c19d8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mountmgr", lpUsedDefaultChar=0x0) returned 8 [0028.378] RegEnumKeyW (in: hKey=0x154, dwIndex=0xb6, lpName=0x9b73c0, cchName=0x104 | out: lpName="MozillaMaintenance") returned 0x0 [0028.378] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mozillamaintenance", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0028.378] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mozillamaintenance", cchWideChar=18, lpMultiByteStr=0x9c1990, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mozillamaintenance", lpUsedDefaultChar=0x0) returned 18 [0028.378] RegEnumKeyW (in: hKey=0x154, dwIndex=0xb7, lpName=0x9b73c0, cchName=0x104 | out: lpName="mpio") returned 0x0 [0028.378] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mpio", cchWideChar=4, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 4 [0028.378] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mpio", cchWideChar=4, lpMultiByteStr=0x9c19d8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mpio", lpUsedDefaultChar=0x0) returned 4 [0028.378] RegEnumKeyW (in: hKey=0x154, dwIndex=0xb8, lpName=0x9b73c0, cchName=0x104 | out: lpName="mpsdrv") returned 0x0 [0028.378] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mpsdrv", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0028.378] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mpsdrv", cchWideChar=6, lpMultiByteStr=0x9c1990, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mpsdrv", lpUsedDefaultChar=0x0) returned 6 [0028.378] RegEnumKeyW (in: hKey=0x154, dwIndex=0xb9, lpName=0x9b73c0, cchName=0x104 | out: lpName="MpsSvc") returned 0x0 [0028.378] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mpssvc", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0028.378] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mpssvc", cchWideChar=6, lpMultiByteStr=0x9c19d8, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mpssvc", lpUsedDefaultChar=0x0) returned 6 [0028.378] RegEnumKeyW (in: hKey=0x154, dwIndex=0xba, lpName=0x9b73c0, cchName=0x104 | out: lpName="MRxDAV") returned 0x0 [0028.378] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mrxdav", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0028.378] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mrxdav", cchWideChar=6, lpMultiByteStr=0x9c1990, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mrxdav", lpUsedDefaultChar=0x0) returned 6 [0028.379] RegEnumKeyW (in: hKey=0x154, dwIndex=0xbb, lpName=0x9b73c0, cchName=0x104 | out: lpName="mrxsmb") returned 0x0 [0028.379] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mrxsmb", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0028.379] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mrxsmb", cchWideChar=6, lpMultiByteStr=0x9c19d8, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mrxsmb", lpUsedDefaultChar=0x0) returned 6 [0028.379] RegEnumKeyW (in: hKey=0x154, dwIndex=0xbc, lpName=0x9b73c0, cchName=0x104 | out: lpName="mrxsmb10") returned 0x0 [0028.379] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mrxsmb10", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0028.379] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mrxsmb10", cchWideChar=8, lpMultiByteStr=0x9c1990, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mrxsmb10", lpUsedDefaultChar=0x0) returned 8 [0028.379] RegEnumKeyW (in: hKey=0x154, dwIndex=0xbd, lpName=0x9b73c0, cchName=0x104 | out: lpName="mrxsmb20") returned 0x0 [0028.379] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mrxsmb20", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0028.379] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mrxsmb20", cchWideChar=8, lpMultiByteStr=0x9c19d8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mrxsmb20", lpUsedDefaultChar=0x0) returned 8 [0028.379] RegEnumKeyW (in: hKey=0x154, dwIndex=0xbe, lpName=0x9b73c0, cchName=0x104 | out: lpName="msahci") returned 0x0 [0028.379] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="msahci", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0028.379] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="msahci", cchWideChar=6, lpMultiByteStr=0x9c1990, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msahci", lpUsedDefaultChar=0x0) returned 6 [0028.379] RegEnumKeyW (in: hKey=0x154, dwIndex=0xbf, lpName=0x9b73c0, cchName=0x104 | out: lpName="msdsm") returned 0x0 [0028.379] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="msdsm", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0028.379] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="msdsm", cchWideChar=5, lpMultiByteStr=0x9c19d8, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msdsm", lpUsedDefaultChar=0x0) returned 5 [0028.379] RegEnumKeyW (in: hKey=0x154, dwIndex=0xc0, lpName=0x9b73c0, cchName=0x104 | out: lpName="MSDTC") returned 0x0 [0028.379] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="msdtc", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0028.379] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="msdtc", cchWideChar=5, lpMultiByteStr=0x9c1990, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msdtc", lpUsedDefaultChar=0x0) returned 5 [0028.379] RegEnumKeyW (in: hKey=0x154, dwIndex=0xc1, lpName=0x9b73c0, cchName=0x104 | out: lpName="MSDTC Bridge 3.0.0.0") returned 0x0 [0028.379] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="msdtc bridge 3.0.0.0", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0028.379] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="msdtc bridge 3.0.0.0", cchWideChar=20, lpMultiByteStr=0x9c19d8, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msdtc bridge 3.0.0.0", lpUsedDefaultChar=0x0) returned 20 [0028.379] RegEnumKeyW (in: hKey=0x154, dwIndex=0xc2, lpName=0x9b73c0, cchName=0x104 | out: lpName="MSDTC Bridge 4.0.0.0") returned 0x0 [0028.379] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="msdtc bridge 4.0.0.0", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0028.379] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="msdtc bridge 4.0.0.0", cchWideChar=20, lpMultiByteStr=0x9c1990, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msdtc bridge 4.0.0.0", lpUsedDefaultChar=0x0) returned 20 [0028.379] RegEnumKeyW (in: hKey=0x154, dwIndex=0xc3, lpName=0x9b73c0, cchName=0x104 | out: lpName="Msfs") returned 0x0 [0028.380] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="msfs", cchWideChar=4, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 4 [0028.380] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="msfs", cchWideChar=4, lpMultiByteStr=0x9c19d8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msfs", lpUsedDefaultChar=0x0) returned 4 [0028.380] RegEnumKeyW (in: hKey=0x154, dwIndex=0xc4, lpName=0x9b73c0, cchName=0x104 | out: lpName="mshidkmdf") returned 0x0 [0028.380] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mshidkmdf", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0028.380] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mshidkmdf", cchWideChar=9, lpMultiByteStr=0x9c1990, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mshidkmdf", lpUsedDefaultChar=0x0) returned 9 [0028.380] RegEnumKeyW (in: hKey=0x154, dwIndex=0xc5, lpName=0x9b73c0, cchName=0x104 | out: lpName="msisadrv") returned 0x0 [0028.380] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="msisadrv", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0028.380] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="msisadrv", cchWideChar=8, lpMultiByteStr=0x9c19d8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msisadrv", lpUsedDefaultChar=0x0) returned 8 [0028.380] RegEnumKeyW (in: hKey=0x154, dwIndex=0xc6, lpName=0x9b73c0, cchName=0x104 | out: lpName="MSiSCSI") returned 0x0 [0028.380] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="msiscsi", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0028.380] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="msiscsi", cchWideChar=7, lpMultiByteStr=0x9c1990, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msiscsi", lpUsedDefaultChar=0x0) returned 7 [0028.380] RegEnumKeyW (in: hKey=0x154, dwIndex=0xc7, lpName=0x9b73c0, cchName=0x104 | out: lpName="msiserver") returned 0x0 [0028.380] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="msiserver", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0028.380] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="msiserver", cchWideChar=9, lpMultiByteStr=0x9c19d8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msiserver", lpUsedDefaultChar=0x0) returned 9 [0028.380] RegOpenKeyExW (in: hKey=0x154, lpSubKey="msiserver", ulOptions=0x0, samDesired=0x20109, phkResult=0x2af3d0 | out: phkResult=0x2af3d0*=0xbc) returned 0x0 [0028.380] RegCloseKey (hKey=0x154) returned 0x0 [0028.380] SHRegDuplicateHKey (hkey=0x80000002) returned 0x80000002 [0028.380] RegEnumKeyW (in: hKey=0x80000002, dwIndex=0x0, lpName=0x9b73c0, cchName=0x104 | out: lpName="BCD00000000") returned 0x0 [0028.380] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="bcd00000000", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0028.380] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="bcd00000000", cchWideChar=11, lpMultiByteStr=0x9c1990, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bcd00000000", lpUsedDefaultChar=0x0) returned 11 [0028.380] RegEnumKeyW (in: hKey=0x80000002, dwIndex=0x1, lpName=0x9b73c0, cchName=0x104 | out: lpName="HARDWARE") returned 0x0 [0028.380] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="hardware", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0028.380] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="hardware", cchWideChar=8, lpMultiByteStr=0x9c19d8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="hardware", lpUsedDefaultChar=0x0) returned 8 [0028.380] RegEnumKeyW (in: hKey=0x80000002, dwIndex=0x2, lpName=0x9b73c0, cchName=0x104 | out: lpName="SAM") returned 0x0 [0028.381] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="sam", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0028.381] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="sam", cchWideChar=3, lpMultiByteStr=0x9c1990, cbMultiByte=3, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="sam", lpUsedDefaultChar=0x0) returned 3 [0028.381] RegEnumKeyW (in: hKey=0x80000002, dwIndex=0x3, lpName=0x9b73c0, cchName=0x104 | out: lpName="SECURITY") returned 0x0 [0028.381] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="security", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0028.381] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="security", cchWideChar=8, lpMultiByteStr=0x9c19d8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="security", lpUsedDefaultChar=0x0) returned 8 [0028.381] RegEnumKeyW (in: hKey=0x80000002, dwIndex=0x4, lpName=0x9b73c0, cchName=0x104 | out: lpName="SOFTWARE") returned 0x0 [0028.381] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="software", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0028.381] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="software", cchWideChar=8, lpMultiByteStr=0x9c1990, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="software", lpUsedDefaultChar=0x0) returned 8 [0028.381] RegEnumKeyW (in: hKey=0x80000002, dwIndex=0x5, lpName=0x9b73c0, cchName=0x104 | out: lpName="SYSTEM") returned 0x0 [0028.381] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="system", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0028.381] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="system", cchWideChar=6, lpMultiByteStr=0x9c19d8, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="system", lpUsedDefaultChar=0x0) returned 6 [0028.381] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SYSTEM", ulOptions=0x0, samDesired=0x20109, phkResult=0x2af3d0 | out: phkResult=0x2af3d0*=0x15c) returned 0x0 [0028.381] RegCloseKey (hKey=0x80000002) returned 0x0 [0028.381] RegEnumKeyW (in: hKey=0x15c, dwIndex=0x0, lpName=0x9b73c0, cchName=0x104 | out: lpName="ControlSet001") returned 0x0 [0028.381] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="controlset001", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0028.381] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="controlset001", cchWideChar=13, lpMultiByteStr=0x9c1990, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="controlset001", lpUsedDefaultChar=0x0) returned 13 [0028.381] RegEnumKeyW (in: hKey=0x15c, dwIndex=0x1, lpName=0x9b73c0, cchName=0x104 | out: lpName="ControlSet002") returned 0x0 [0028.381] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="controlset002", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0028.381] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="controlset002", cchWideChar=13, lpMultiByteStr=0x9c19d8, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="controlset002", lpUsedDefaultChar=0x0) returned 13 [0028.381] RegEnumKeyW (in: hKey=0x15c, dwIndex=0x2, lpName=0x9b73c0, cchName=0x104 | out: lpName="MountedDevices") returned 0x0 [0028.381] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mounteddevices", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0028.381] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mounteddevices", cchWideChar=14, lpMultiByteStr=0x9c1990, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mounteddevices", lpUsedDefaultChar=0x0) returned 14 [0028.381] RegEnumKeyW (in: hKey=0x15c, dwIndex=0x3, lpName=0x9b73c0, cchName=0x104 | out: lpName="RNG") returned 0x0 [0028.381] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="rng", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0028.381] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="rng", cchWideChar=3, lpMultiByteStr=0x9c19d8, cbMultiByte=3, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="rng", lpUsedDefaultChar=0x0) returned 3 [0028.382] RegEnumKeyW (in: hKey=0x15c, dwIndex=0x4, lpName=0x9b73c0, cchName=0x104 | out: lpName="Select") returned 0x0 [0028.382] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="select", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0028.382] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="select", cchWideChar=6, lpMultiByteStr=0x9c1990, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="select", lpUsedDefaultChar=0x0) returned 6 [0028.382] RegEnumKeyW (in: hKey=0x15c, dwIndex=0x5, lpName=0x9b73c0, cchName=0x104 | out: lpName="Setup") returned 0x0 [0028.382] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="setup", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0028.382] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="setup", cchWideChar=5, lpMultiByteStr=0x9c19d8, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="setup", lpUsedDefaultChar=0x0) returned 5 [0028.382] RegEnumKeyW (in: hKey=0x15c, dwIndex=0x6, lpName=0x9b73c0, cchName=0x104 | out: lpName="Software") returned 0x0 [0028.382] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="software", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0028.382] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="software", cchWideChar=8, lpMultiByteStr=0x9c1990, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="software", lpUsedDefaultChar=0x0) returned 8 [0028.382] RegEnumKeyW (in: hKey=0x15c, dwIndex=0x7, lpName=0x9b73c0, cchName=0x104 | out: lpName="WPA") returned 0x0 [0028.382] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="wpa", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0028.382] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="wpa", cchWideChar=3, lpMultiByteStr=0x9c19d8, cbMultiByte=3, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="wpa", lpUsedDefaultChar=0x0) returned 3 [0028.382] RegEnumKeyW (in: hKey=0x15c, dwIndex=0x8, lpName=0x9b73c0, cchName=0x104 | out: lpName="CurrentControlSet") returned 0x0 [0028.382] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="currentcontrolset", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0028.382] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="currentcontrolset", cchWideChar=17, lpMultiByteStr=0x9c1990, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="currentcontrolset", lpUsedDefaultChar=0x0) returned 17 [0028.382] RegOpenKeyExW (in: hKey=0x15c, lpSubKey="CurrentControlSet", ulOptions=0x0, samDesired=0x20109, phkResult=0x2af3d0 | out: phkResult=0x2af3d0*=0x154) returned 0x0 [0028.382] RegCloseKey (hKey=0x15c) returned 0x0 [0028.382] RegEnumKeyW (in: hKey=0x154, dwIndex=0x0, lpName=0x9b73c0, cchName=0x104 | out: lpName="Control") returned 0x0 [0028.382] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="control", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0028.382] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="control", cchWideChar=7, lpMultiByteStr=0x9c19d8, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="control", lpUsedDefaultChar=0x0) returned 7 [0028.382] RegEnumKeyW (in: hKey=0x154, dwIndex=0x1, lpName=0x9b73c0, cchName=0x104 | out: lpName="Enum") returned 0x0 [0028.382] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="enum", cchWideChar=4, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 4 [0028.382] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="enum", cchWideChar=4, lpMultiByteStr=0x9c1990, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="enum", lpUsedDefaultChar=0x0) returned 4 [0028.382] RegEnumKeyW (in: hKey=0x154, dwIndex=0x2, lpName=0x9b73c0, cchName=0x104 | out: lpName="Hardware Profiles") returned 0x0 [0028.382] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="hardware profiles", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0028.382] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="hardware profiles", cchWideChar=17, lpMultiByteStr=0x9c19d8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="hardware profiles", lpUsedDefaultChar=0x0) returned 17 [0028.383] RegEnumKeyW (in: hKey=0x154, dwIndex=0x3, lpName=0x9b73c0, cchName=0x104 | out: lpName="Policies") returned 0x0 [0028.383] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="policies", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0028.383] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="policies", cchWideChar=8, lpMultiByteStr=0x9c1990, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="policies", lpUsedDefaultChar=0x0) returned 8 [0028.383] RegEnumKeyW (in: hKey=0x154, dwIndex=0x4, lpName=0x9b73c0, cchName=0x104 | out: lpName="services") returned 0x0 [0028.383] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="services", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0028.383] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="services", cchWideChar=8, lpMultiByteStr=0x9c19d8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="services", lpUsedDefaultChar=0x0) returned 8 [0028.383] RegOpenKeyExW (in: hKey=0x154, lpSubKey="services", ulOptions=0x0, samDesired=0x20109, phkResult=0x2af3d0 | out: phkResult=0x2af3d0*=0x15c) returned 0x0 [0028.383] RegCloseKey (hKey=0x154) returned 0x0 [0028.383] RegEnumKeyW (in: hKey=0x15c, dwIndex=0x0, lpName=0x9b73c0, cchName=0x104 | out: lpName=".NET CLR Data") returned 0x0 [0028.383] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr=".net clr data", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0028.383] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr=".net clr data", cchWideChar=13, lpMultiByteStr=0x9c1990, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=".net clr data", lpUsedDefaultChar=0x0) returned 13 [0028.383] RegEnumKeyW (in: hKey=0x15c, dwIndex=0x1, lpName=0x9b73c0, cchName=0x104 | out: lpName=".NET CLR Networking") returned 0x0 [0028.383] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr=".net clr networking", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0028.383] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr=".net clr networking", cchWideChar=19, lpMultiByteStr=0x9c19d8, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=".net clr networking", lpUsedDefaultChar=0x0) returned 19 [0028.383] RegEnumKeyW (in: hKey=0x15c, dwIndex=0x2, lpName=0x9b73c0, cchName=0x104 | out: lpName=".NET CLR Networking 4.0.0.0") returned 0x0 [0028.383] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr=".net clr networking 4.0.0.0", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0028.383] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr=".net clr networking 4.0.0.0", cchWideChar=27, lpMultiByteStr=0x9c1990, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=".net clr networking 4.0.0.0", lpUsedDefaultChar=0x0) returned 27 [0028.383] RegEnumKeyW (in: hKey=0x15c, dwIndex=0x3, lpName=0x9b73c0, cchName=0x104 | out: lpName=".NET Data Provider for Oracle") returned 0x0 [0028.383] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr=".net data provider for oracle", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0028.383] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr=".net data provider for oracle", cchWideChar=29, lpMultiByteStr=0x9c19d8, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=".net data provider for oracle", lpUsedDefaultChar=0x0) returned 29 [0028.383] RegEnumKeyW (in: hKey=0x15c, dwIndex=0x4, lpName=0x9b73c0, cchName=0x104 | out: lpName=".NET Data Provider for SqlServer") returned 0x0 [0028.383] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr=".net data provider for sqlserver", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0028.383] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr=".net data provider for sqlserver", cchWideChar=32, lpMultiByteStr=0x9c1990, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=".net data provider for sqlserver", lpUsedDefaultChar=0x0) returned 32 [0028.383] RegEnumKeyW (in: hKey=0x15c, dwIndex=0x5, lpName=0x9b73c0, cchName=0x104 | out: lpName=".NET Memory Cache 4.0") returned 0x0 [0028.383] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr=".net memory cache 4.0", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0028.384] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr=".net memory cache 4.0", cchWideChar=21, lpMultiByteStr=0x9c19d8, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=".net memory cache 4.0", lpUsedDefaultChar=0x0) returned 21 [0028.384] RegEnumKeyW (in: hKey=0x15c, dwIndex=0x6, lpName=0x9b73c0, cchName=0x104 | out: lpName=".NETFramework") returned 0x0 [0028.384] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr=".netframework", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0028.384] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr=".netframework", cchWideChar=13, lpMultiByteStr=0x9c1990, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=".netframework", lpUsedDefaultChar=0x0) returned 13 [0028.384] RegEnumKeyW (in: hKey=0x15c, dwIndex=0x7, lpName=0x9b73c0, cchName=0x104 | out: lpName="1394ohci") returned 0x0 [0028.384] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="1394ohci", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0028.384] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="1394ohci", cchWideChar=8, lpMultiByteStr=0x9c19d8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="1394ohci", lpUsedDefaultChar=0x0) returned 8 [0028.384] RegEnumKeyW (in: hKey=0x15c, dwIndex=0x8, lpName=0x9b73c0, cchName=0x104 | out: lpName="ACPI") returned 0x0 [0028.384] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="acpi", cchWideChar=4, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 4 [0028.384] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="acpi", cchWideChar=4, lpMultiByteStr=0x9c1990, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="acpi", lpUsedDefaultChar=0x0) returned 4 [0028.385] RegEnumValueA (in: hKey=0xbc, dwIndex=0x0, lpValueName=0x2af2ec, lpcchValueName=0x2af2e8, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="DisplayName", lpcchValueName=0x2af2e8, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0028.385] RegEnumValueA (in: hKey=0xbc, dwIndex=0x1, lpValueName=0x2af2ec, lpcchValueName=0x2af2e8, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="ImagePath", lpcchValueName=0x2af2e8, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0028.385] RegEnumValueA (in: hKey=0xbc, dwIndex=0x2, lpValueName=0x2af2ec, lpcchValueName=0x2af2e8, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="Description", lpcchValueName=0x2af2e8, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0028.385] RegEnumValueA (in: hKey=0xbc, dwIndex=0x3, lpValueName=0x2af2ec, lpcchValueName=0x2af2e8, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="ObjectName", lpcchValueName=0x2af2e8, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0028.385] RegEnumValueA (in: hKey=0xbc, dwIndex=0x4, lpValueName=0x2af2ec, lpcchValueName=0x2af2e8, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="ErrorControl", lpcchValueName=0x2af2e8, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0028.385] RegEnumValueA (in: hKey=0xbc, dwIndex=0x5, lpValueName=0x2af2ec, lpcchValueName=0x2af2e8, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="Start", lpcchValueName=0x2af2e8, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0028.385] RegEnumValueA (in: hKey=0xbc, dwIndex=0x6, lpValueName=0x2af2ec, lpcchValueName=0x2af2e8, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="Type", lpcchValueName=0x2af2e8, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0028.385] RegEnumValueA (in: hKey=0xbc, dwIndex=0x7, lpValueName=0x2af2ec, lpcchValueName=0x2af2e8, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="DependOnService", lpcchValueName=0x2af2e8, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0028.385] RegEnumValueA (in: hKey=0xbc, dwIndex=0x8, lpValueName=0x2af2ec, lpcchValueName=0x2af2e8, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="ServiceSidType", lpcchValueName=0x2af2e8, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0028.385] RegEnumValueA (in: hKey=0xbc, dwIndex=0x9, lpValueName=0x2af2ec, lpcchValueName=0x2af2e8, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="RequiredPrivileges", lpcchValueName=0x2af2e8, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0028.385] RegEnumValueA (in: hKey=0xbc, dwIndex=0xa, lpValueName=0x2af2ec, lpcchValueName=0x2af2e8, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="FailureActions", lpcchValueName=0x2af2e8, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0028.385] RegEnumValueA (in: hKey=0xbc, dwIndex=0xb, lpValueName=0x2af2ec, lpcchValueName=0x2af2e8, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="FailureActions", lpcchValueName=0x2af2e8, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x103 [0028.385] RegSetValueExA (in: hKey=0x154, lpValueName="RequiredPrivileges", Reserved=0x0, dwType=0x7, lpData=0x9b3558*, cbData=0x196 | out: lpData=0x9b3558*) returned 0x0 [0028.386] RegEnumValueA (in: hKey=0xbc, dwIndex=0x0, lpValueName=0x2af2ec, lpcchValueName=0x2af2e8, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="DisplayName", lpcchValueName=0x2af2e8, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0028.386] RegEnumValueA (in: hKey=0xbc, dwIndex=0x1, lpValueName=0x2af2ec, lpcchValueName=0x2af2e8, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="ImagePath", lpcchValueName=0x2af2e8, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0028.386] RegEnumValueA (in: hKey=0xbc, dwIndex=0x2, lpValueName=0x2af2ec, lpcchValueName=0x2af2e8, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="Description", lpcchValueName=0x2af2e8, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0028.386] RegEnumValueA (in: hKey=0xbc, dwIndex=0x3, lpValueName=0x2af2ec, lpcchValueName=0x2af2e8, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="ObjectName", lpcchValueName=0x2af2e8, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0028.386] RegEnumValueA (in: hKey=0xbc, dwIndex=0x4, lpValueName=0x2af2ec, lpcchValueName=0x2af2e8, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="ErrorControl", lpcchValueName=0x2af2e8, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0028.386] RegEnumValueA (in: hKey=0xbc, dwIndex=0x5, lpValueName=0x2af2ec, lpcchValueName=0x2af2e8, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="Start", lpcchValueName=0x2af2e8, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0028.386] RegEnumValueA (in: hKey=0xbc, dwIndex=0x6, lpValueName=0x2af2ec, lpcchValueName=0x2af2e8, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="Type", lpcchValueName=0x2af2e8, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0028.386] RegEnumValueA (in: hKey=0xbc, dwIndex=0x7, lpValueName=0x2af2ec, lpcchValueName=0x2af2e8, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="DependOnService", lpcchValueName=0x2af2e8, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0028.386] RegEnumValueA (in: hKey=0xbc, dwIndex=0x8, lpValueName=0x2af2ec, lpcchValueName=0x2af2e8, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="ServiceSidType", lpcchValueName=0x2af2e8, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0028.386] RegEnumValueA (in: hKey=0xbc, dwIndex=0x9, lpValueName=0x2af2ec, lpcchValueName=0x2af2e8, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="RequiredPrivileges", lpcchValueName=0x2af2e8, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0028.386] RegEnumValueA (in: hKey=0xbc, dwIndex=0xa, lpValueName=0x2af2ec, lpcchValueName=0x2af2e8, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="FailureActions", lpcchValueName=0x2af2e8, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0028.386] RegEnumValueA (in: hKey=0xbc, dwIndex=0xb, lpValueName=0x2af2ec, lpcchValueName=0x2af2e8, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="FailureActions", lpcchValueName=0x2af2e8, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x103 [0028.386] RegSetValueExA (in: hKey=0x154, lpValueName="ObjectName", Reserved=0x0, dwType=0x1, lpData="LocalSystem", cbData=0xc | out: lpData="LocalSystem") returned 0x0 [0028.386] OpenServiceW (hSCManager=0x421ba8, lpServiceName="ose64", dwDesiredAccess=0x2) returned 0x421c98 [0028.388] ChangeServiceConfigW (in: hService=0x421c98, dwServiceType=0xffffffff, dwStartType=0x2, dwErrorControl=0xffffffff, lpBinaryPathName=0x0, lpLoadOrderGroup=0x0, lpdwTagId=0x0, lpDependencies=0x0, lpServiceStartName=0x0, lpPassword=0x0, lpDisplayName=0x0 | out: lpdwTagId=0x0) returned 1 [0028.426] CloseServiceHandle (hSCObject=0x421c98) returned 1 [0028.428] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Source Engine\\OSE.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\source engine\\ose.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xbc [0028.428] SetFileTime (hFile=0xbc, lpCreationTime=0x0, lpLastAccessTime=0x2af498, lpLastWriteTime=0x2af498) returned 1 [0028.428] GetFileSize (in: hFile=0xbc, lpFileSizeHigh=0x2af484 | out: lpFileSizeHigh=0x2af484*=0x0) returned 0x2a968 [0028.428] SetFilePointer (in: hFile=0xbc, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af490*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x2af490*=0) returned 0x0 [0028.428] ReadFile (in: hFile=0xbc, lpBuffer=0x9fd3b0, nNumberOfBytesToRead=0x2a968, lpNumberOfBytesRead=0x2af4c4, lpOverlapped=0x0 | out: lpBuffer=0x9fd3b0*, lpNumberOfBytesRead=0x2af4c4*=0x2a968, lpOverlapped=0x0) returned 1 [0028.443] SetFilePointer (in: hFile=0xbc, lDistanceToMove=0, lpDistanceToMoveHigh=0x2af4b4*=0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x2af4b4*=0) returned 0x0 [0028.443] WriteFile (in: hFile=0xbc, lpBuffer=0x9dd1a8*, nNumberOfBytesToWrite=0x20200, lpNumberOfBytesWritten=0x2af4c4, lpOverlapped=0x0 | out: lpBuffer=0x9dd1a8*, lpNumberOfBytesWritten=0x2af4c4*=0x20200, lpOverlapped=0x0) returned 1 [0028.443] SetEndOfFile (hFile=0xbc) returned 1 [0028.445] GetFileTime (in: hFile=0xbc, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x2af610 | out: lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x2af610*(dwLowDateTime=0xcfcedc00, dwHighDateTime=0x1ca911d)) returned 1 [0028.445] FileTimeToSystemTime (in: lpFileTime=0x2af610, lpSystemTime=0x2af5e0 | out: lpSystemTime=0x2af5e0) returned 1 [0028.446] SystemTimeToFileTime (in: lpSystemTime=0x2af5e0, lpFileTime=0x2af610 | out: lpFileTime=0x2af610) returned 1 [0028.446] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Source Engine\\OSE.EXE:0" (normalized: "c:\\program files\\common files\\microsoft shared\\source engine\\ose.exe:0"), fInfoLevelId=0x0, lpFileInformation=0x2af454 | out: lpFileInformation=0x2af454*(dwFileAttributes=0x9b0558, ftCreationTime.dwLowDateTime=0x1, ftCreationTime.dwHighDateTime=0x9b1e60, ftLastAccessTime.dwLowDateTime=0x2af478, ftLastAccessTime.dwHighDateTime=0xdf8e92, ftLastWriteTime.dwLowDateTime=0x8bffa05a, ftLastWriteTime.dwHighDateTime=0x2af618, nFileSizeHigh=0x2, nFileSizeLow=0x2af5b4)) returned 0 [0028.446] GetLastError () returned 0x2 [0028.446] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Source Engine\\OSE.EXE:0" (normalized: "c:\\program files\\common files\\microsoft shared\\source engine\\ose.exe:0"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xbc [0028.446] SetFileTime (hFile=0xbc, lpCreationTime=0x0, lpLastAccessTime=0x2af498, lpLastWriteTime=0x2af498) returned 1 [0028.446] WriteFile (in: hFile=0xbc, lpBuffer=0xa483b8*, nNumberOfBytesToWrite=0x2a968, lpNumberOfBytesWritten=0x2af4c4, lpOverlapped=0x0 | out: lpBuffer=0xa483b8*, lpNumberOfBytesWritten=0x2af4c4*=0x2a968, lpOverlapped=0x0) returned 1 [0028.449] SetFileTime (hFile=0xbc, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x2af610) returned 1 [0028.449] NtClose (Handle=0xbc) returned 0x0 [0028.450] OpenServiceW (hSCManager=0x421ba8, lpServiceName="ose64", dwDesiredAccess=0x10) returned 0x421c70 [0028.455] StartServiceW (hService=0x421c70, dwNumServiceArgs=0x0, lpServiceArgVectors=0x0) returned 1 [0035.320] CloseServiceHandle (hSCObject=0x421c70) returned 1 [0035.321] WaitForSingleObject (hHandle=0x11c, dwMilliseconds=0x1388) returned 0x0 [0035.344] CloseServiceHandle (hSCObject=0x421ba8) returned 1 [0035.347] ReleaseMutex (hMutex=0x148) returned 0 [0035.347] GetLastError () returned 0x120 [0035.348] DeleteFileW (lpFileName="C:\\Users\\5P5NRG~1\\AppData\\Roaming\\MOV7TW~1" (normalized: "c:\\users\\5p5nrg~1\\appdata\\roaming\\mov7tw~1")) returned 1 [0035.349] Wow64RevertWow64FsRedirection (OlValue=0x0) returned 1 [0035.349] ExitProcess (uExitCode=0x0) Thread: id = 4 os_tid = 0x964 Process: id = "3" image_name = "vssadmin.exe" filename = "c:\\windows\\system32\\vssadmin.exe" page_root = "0x4e24e000" os_pid = "0x968" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x954" cmd_line = "C:\\Windows\\system32\\vssadmin.exe Delete Shadows /All /Quiet" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e814" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 343 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 344 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 345 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 346 start_va = 0x1f0000 end_va = 0x26ffff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 347 start_va = 0x77860000 end_va = 0x77a08fff entry_point = 0x77860000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 348 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 349 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 350 start_va = 0x7ffff000 end_va = 0x7fffffff entry_point = 0x0 region_type = private name = "private_0x000000007ffff000" filename = "" Region: id = 351 start_va = 0xffac0000 end_va = 0xffaecfff entry_point = 0xffac0000 region_type = mapped_file name = "vssadmin.exe" filename = "\\Windows\\System32\\vssadmin.exe" (normalized: "c:\\windows\\system32\\vssadmin.exe") Region: id = 352 start_va = 0x7feffb80000 end_va = 0x7feffb80fff entry_point = 0x7feffb80000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 353 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 354 start_va = 0x7fffffd4000 end_va = 0x7fffffd4fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd4000" filename = "" Region: id = 355 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 356 start_va = 0x330000 end_va = 0x42ffff entry_point = 0x0 region_type = private name = "private_0x0000000000330000" filename = "" Region: id = 357 start_va = 0x77740000 end_va = 0x7785efff entry_point = 0x77740000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 358 start_va = 0x7fefd900000 end_va = 0x7fefd96afff entry_point = 0x7fefd900000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 361 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 362 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 363 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 364 start_va = 0x77640000 end_va = 0x77739fff entry_point = 0x77640000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 365 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 366 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 367 start_va = 0x7fef7e80000 end_va = 0x7fef7e96fff entry_point = 0x7fef7e80000 region_type = mapped_file name = "vsstrace.dll" filename = "\\Windows\\System32\\vsstrace.dll" (normalized: "c:\\windows\\system32\\vsstrace.dll") Region: id = 368 start_va = 0x7fef7ea0000 end_va = 0x7fef804ffff entry_point = 0x7fef7ea0000 region_type = mapped_file name = "vssapi.dll" filename = "\\Windows\\System32\\vssapi.dll" (normalized: "c:\\windows\\system32\\vssapi.dll") Region: id = 369 start_va = 0x7fefb260000 end_va = 0x7fefb278fff entry_point = 0x7fefb260000 region_type = mapped_file name = "atl.dll" filename = "\\Windows\\System32\\atl.dll" (normalized: "c:\\windows\\system32\\atl.dll") Region: id = 370 start_va = 0x7fefdb80000 end_va = 0x7fefdc48fff entry_point = 0x7fefdb80000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 371 start_va = 0x7fefdc50000 end_va = 0x7fefdd26fff entry_point = 0x7fefdc50000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 372 start_va = 0x7fefdd30000 end_va = 0x7fefdd3dfff entry_point = 0x7fefdd30000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 373 start_va = 0x7fefed10000 end_va = 0x7fefed76fff entry_point = 0x7fefed10000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 374 start_va = 0x7feff0f0000 end_va = 0x7feff1cafff entry_point = 0x7feff0f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 375 start_va = 0x7feff1d0000 end_va = 0x7feff2fcfff entry_point = 0x7feff1d0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 376 start_va = 0x7feff850000 end_va = 0x7feff86efff entry_point = 0x7feff850000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 377 start_va = 0x7feff870000 end_va = 0x7feffa72fff entry_point = 0x7feff870000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 378 start_va = 0x7feffa80000 end_va = 0x7feffb1efff entry_point = 0x7feffa80000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 470 start_va = 0xc0000 end_va = 0x1bffff entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 471 start_va = 0x560000 end_va = 0x56ffff entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 472 start_va = 0x570000 end_va = 0x6f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000570000" filename = "" Region: id = 473 start_va = 0x7fefdd40000 end_va = 0x7fefdd6dfff entry_point = 0x7fefdd40000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 474 start_va = 0x7fefed80000 end_va = 0x7fefee88fff entry_point = 0x7fefed80000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 756 start_va = 0x1c0000 end_va = 0x1c6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001c0000" filename = "" Region: id = 757 start_va = 0x1d0000 end_va = 0x1d1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 758 start_va = 0x1e0000 end_va = 0x1ecfff entry_point = 0x1e0000 region_type = mapped_file name = "vssadmin.exe.mui" filename = "\\Windows\\System32\\en-US\\vssadmin.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\vssadmin.exe.mui") Region: id = 759 start_va = 0x270000 end_va = 0x270fff entry_point = 0x0 region_type = private name = "private_0x0000000000270000" filename = "" Region: id = 760 start_va = 0x280000 end_va = 0x280fff entry_point = 0x0 region_type = private name = "private_0x0000000000280000" filename = "" Region: id = 761 start_va = 0x700000 end_va = 0x880fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000700000" filename = "" Region: id = 762 start_va = 0x890000 end_va = 0x1c8ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000890000" filename = "" Region: id = 763 start_va = 0x7fefd6a0000 end_va = 0x7fefd6aefff entry_point = 0x7fefd6a0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 966 start_va = 0x290000 end_va = 0x290fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000290000" filename = "" Region: id = 967 start_va = 0x4a0000 end_va = 0x51ffff entry_point = 0x0 region_type = private name = "private_0x00000000004a0000" filename = "" Region: id = 968 start_va = 0x7feff560000 end_va = 0x7feff5f8fff entry_point = 0x7feff560000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 969 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 970 start_va = 0x2a0000 end_va = 0x2a0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 971 start_va = 0x1ca0000 end_va = 0x1d1ffff entry_point = 0x0 region_type = private name = "private_0x0000000001ca0000" filename = "" Region: id = 972 start_va = 0x7fefd0a0000 end_va = 0x7fefd0b6fff entry_point = 0x7fefd0a0000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 973 start_va = 0x7fffffda000 end_va = 0x7fffffdbfff entry_point = 0x0 region_type = private name = "private_0x000007fffffda000" filename = "" Region: id = 974 start_va = 0x7fefcda0000 end_va = 0x7fefcde6fff entry_point = 0x7fefcda0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 975 start_va = 0x1d20000 end_va = 0x1feefff entry_point = 0x1d20000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 976 start_va = 0x7fefd790000 end_va = 0x7fefd7a3fff entry_point = 0x7fefd790000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Thread: id = 5 os_tid = 0x96c Thread: id = 277 os_tid = 0x984 Thread: id = 278 os_tid = 0x988 Thread: id = 279 os_tid = 0x98c Thread: id = 280 os_tid = 0x990 Process: id = "4" image_name = "System" filename = "" page_root = "0x187000" os_pid = "0x4" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "created_daemon" parent_id = "2" os_parent_pid = "0x954" cmd_line = "" cur_dir = "" os_username = "NT AUTHORITY\\SYSTEM" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Region: id = 2126 start_va = 0x10000 end_va = 0x32fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 2127 start_va = 0x40000 end_va = 0x5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 2128 start_va = 0x60000 end_va = 0x7ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 2129 start_va = 0x80000 end_va = 0x80fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000080000" filename = "" Region: id = 2130 start_va = 0x77860000 end_va = 0x77a08fff entry_point = 0x77860000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2131 start_va = 0x77a40000 end_va = 0x77bbffff entry_point = 0x77a40000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 2132 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2133 start_va = 0x7fff23d0000 end_va = 0x7fff23fffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fff23d0000" filename = "" Region: id = 2134 start_va = 0x7fff28d0000 end_va = 0x7fff28fffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fff28d0000" filename = "" Region: id = 2135 start_va = 0x7fff2dd0000 end_va = 0x7fff2dfffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fff2dd0000" filename = "" Region: id = 2136 start_va = 0x7fff32d0000 end_va = 0x7fff32fffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fff32d0000" filename = "" Region: id = 2137 start_va = 0x7fff37d0000 end_va = 0x7fff37fffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fff37d0000" filename = "" Region: id = 2138 start_va = 0x7fff3cd0000 end_va = 0x7fff3cfffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fff3cd0000" filename = "" Region: id = 2139 start_va = 0x7fff41d0000 end_va = 0x7fff41fffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fff41d0000" filename = "" Region: id = 2140 start_va = 0x7fff46d0000 end_va = 0x7fff46fffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fff46d0000" filename = "" Region: id = 2141 start_va = 0x7fff4bd0000 end_va = 0x7fff4bfffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fff4bd0000" filename = "" Region: id = 2142 start_va = 0x7fff50d0000 end_va = 0x7fff50fffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fff50d0000" filename = "" Region: id = 2143 start_va = 0x7fff55d0000 end_va = 0x7fff55fffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fff55d0000" filename = "" Region: id = 2144 start_va = 0x7fff5ad0000 end_va = 0x7fff5afffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fff5ad0000" filename = "" Region: id = 2145 start_va = 0x7fff5fd0000 end_va = 0x7fff5ffffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fff5fd0000" filename = "" Region: id = 2146 start_va = 0x7fff64d0000 end_va = 0x7fff64fffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fff64d0000" filename = "" Region: id = 2147 start_va = 0x7fff69d0000 end_va = 0x7fff69fffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fff69d0000" filename = "" Region: id = 2148 start_va = 0x7fff6ed0000 end_va = 0x7fff6efffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fff6ed0000" filename = "" Region: id = 2149 start_va = 0x7fff73d0000 end_va = 0x7fff73fffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fff73d0000" filename = "" Region: id = 2150 start_va = 0x7fff78d0000 end_va = 0x7fff78fffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fff78d0000" filename = "" Region: id = 2151 start_va = 0x7fff7dd0000 end_va = 0x7fff7dfffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fff7dd0000" filename = "" Region: id = 2152 start_va = 0x7fff82d0000 end_va = 0x7fff82fffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fff82d0000" filename = "" Region: id = 2153 start_va = 0x7fff87d0000 end_va = 0x7fff87fffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fff87d0000" filename = "" Region: id = 2154 start_va = 0x7fff8cd0000 end_va = 0x7fff8cfffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fff8cd0000" filename = "" Region: id = 2155 start_va = 0x7fff91d0000 end_va = 0x7fff91fffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fff91d0000" filename = "" Region: id = 2156 start_va = 0x7fff96d0000 end_va = 0x7fff96fffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fff96d0000" filename = "" Region: id = 2157 start_va = 0x7fff9bd0000 end_va = 0x7fff9bfffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fff9bd0000" filename = "" Region: id = 2158 start_va = 0x7fffa0d0000 end_va = 0x7fffa0fffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffa0d0000" filename = "" Region: id = 2159 start_va = 0x7fffa5d0000 end_va = 0x7fffa5fffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffa5d0000" filename = "" Region: id = 2160 start_va = 0x7fffaad0000 end_va = 0x7fffaafffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffaad0000" filename = "" Region: id = 2161 start_va = 0x7fffafd0000 end_va = 0x7fffaffffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffafd0000" filename = "" Region: id = 2162 start_va = 0x7fffb4d0000 end_va = 0x7fffb4fffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffb4d0000" filename = "" Region: id = 2163 start_va = 0x7fffb9d0000 end_va = 0x7fffb9fffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffb9d0000" filename = "" Region: id = 2164 start_va = 0x7fffbed0000 end_va = 0x7fffbefffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffbed0000" filename = "" Region: id = 2165 start_va = 0x7fffc3d0000 end_va = 0x7fffc3fffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffc3d0000" filename = "" Region: id = 2166 start_va = 0x7fffc8d0000 end_va = 0x7fffc8fffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffc8d0000" filename = "" Region: id = 2167 start_va = 0x7fffcdd0000 end_va = 0x7fffcdfffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffcdd0000" filename = "" Region: id = 2168 start_va = 0x7fffd2d0000 end_va = 0x7fffd2fffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffd2d0000" filename = "" Region: id = 2169 start_va = 0x7fffd7d0000 end_va = 0x7fffd7fffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffd7d0000" filename = "" Region: id = 2170 start_va = 0x7fffdcd0000 end_va = 0x7fffdcfffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffdcd0000" filename = "" Region: id = 2171 start_va = 0x7fffe1d0000 end_va = 0x7fffe1fffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffe1d0000" filename = "" Region: id = 2172 start_va = 0x7fffe6d0000 end_va = 0x7fffe6fffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffe6d0000" filename = "" Region: id = 2173 start_va = 0x7fffebd0000 end_va = 0x7fffebfffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffebd0000" filename = "" Region: id = 2174 start_va = 0x7ffff0d0000 end_va = 0x7ffff0fffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007ffff0d0000" filename = "" Region: id = 2175 start_va = 0x7ffff5d0000 end_va = 0x7ffff5fffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007ffff5d0000" filename = "" Region: id = 2176 start_va = 0x7ffffad0000 end_va = 0x7ffffafffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007ffffad0000" filename = "" Thread: id = 6 os_tid = 0xbc Thread: id = 7 os_tid = 0x8f0 Thread: id = 8 os_tid = 0xf8 Thread: id = 9 os_tid = 0x5b8 Thread: id = 10 os_tid = 0xd0 Thread: id = 11 os_tid = 0x1bc Thread: id = 12 os_tid = 0xd4 Thread: id = 13 os_tid = 0x7c Thread: id = 14 os_tid = 0x368 Thread: id = 15 os_tid = 0x50 Thread: id = 16 os_tid = 0x73c Thread: id = 17 os_tid = 0x60 Thread: id = 18 os_tid = 0x590 Thread: id = 19 os_tid = 0x660 Thread: id = 20 os_tid = 0x490 Thread: id = 21 os_tid = 0x0 Thread: id = 22 os_tid = 0x18 Thread: id = 23 os_tid = 0x1c Thread: id = 24 os_tid = 0x494 Thread: id = 25 os_tid = 0x20 Thread: id = 26 os_tid = 0x71c Thread: id = 27 os_tid = 0x6f4 Thread: id = 28 os_tid = 0x6e8 Thread: id = 29 os_tid = 0x6b4 Thread: id = 30 os_tid = 0x6d0 Thread: id = 31 os_tid = 0x6c8 Thread: id = 32 os_tid = 0x6a4 Thread: id = 33 os_tid = 0x638 Thread: id = 34 os_tid = 0x5d4 Thread: id = 35 os_tid = 0x5c8 Thread: id = 36 os_tid = 0x94 Thread: id = 37 os_tid = 0x514 Thread: id = 38 os_tid = 0x110 Thread: id = 39 os_tid = 0x484 Thread: id = 40 os_tid = 0x5c Thread: id = 41 os_tid = 0x3dc Thread: id = 42 os_tid = 0x84 Thread: id = 43 os_tid = 0x24 Thread: id = 44 os_tid = 0x68 Thread: id = 45 os_tid = 0x334 Thread: id = 46 os_tid = 0x8c Thread: id = 47 os_tid = 0x98 Thread: id = 48 os_tid = 0x4c Thread: id = 49 os_tid = 0x9c Thread: id = 50 os_tid = 0x28c Thread: id = 51 os_tid = 0x74 Thread: id = 52 os_tid = 0x124 Thread: id = 53 os_tid = 0x100 Thread: id = 54 os_tid = 0x198 Thread: id = 55 os_tid = 0x78 Thread: id = 56 os_tid = 0xb4 Thread: id = 57 os_tid = 0xc4 Thread: id = 58 os_tid = 0x38 Thread: id = 59 os_tid = 0x3c Thread: id = 60 os_tid = 0x158 Thread: id = 61 os_tid = 0x154 Thread: id = 62 os_tid = 0x150 Thread: id = 63 os_tid = 0x130 Thread: id = 64 os_tid = 0x138 Thread: id = 65 os_tid = 0x90 Thread: id = 66 os_tid = 0x88 Thread: id = 67 os_tid = 0x80 Thread: id = 68 os_tid = 0x12c Thread: id = 69 os_tid = 0x128 Thread: id = 70 os_tid = 0xb8 Thread: id = 71 os_tid = 0x30 Thread: id = 72 os_tid = 0x34 Thread: id = 73 os_tid = 0xb0 Thread: id = 74 os_tid = 0x44 Thread: id = 75 os_tid = 0x28 Thread: id = 76 os_tid = 0x40 Thread: id = 77 os_tid = 0x2c Thread: id = 78 os_tid = 0x48 Thread: id = 79 os_tid = 0x10c Thread: id = 80 os_tid = 0xc0 Thread: id = 81 os_tid = 0x8 Thread: id = 302 os_tid = 0x9f8 Thread: id = 311 os_tid = 0xa90 Thread: id = 312 os_tid = 0xa94 Thread: id = 313 os_tid = 0xa98 Thread: id = 315 os_tid = 0xa9c Thread: id = 316 os_tid = 0xa8c Thread: id = 318 os_tid = 0xaa4 Thread: id = 320 os_tid = 0xabc Thread: id = 322 os_tid = 0xac4 Thread: id = 324 os_tid = 0xcc Thread: id = 329 os_tid = 0xb08 Thread: id = 332 os_tid = 0xb24 Thread: id = 335 os_tid = 0xb38 Thread: id = 338 os_tid = 0xb60 Thread: id = 339 os_tid = 0xb64 Thread: id = 340 os_tid = 0xb68 Thread: id = 341 os_tid = 0xb6c Thread: id = 342 os_tid = 0xb70 Thread: id = 350 os_tid = 0xb90 Thread: id = 355 os_tid = 0xba4 Thread: id = 356 os_tid = 0xba8 Thread: id = 357 os_tid = 0xbac Thread: id = 358 os_tid = 0xbb0 Thread: id = 359 os_tid = 0xbb4 Thread: id = 360 os_tid = 0xbb8 Thread: id = 368 os_tid = 0xbe0 Thread: id = 391 os_tid = 0x844 Thread: id = 394 os_tid = 0x870 Thread: id = 406 os_tid = 0x80c Thread: id = 464 os_tid = 0x33c Thread: id = 466 os_tid = 0x838 Thread: id = 467 os_tid = 0x948 Thread: id = 468 os_tid = 0x94c Thread: id = 469 os_tid = 0x574 Thread: id = 470 os_tid = 0x718 Thread: id = 471 os_tid = 0x81c Thread: id = 472 os_tid = 0x10 Thread: id = 473 os_tid = 0x14 Thread: id = 474 os_tid = 0x3e0 Thread: id = 480 os_tid = 0xa4 Process: id = "5" image_name = "services.exe" filename = "c:\\windows\\system32\\services.exe" page_root = "0x24c0c000" os_pid = "0x1d4" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "created_daemon" parent_id = "2" os_parent_pid = "0x954" cmd_line = "C:\\Windows\\system32\\services.exe" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Region: id = 379 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 380 start_va = 0x20000 end_va = 0x26fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 381 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 382 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 383 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 384 start_va = 0xc0000 end_va = 0xc1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 385 start_va = 0x150000 end_va = 0x150fff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 386 start_va = 0x160000 end_va = 0x160fff entry_point = 0x0 region_type = private name = "private_0x0000000000160000" filename = "" Region: id = 387 start_va = 0x180000 end_va = 0x1fffff entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 388 start_va = 0x200000 end_va = 0x2fffff entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 389 start_va = 0x300000 end_va = 0x3fffff entry_point = 0x0 region_type = private name = "private_0x0000000000300000" filename = "" Region: id = 390 start_va = 0x400000 end_va = 0x400fff entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 391 start_va = 0x410000 end_va = 0x410fff entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 392 start_va = 0x430000 end_va = 0x43ffff entry_point = 0x0 region_type = private name = "private_0x0000000000430000" filename = "" Region: id = 393 start_va = 0x440000 end_va = 0x5c7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000440000" filename = "" Region: id = 394 start_va = 0x5d0000 end_va = 0x750fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005d0000" filename = "" Region: id = 395 start_va = 0x760000 end_va = 0x81ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000760000" filename = "" Region: id = 396 start_va = 0x820000 end_va = 0xc12fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000820000" filename = "" Region: id = 397 start_va = 0xd00000 end_va = 0xd3ffff entry_point = 0x0 region_type = private name = "private_0x0000000000d00000" filename = "" Region: id = 398 start_va = 0xdb0000 end_va = 0xe2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000db0000" filename = "" Region: id = 399 start_va = 0xe40000 end_va = 0xebffff entry_point = 0x0 region_type = private name = "private_0x0000000000e40000" filename = "" Region: id = 400 start_va = 0xf00000 end_va = 0xf7ffff entry_point = 0x0 region_type = private name = "private_0x0000000000f00000" filename = "" Region: id = 401 start_va = 0xf90000 end_va = 0x100ffff entry_point = 0x0 region_type = private name = "private_0x0000000000f90000" filename = "" Region: id = 402 start_va = 0x1020000 end_va = 0x109ffff entry_point = 0x0 region_type = private name = "private_0x0000000001020000" filename = "" Region: id = 403 start_va = 0x10d0000 end_va = 0x114ffff entry_point = 0x0 region_type = private name = "private_0x00000000010d0000" filename = "" Region: id = 404 start_va = 0x1160000 end_va = 0x11dffff entry_point = 0x0 region_type = private name = "private_0x0000000001160000" filename = "" Region: id = 405 start_va = 0x11f0000 end_va = 0x126ffff entry_point = 0x0 region_type = private name = "private_0x00000000011f0000" filename = "" Region: id = 406 start_va = 0x1270000 end_va = 0x12effff entry_point = 0x0 region_type = private name = "private_0x0000000001270000" filename = "" Region: id = 407 start_va = 0x1300000 end_va = 0x137ffff entry_point = 0x0 region_type = private name = "private_0x0000000001300000" filename = "" Region: id = 408 start_va = 0x15f0000 end_va = 0x166ffff entry_point = 0x0 region_type = private name = "private_0x00000000015f0000" filename = "" Region: id = 409 start_va = 0x1670000 end_va = 0x16effff entry_point = 0x0 region_type = private name = "private_0x0000000001670000" filename = "" Region: id = 410 start_va = 0x1730000 end_va = 0x17affff entry_point = 0x0 region_type = private name = "private_0x0000000001730000" filename = "" Region: id = 411 start_va = 0x17b0000 end_va = 0x18affff entry_point = 0x0 region_type = private name = "private_0x00000000017b0000" filename = "" Region: id = 412 start_va = 0x18b0000 end_va = 0x1b7efff entry_point = 0x18b0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 413 start_va = 0x1b80000 end_va = 0x1c7ffff entry_point = 0x0 region_type = private name = "private_0x0000000001b80000" filename = "" Region: id = 414 start_va = 0x1c80000 end_va = 0x1e7ffff entry_point = 0x0 region_type = private name = "private_0x0000000001c80000" filename = "" Region: id = 415 start_va = 0x1e80000 end_va = 0x207ffff entry_point = 0x0 region_type = private name = "private_0x0000000001e80000" filename = "" Region: id = 416 start_va = 0x2080000 end_va = 0x247ffff entry_point = 0x0 region_type = private name = "private_0x0000000002080000" filename = "" Region: id = 417 start_va = 0x2590000 end_va = 0x260ffff entry_point = 0x0 region_type = private name = "private_0x0000000002590000" filename = "" Region: id = 418 start_va = 0x77640000 end_va = 0x77739fff entry_point = 0x77640000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 419 start_va = 0x77740000 end_va = 0x7785efff entry_point = 0x77740000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 420 start_va = 0x77860000 end_va = 0x77a08fff entry_point = 0x77860000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 421 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 422 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 423 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 424 start_va = 0xffeb0000 end_va = 0xfff02fff entry_point = 0xffeb0000 region_type = mapped_file name = "services.exe" filename = "\\Windows\\System32\\services.exe" (normalized: "c:\\windows\\system32\\services.exe") Region: id = 425 start_va = 0x7fefba10000 end_va = 0x7fefba20fff entry_point = 0x7fefba10000 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 426 start_va = 0x7fefca40000 end_va = 0x7fefca46fff entry_point = 0x7fefca40000 region_type = mapped_file name = "wshtcpip.dll" filename = "\\Windows\\System32\\WSHTCPIP.DLL" (normalized: "c:\\windows\\system32\\wshtcpip.dll") Region: id = 427 start_va = 0x7fefcc60000 end_va = 0x7fefcc98fff entry_point = 0x7fefcc60000 region_type = mapped_file name = "ubpm.dll" filename = "\\Windows\\System32\\ubpm.dll" (normalized: "c:\\windows\\system32\\ubpm.dll") Region: id = 428 start_va = 0x7fefcca0000 end_va = 0x7fefcca9fff entry_point = 0x7fefcca0000 region_type = mapped_file name = "credssp.dll" filename = "\\Windows\\System32\\credssp.dll" (normalized: "c:\\windows\\system32\\credssp.dll") Region: id = 429 start_va = 0x7fefd030000 end_va = 0x7fefd036fff entry_point = 0x7fefd030000 region_type = mapped_file name = "wship6.dll" filename = "\\Windows\\System32\\wship6.dll" (normalized: "c:\\windows\\system32\\wship6.dll") Region: id = 430 start_va = 0x7fefd040000 end_va = 0x7fefd094fff entry_point = 0x7fefd040000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 431 start_va = 0x7fefd290000 end_va = 0x7fefd2befff entry_point = 0x7fefd290000 region_type = mapped_file name = "authz.dll" filename = "\\Windows\\System32\\authz.dll" (normalized: "c:\\windows\\system32\\authz.dll") Region: id = 432 start_va = 0x7fefd5a0000 end_va = 0x7fefd5c2fff entry_point = 0x7fefd5a0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 433 start_va = 0x7fefd5d0000 end_va = 0x7fefd636fff entry_point = 0x7fefd5d0000 region_type = mapped_file name = "scesrv.dll" filename = "\\Windows\\System32\\scesrv.dll" (normalized: "c:\\windows\\system32\\scesrv.dll") Region: id = 434 start_va = 0x7fefd640000 end_va = 0x7fefd64afff entry_point = 0x7fefd640000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 435 start_va = 0x7fefd650000 end_va = 0x7fefd668fff entry_point = 0x7fefd650000 region_type = mapped_file name = "scext.dll" filename = "\\Windows\\System32\\scext.dll" (normalized: "c:\\windows\\system32\\scext.dll") Region: id = 436 start_va = 0x7fefd670000 end_va = 0x7fefd694fff entry_point = 0x7fefd670000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 437 start_va = 0x7fefd6a0000 end_va = 0x7fefd6aefff entry_point = 0x7fefd6a0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 438 start_va = 0x7fefd750000 end_va = 0x7fefd78cfff entry_point = 0x7fefd750000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 439 start_va = 0x7fefd790000 end_va = 0x7fefd7a3fff entry_point = 0x7fefd790000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 440 start_va = 0x7fefd7b0000 end_va = 0x7fefd7befff entry_point = 0x7fefd7b0000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 441 start_va = 0x7fefd900000 end_va = 0x7fefd96afff entry_point = 0x7fefd900000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 442 start_va = 0x7fefdb80000 end_va = 0x7fefdc48fff entry_point = 0x7fefdb80000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 443 start_va = 0x7fefdd30000 end_va = 0x7fefdd3dfff entry_point = 0x7fefdd30000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 444 start_va = 0x7fefdd40000 end_va = 0x7fefdd6dfff entry_point = 0x7fefdd40000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 445 start_va = 0x7fefdef0000 end_va = 0x7fefdef7fff entry_point = 0x7fefdef0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 446 start_va = 0x7fefed10000 end_va = 0x7fefed76fff entry_point = 0x7fefed10000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 447 start_va = 0x7fefed80000 end_va = 0x7fefee88fff entry_point = 0x7fefed80000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 448 start_va = 0x7feff0f0000 end_va = 0x7feff1cafff entry_point = 0x7feff0f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 449 start_va = 0x7feff1d0000 end_va = 0x7feff2fcfff entry_point = 0x7feff1d0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 450 start_va = 0x7feff850000 end_va = 0x7feff86efff entry_point = 0x7feff850000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 451 start_va = 0x7feffa80000 end_va = 0x7feffb1efff entry_point = 0x7feffa80000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 452 start_va = 0x7feffb20000 end_va = 0x7feffb6cfff entry_point = 0x7feffb20000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 453 start_va = 0x7feffb80000 end_va = 0x7feffb80fff entry_point = 0x7feffb80000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 454 start_va = 0x7fffff98000 end_va = 0x7fffff99fff entry_point = 0x0 region_type = private name = "private_0x000007fffff98000" filename = "" Region: id = 455 start_va = 0x7fffff9a000 end_va = 0x7fffff9bfff entry_point = 0x0 region_type = private name = "private_0x000007fffff9a000" filename = "" Region: id = 456 start_va = 0x7fffff9c000 end_va = 0x7fffff9dfff entry_point = 0x0 region_type = private name = "private_0x000007fffff9c000" filename = "" Region: id = 457 start_va = 0x7fffff9e000 end_va = 0x7fffff9ffff entry_point = 0x0 region_type = private name = "private_0x000007fffff9e000" filename = "" Region: id = 458 start_va = 0x7fffffa0000 end_va = 0x7fffffa1fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa0000" filename = "" Region: id = 459 start_va = 0x7fffffa2000 end_va = 0x7fffffa3fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa2000" filename = "" Region: id = 460 start_va = 0x7fffffa4000 end_va = 0x7fffffa5fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa4000" filename = "" Region: id = 461 start_va = 0x7fffffac000 end_va = 0x7fffffadfff entry_point = 0x0 region_type = private name = "private_0x000007fffffac000" filename = "" Region: id = 462 start_va = 0x7fffffae000 end_va = 0x7fffffaffff entry_point = 0x0 region_type = private name = "private_0x000007fffffae000" filename = "" Region: id = 463 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 464 start_va = 0x7fffffd4000 end_va = 0x7fffffd5fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd4000" filename = "" Region: id = 465 start_va = 0x7fffffd6000 end_va = 0x7fffffd7fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd6000" filename = "" Region: id = 466 start_va = 0x7fffffd8000 end_va = 0x7fffffd9fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd8000" filename = "" Region: id = 467 start_va = 0x7fffffda000 end_va = 0x7fffffdbfff entry_point = 0x0 region_type = private name = "private_0x000007fffffda000" filename = "" Region: id = 468 start_va = 0x7fffffdc000 end_va = 0x7fffffdcfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 469 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 3414 start_va = 0xd0000 end_va = 0x14ffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 3415 start_va = 0xeb0000 end_va = 0xf2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000eb0000" filename = "" Region: id = 3416 start_va = 0x7fefd1f0000 end_va = 0x7fefd1f7fff entry_point = 0x7fefd1f0000 region_type = mapped_file name = "wmsgapi.dll" filename = "\\Windows\\System32\\wmsgapi.dll" (normalized: "c:\\windows\\system32\\wmsgapi.dll") Thread: id = 82 os_tid = 0x484 Thread: id = 83 os_tid = 0x4ec Thread: id = 84 os_tid = 0x4e0 Thread: id = 85 os_tid = 0x4b8 Thread: id = 86 os_tid = 0x1c8 Thread: id = 87 os_tid = 0x288 Thread: id = 88 os_tid = 0x250 Thread: id = 89 os_tid = 0x24c Thread: id = 90 os_tid = 0x23c Thread: id = 91 os_tid = 0x238 Thread: id = 92 os_tid = 0x22c Thread: id = 93 os_tid = 0x228 Thread: id = 94 os_tid = 0x224 Thread: id = 95 os_tid = 0x220 Thread: id = 366 os_tid = 0xbdc Thread: id = 409 os_tid = 0x720 Thread: id = 410 os_tid = 0x75c Thread: id = 425 os_tid = 0x680 Thread: id = 440 os_tid = 0x914 Thread: id = 444 os_tid = 0x8ac Thread: id = 446 os_tid = 0x8a0 Thread: id = 447 os_tid = 0x8bc Thread: id = 448 os_tid = 0x8cc Thread: id = 449 os_tid = 0x8d0 Thread: id = 451 os_tid = 0x89c Thread: id = 452 os_tid = 0x8f0 Thread: id = 454 os_tid = 0x8e8 Thread: id = 455 os_tid = 0x938 Thread: id = 456 os_tid = 0x880 Thread: id = 457 os_tid = 0x888 Thread: id = 458 os_tid = 0x898 Thread: id = 459 os_tid = 0x944 Thread: id = 460 os_tid = 0x830 Thread: id = 462 os_tid = 0x824 Thread: id = 463 os_tid = 0x82c Process: id = "6" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0xb128000" os_pid = "0x254" os_integrity_level = "0x4000" os_privileges = "0x60b00080" monitor_reason = "child_process" parent_id = "5" os_parent_pid = "0x1d4" cmd_line = "C:\\Windows\\system32\\svchost.exe -k DcomLaunch" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\DcomLaunch" [0xa], "NT SERVICE\\PlugPlay" [0xe], "NT SERVICE\\Power" [0xa], "NT AUTHORITY\\Logon Session 00000000:00006ac7" [0xc000000f], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Region: id = 844 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 845 start_va = 0x20000 end_va = 0x26fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 846 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 847 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 848 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 849 start_va = 0xc0000 end_va = 0xc1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 850 start_va = 0xd0000 end_va = 0xd0fff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 851 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 852 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000f0000" filename = "" Region: id = 853 start_va = 0x100000 end_va = 0x100fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000100000" filename = "" Region: id = 854 start_va = 0x110000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 855 start_va = 0x190000 end_va = 0x28ffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 856 start_va = 0x290000 end_va = 0x290fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000290000" filename = "" Region: id = 857 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 858 start_va = 0x2b0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 859 start_va = 0x2c0000 end_va = 0x2c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002c0000" filename = "" Region: id = 860 start_va = 0x2d0000 end_va = 0x2d3fff entry_point = 0x2d0000 region_type = mapped_file name = "umpnpmgr.dll.mui" filename = "\\Windows\\System32\\en-US\\umpnpmgr.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\umpnpmgr.dll.mui") Region: id = 861 start_va = 0x320000 end_va = 0x41ffff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 862 start_va = 0x420000 end_va = 0x5a7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 863 start_va = 0x5c0000 end_va = 0x63ffff entry_point = 0x0 region_type = private name = "private_0x00000000005c0000" filename = "" Region: id = 864 start_va = 0x650000 end_va = 0x6cffff entry_point = 0x0 region_type = private name = "private_0x0000000000650000" filename = "" Region: id = 865 start_va = 0x7c0000 end_va = 0xa8efff entry_point = 0x7c0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 866 start_va = 0xa90000 end_va = 0xc10fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a90000" filename = "" Region: id = 867 start_va = 0xc20000 end_va = 0xcdffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c20000" filename = "" Region: id = 868 start_va = 0xce0000 end_va = 0x10d2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 869 start_va = 0x1190000 end_va = 0x119ffff entry_point = 0x0 region_type = private name = "private_0x0000000001190000" filename = "" Region: id = 870 start_va = 0x11e0000 end_va = 0x125ffff entry_point = 0x0 region_type = private name = "private_0x00000000011e0000" filename = "" Region: id = 871 start_va = 0x12a0000 end_va = 0x131ffff entry_point = 0x0 region_type = private name = "private_0x00000000012a0000" filename = "" Region: id = 872 start_va = 0x13c0000 end_va = 0x143ffff entry_point = 0x0 region_type = private name = "private_0x00000000013c0000" filename = "" Region: id = 873 start_va = 0x14d0000 end_va = 0x154ffff entry_point = 0x0 region_type = private name = "private_0x00000000014d0000" filename = "" Region: id = 874 start_va = 0x15a0000 end_va = 0x161ffff entry_point = 0x0 region_type = private name = "private_0x00000000015a0000" filename = "" Region: id = 875 start_va = 0x1690000 end_va = 0x170ffff entry_point = 0x0 region_type = private name = "private_0x0000000001690000" filename = "" Region: id = 876 start_va = 0x1740000 end_va = 0x17bffff entry_point = 0x0 region_type = private name = "private_0x0000000001740000" filename = "" Region: id = 877 start_va = 0x17c0000 end_va = 0x18bffff entry_point = 0x0 region_type = private name = "private_0x00000000017c0000" filename = "" Region: id = 878 start_va = 0x18e0000 end_va = 0x195ffff entry_point = 0x0 region_type = private name = "private_0x00000000018e0000" filename = "" Region: id = 879 start_va = 0x1980000 end_va = 0x19fffff entry_point = 0x0 region_type = private name = "private_0x0000000001980000" filename = "" Region: id = 880 start_va = 0x1be0000 end_va = 0x1c5ffff entry_point = 0x0 region_type = private name = "private_0x0000000001be0000" filename = "" Region: id = 881 start_va = 0x1cd0000 end_va = 0x1d4ffff entry_point = 0x0 region_type = private name = "private_0x0000000001cd0000" filename = "" Region: id = 882 start_va = 0x1d50000 end_va = 0x1e4ffff entry_point = 0x0 region_type = private name = "private_0x0000000001d50000" filename = "" Region: id = 883 start_va = 0x1e50000 end_va = 0x1f4ffff entry_point = 0x0 region_type = private name = "private_0x0000000001e50000" filename = "" Region: id = 884 start_va = 0x77640000 end_va = 0x77739fff entry_point = 0x77640000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 885 start_va = 0x77740000 end_va = 0x7785efff entry_point = 0x77740000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 886 start_va = 0x77860000 end_va = 0x77a08fff entry_point = 0x77860000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 887 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 888 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 889 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 890 start_va = 0xfff20000 end_va = 0xfff2afff entry_point = 0xfff20000 region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 891 start_va = 0x7fef7040000 end_va = 0x7fef7065fff entry_point = 0x7fef7040000 region_type = mapped_file name = "wmiutils.dll" filename = "\\Windows\\System32\\wbem\\wmiutils.dll" (normalized: "c:\\windows\\system32\\wbem\\wmiutils.dll") Region: id = 892 start_va = 0x7fef7070000 end_va = 0x7fef7083fff entry_point = 0x7fef7070000 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\System32\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemsvc.dll") Region: id = 893 start_va = 0x7fef7370000 end_va = 0x7fef737efff entry_point = 0x7fef7370000 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll") Region: id = 894 start_va = 0x7fef7380000 end_va = 0x7fef73a6fff entry_point = 0x7fef7380000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 895 start_va = 0x7fef73b0000 end_va = 0x7fef7491fff entry_point = 0x7fef73b0000 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\System32\\wbem\\fastprox.dll" (normalized: "c:\\windows\\system32\\wbem\\fastprox.dll") Region: id = 896 start_va = 0x7fef74a0000 end_va = 0x7fef74d1fff entry_point = 0x7fef74a0000 region_type = mapped_file name = "wmidcprv.dll" filename = "\\Windows\\System32\\wbem\\WmiDcPrv.dll" (normalized: "c:\\windows\\system32\\wbem\\wmidcprv.dll") Region: id = 897 start_va = 0x7fef7690000 end_va = 0x7fef7715fff entry_point = 0x7fef7690000 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\System32\\wbemcomn.dll" (normalized: "c:\\windows\\system32\\wbemcomn.dll") Region: id = 898 start_va = 0x7fefba10000 end_va = 0x7fefba20fff entry_point = 0x7fefba10000 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 899 start_va = 0x7fefc7a0000 end_va = 0x7fefc7ccfff entry_point = 0x7fefc7a0000 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 900 start_va = 0x7fefca70000 end_va = 0x7fefcaf0fff entry_point = 0x7fefca70000 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 901 start_va = 0x7fefcb00000 end_va = 0x7fefcb2bfff entry_point = 0x7fefcb00000 region_type = mapped_file name = "umpo.dll" filename = "\\Windows\\System32\\umpo.dll" (normalized: "c:\\windows\\system32\\umpo.dll") Region: id = 902 start_va = 0x7fefcb30000 end_va = 0x7fefcb4afff entry_point = 0x7fefcb30000 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll") Region: id = 903 start_va = 0x7fefcb50000 end_va = 0x7fefcb6dfff entry_point = 0x7fefcb50000 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 904 start_va = 0x7fefcb70000 end_va = 0x7fefcb81fff entry_point = 0x7fefcb70000 region_type = mapped_file name = "devrtl.dll" filename = "\\Windows\\System32\\devrtl.dll" (normalized: "c:\\windows\\system32\\devrtl.dll") Region: id = 905 start_va = 0x7fefcb90000 end_va = 0x7fefcbaefff entry_point = 0x7fefcb90000 region_type = mapped_file name = "spinf.dll" filename = "\\Windows\\System32\\SPInf.dll" (normalized: "c:\\windows\\system32\\spinf.dll") Region: id = 906 start_va = 0x7fefcbb0000 end_va = 0x7fefcc16fff entry_point = 0x7fefcbb0000 region_type = mapped_file name = "umpnpmgr.dll" filename = "\\Windows\\System32\\umpnpmgr.dll" (normalized: "c:\\windows\\system32\\umpnpmgr.dll") Region: id = 907 start_va = 0x7fefcca0000 end_va = 0x7fefcca9fff entry_point = 0x7fefcca0000 region_type = mapped_file name = "credssp.dll" filename = "\\Windows\\System32\\credssp.dll" (normalized: "c:\\windows\\system32\\credssp.dll") Region: id = 908 start_va = 0x7fefccb0000 end_va = 0x7fefccbcfff entry_point = 0x7fefccb0000 region_type = mapped_file name = "pcwum.dll" filename = "\\Windows\\System32\\pcwum.dll" (normalized: "c:\\windows\\system32\\pcwum.dll") Region: id = 909 start_va = 0x7fefcda0000 end_va = 0x7fefcde6fff entry_point = 0x7fefcda0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 910 start_va = 0x7fefd0a0000 end_va = 0x7fefd0b6fff entry_point = 0x7fefd0a0000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 911 start_va = 0x7fefd670000 end_va = 0x7fefd694fff entry_point = 0x7fefd670000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 912 start_va = 0x7fefd6a0000 end_va = 0x7fefd6aefff entry_point = 0x7fefd6a0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 913 start_va = 0x7fefd750000 end_va = 0x7fefd78cfff entry_point = 0x7fefd750000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 914 start_va = 0x7fefd790000 end_va = 0x7fefd7a3fff entry_point = 0x7fefd790000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 915 start_va = 0x7fefd7b0000 end_va = 0x7fefd7befff entry_point = 0x7fefd7b0000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 916 start_va = 0x7fefd850000 end_va = 0x7fefd85efff entry_point = 0x7fefd850000 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 917 start_va = 0x7fefd900000 end_va = 0x7fefd96afff entry_point = 0x7fefd900000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 918 start_va = 0x7fefd970000 end_va = 0x7fefd989fff entry_point = 0x7fefd970000 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 919 start_va = 0x7fefd990000 end_va = 0x7fefdaf6fff entry_point = 0x7fefd990000 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 920 start_va = 0x7fefdb00000 end_va = 0x7fefdb35fff entry_point = 0x7fefdb00000 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 921 start_va = 0x7fefdb40000 end_va = 0x7fefdb79fff entry_point = 0x7fefdb40000 region_type = mapped_file name = "wintrust.dll" filename = "\\Windows\\System32\\wintrust.dll" (normalized: "c:\\windows\\system32\\wintrust.dll") Region: id = 922 start_va = 0x7fefdb80000 end_va = 0x7fefdc48fff entry_point = 0x7fefdb80000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 923 start_va = 0x7fefdc50000 end_va = 0x7fefdd26fff entry_point = 0x7fefdc50000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 924 start_va = 0x7fefdd30000 end_va = 0x7fefdd3dfff entry_point = 0x7fefdd30000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 925 start_va = 0x7fefdd40000 end_va = 0x7fefdd6dfff entry_point = 0x7fefdd40000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 926 start_va = 0x7fefdef0000 end_va = 0x7fefdef7fff entry_point = 0x7fefdef0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 927 start_va = 0x7fefed10000 end_va = 0x7fefed76fff entry_point = 0x7fefed10000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 928 start_va = 0x7fefed80000 end_va = 0x7fefee88fff entry_point = 0x7fefed80000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 929 start_va = 0x7feff0f0000 end_va = 0x7feff1cafff entry_point = 0x7feff0f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 930 start_va = 0x7feff1d0000 end_va = 0x7feff2fcfff entry_point = 0x7feff1d0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 931 start_va = 0x7feff300000 end_va = 0x7feff4d6fff entry_point = 0x7feff300000 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll") Region: id = 932 start_va = 0x7feff560000 end_va = 0x7feff5f8fff entry_point = 0x7feff560000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 933 start_va = 0x7feff600000 end_va = 0x7feff651fff entry_point = 0x7feff600000 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll") Region: id = 934 start_va = 0x7feff850000 end_va = 0x7feff86efff entry_point = 0x7feff850000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 935 start_va = 0x7feff870000 end_va = 0x7feffa72fff entry_point = 0x7feff870000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 936 start_va = 0x7feffa80000 end_va = 0x7feffb1efff entry_point = 0x7feffa80000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 937 start_va = 0x7feffb20000 end_va = 0x7feffb6cfff entry_point = 0x7feffb20000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 938 start_va = 0x7feffb80000 end_va = 0x7feffb80fff entry_point = 0x7feffb80000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 939 start_va = 0x7fffff9a000 end_va = 0x7fffff9bfff entry_point = 0x0 region_type = private name = "private_0x000007fffff9a000" filename = "" Region: id = 940 start_va = 0x7fffffa0000 end_va = 0x7fffffa1fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa0000" filename = "" Region: id = 941 start_va = 0x7fffffa2000 end_va = 0x7fffffa3fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa2000" filename = "" Region: id = 942 start_va = 0x7fffffa6000 end_va = 0x7fffffa7fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa6000" filename = "" Region: id = 943 start_va = 0x7fffffa8000 end_va = 0x7fffffa9fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa8000" filename = "" Region: id = 944 start_va = 0x7fffffaa000 end_va = 0x7fffffabfff entry_point = 0x0 region_type = private name = "private_0x000007fffffaa000" filename = "" Region: id = 945 start_va = 0x7fffffae000 end_va = 0x7fffffaffff entry_point = 0x0 region_type = private name = "private_0x000007fffffae000" filename = "" Region: id = 946 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 947 start_va = 0x7fffffd4000 end_va = 0x7fffffd4fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd4000" filename = "" Region: id = 948 start_va = 0x7fffffd6000 end_va = 0x7fffffd7fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd6000" filename = "" Region: id = 949 start_va = 0x7fffffd8000 end_va = 0x7fffffd9fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd8000" filename = "" Region: id = 950 start_va = 0x7fffffda000 end_va = 0x7fffffdbfff entry_point = 0x0 region_type = private name = "private_0x000007fffffda000" filename = "" Region: id = 951 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 952 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Thread: id = 96 os_tid = 0x684 Thread: id = 97 os_tid = 0x668 Thread: id = 98 os_tid = 0x2a0 Thread: id = 99 os_tid = 0x29c Thread: id = 100 os_tid = 0x284 Thread: id = 101 os_tid = 0x280 Thread: id = 102 os_tid = 0x27c Thread: id = 103 os_tid = 0x278 Thread: id = 104 os_tid = 0x26c Thread: id = 105 os_tid = 0x264 Thread: id = 106 os_tid = 0x260 Thread: id = 107 os_tid = 0x258 Thread: id = 285 os_tid = 0x9a8 Thread: id = 427 os_tid = 0x538 Thread: id = 478 os_tid = 0x95c Process: id = "7" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x2b664000" os_pid = "0x294" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "5" os_parent_pid = "0x1d4" cmd_line = "C:\\Windows\\system32\\svchost.exe -k RPCSS" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Network Service" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\RpcEptMapper" [0xe], "NT SERVICE\\RpcSs" [0xa], "NT AUTHORITY\\Logon Session 00000000:00009393" [0xc000000f], "LOCAL" [0x7] Region: id = 764 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 765 start_va = 0x20000 end_va = 0x26fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 766 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 767 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 768 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 769 start_va = 0xc0000 end_va = 0xc1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 770 start_va = 0xd0000 end_va = 0xd0fff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 771 start_va = 0x160000 end_va = 0x160fff entry_point = 0x0 region_type = private name = "private_0x0000000000160000" filename = "" Region: id = 772 start_va = 0x170000 end_va = 0x170fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000170000" filename = "" Region: id = 773 start_va = 0x180000 end_va = 0x180fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000180000" filename = "" Region: id = 774 start_va = 0x1a0000 end_va = 0x1affff entry_point = 0x0 region_type = private name = "private_0x00000000001a0000" filename = "" Region: id = 775 start_va = 0x1f0000 end_va = 0x26ffff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 776 start_va = 0x270000 end_va = 0x36ffff entry_point = 0x0 region_type = private name = "private_0x0000000000270000" filename = "" Region: id = 777 start_va = 0x3d0000 end_va = 0x4cffff entry_point = 0x0 region_type = private name = "private_0x00000000003d0000" filename = "" Region: id = 778 start_va = 0x530000 end_va = 0x5affff entry_point = 0x0 region_type = private name = "private_0x0000000000530000" filename = "" Region: id = 779 start_va = 0x630000 end_va = 0x6affff entry_point = 0x0 region_type = private name = "private_0x0000000000630000" filename = "" Region: id = 780 start_va = 0x710000 end_va = 0x9defff entry_point = 0x710000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 781 start_va = 0xa30000 end_va = 0xaaffff entry_point = 0x0 region_type = private name = "private_0x0000000000a30000" filename = "" Region: id = 782 start_va = 0xad0000 end_va = 0xb4ffff entry_point = 0x0 region_type = private name = "private_0x0000000000ad0000" filename = "" Region: id = 783 start_va = 0xbc0000 end_va = 0xc3ffff entry_point = 0x0 region_type = private name = "private_0x0000000000bc0000" filename = "" Region: id = 784 start_va = 0xc40000 end_va = 0xdc7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c40000" filename = "" Region: id = 785 start_va = 0xdd0000 end_va = 0xf50fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000dd0000" filename = "" Region: id = 786 start_va = 0xf60000 end_va = 0x101ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f60000" filename = "" Region: id = 787 start_va = 0x1020000 end_va = 0x1412fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001020000" filename = "" Region: id = 788 start_va = 0x1450000 end_va = 0x14cffff entry_point = 0x0 region_type = private name = "private_0x0000000001450000" filename = "" Region: id = 789 start_va = 0x14f0000 end_va = 0x156ffff entry_point = 0x0 region_type = private name = "private_0x00000000014f0000" filename = "" Region: id = 790 start_va = 0x1570000 end_va = 0x166ffff entry_point = 0x0 region_type = private name = "private_0x0000000001570000" filename = "" Region: id = 791 start_va = 0x16c0000 end_va = 0x173ffff entry_point = 0x0 region_type = private name = "private_0x00000000016c0000" filename = "" Region: id = 792 start_va = 0x1770000 end_va = 0x17effff entry_point = 0x0 region_type = private name = "private_0x0000000001770000" filename = "" Region: id = 793 start_va = 0x77640000 end_va = 0x77739fff entry_point = 0x77640000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 794 start_va = 0x77740000 end_va = 0x7785efff entry_point = 0x77740000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 795 start_va = 0x77860000 end_va = 0x77a08fff entry_point = 0x77860000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 796 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 797 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 798 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 799 start_va = 0xfff20000 end_va = 0xfff2afff entry_point = 0xfff20000 region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 800 start_va = 0x7fefafe0000 end_va = 0x7fefb032fff entry_point = 0x7fefafe0000 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 801 start_va = 0x7fefba10000 end_va = 0x7fefba20fff entry_point = 0x7fefba10000 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 802 start_va = 0x7fefc970000 end_va = 0x7fefc97bfff entry_point = 0x7fefc970000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 803 start_va = 0x7fefc980000 end_va = 0x7fefca3afff entry_point = 0x7fefc980000 region_type = mapped_file name = "firewallapi.dll" filename = "\\Windows\\System32\\FirewallAPI.dll" (normalized: "c:\\windows\\system32\\firewallapi.dll") Region: id = 804 start_va = 0x7fefca40000 end_va = 0x7fefca46fff entry_point = 0x7fefca40000 region_type = mapped_file name = "wshtcpip.dll" filename = "\\Windows\\System32\\WSHTCPIP.DLL" (normalized: "c:\\windows\\system32\\wshtcpip.dll") Region: id = 805 start_va = 0x7fefca50000 end_va = 0x7fefca63fff entry_point = 0x7fefca50000 region_type = mapped_file name = "rpcepmap.dll" filename = "\\Windows\\System32\\RpcEpMap.dll" (normalized: "c:\\windows\\system32\\rpcepmap.dll") Region: id = 806 start_va = 0x7fefca70000 end_va = 0x7fefcaf0fff entry_point = 0x7fefca70000 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 807 start_va = 0x7fefcca0000 end_va = 0x7fefcca9fff entry_point = 0x7fefcca0000 region_type = mapped_file name = "credssp.dll" filename = "\\Windows\\System32\\credssp.dll" (normalized: "c:\\windows\\system32\\credssp.dll") Region: id = 808 start_va = 0x7fefcda0000 end_va = 0x7fefcde6fff entry_point = 0x7fefcda0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 809 start_va = 0x7fefd030000 end_va = 0x7fefd036fff entry_point = 0x7fefd030000 region_type = mapped_file name = "wship6.dll" filename = "\\Windows\\System32\\wship6.dll" (normalized: "c:\\windows\\system32\\wship6.dll") Region: id = 810 start_va = 0x7fefd040000 end_va = 0x7fefd094fff entry_point = 0x7fefd040000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 811 start_va = 0x7fefd0a0000 end_va = 0x7fefd0b6fff entry_point = 0x7fefd0a0000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 812 start_va = 0x7fefd640000 end_va = 0x7fefd64afff entry_point = 0x7fefd640000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 813 start_va = 0x7fefd670000 end_va = 0x7fefd694fff entry_point = 0x7fefd670000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 814 start_va = 0x7fefd6a0000 end_va = 0x7fefd6aefff entry_point = 0x7fefd6a0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 815 start_va = 0x7fefd750000 end_va = 0x7fefd78cfff entry_point = 0x7fefd750000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 816 start_va = 0x7fefd790000 end_va = 0x7fefd7a3fff entry_point = 0x7fefd790000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 817 start_va = 0x7fefd900000 end_va = 0x7fefd96afff entry_point = 0x7fefd900000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 818 start_va = 0x7fefdb80000 end_va = 0x7fefdc48fff entry_point = 0x7fefdb80000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 819 start_va = 0x7fefdc50000 end_va = 0x7fefdd26fff entry_point = 0x7fefdc50000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 820 start_va = 0x7fefdd30000 end_va = 0x7fefdd3dfff entry_point = 0x7fefdd30000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 821 start_va = 0x7fefdd40000 end_va = 0x7fefdd6dfff entry_point = 0x7fefdd40000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 822 start_va = 0x7fefdef0000 end_va = 0x7fefdef7fff entry_point = 0x7fefdef0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 823 start_va = 0x7fefed10000 end_va = 0x7fefed76fff entry_point = 0x7fefed10000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 824 start_va = 0x7fefed80000 end_va = 0x7fefee88fff entry_point = 0x7fefed80000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 825 start_va = 0x7feff0f0000 end_va = 0x7feff1cafff entry_point = 0x7feff0f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 826 start_va = 0x7feff1d0000 end_va = 0x7feff2fcfff entry_point = 0x7feff1d0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 827 start_va = 0x7feff560000 end_va = 0x7feff5f8fff entry_point = 0x7feff560000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 828 start_va = 0x7feff850000 end_va = 0x7feff86efff entry_point = 0x7feff850000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 829 start_va = 0x7feff870000 end_va = 0x7feffa72fff entry_point = 0x7feff870000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 830 start_va = 0x7feffa80000 end_va = 0x7feffb1efff entry_point = 0x7feffa80000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 831 start_va = 0x7feffb20000 end_va = 0x7feffb6cfff entry_point = 0x7feffb20000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 832 start_va = 0x7feffb80000 end_va = 0x7feffb80fff entry_point = 0x7feffb80000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 833 start_va = 0x7fffffa6000 end_va = 0x7fffffa7fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa6000" filename = "" Region: id = 834 start_va = 0x7fffffa8000 end_va = 0x7fffffa9fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa8000" filename = "" Region: id = 835 start_va = 0x7fffffaa000 end_va = 0x7fffffabfff entry_point = 0x0 region_type = private name = "private_0x000007fffffaa000" filename = "" Region: id = 836 start_va = 0x7fffffac000 end_va = 0x7fffffadfff entry_point = 0x0 region_type = private name = "private_0x000007fffffac000" filename = "" Region: id = 837 start_va = 0x7fffffae000 end_va = 0x7fffffaffff entry_point = 0x0 region_type = private name = "private_0x000007fffffae000" filename = "" Region: id = 838 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 839 start_va = 0x7fffffd4000 end_va = 0x7fffffd5fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd4000" filename = "" Region: id = 840 start_va = 0x7fffffd6000 end_va = 0x7fffffd7fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd6000" filename = "" Region: id = 841 start_va = 0x7fffffd8000 end_va = 0x7fffffd8fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd8000" filename = "" Region: id = 842 start_va = 0x7fffffda000 end_va = 0x7fffffdbfff entry_point = 0x0 region_type = private name = "private_0x000007fffffda000" filename = "" Region: id = 843 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Thread: id = 108 os_tid = 0x788 Thread: id = 109 os_tid = 0x740 Thread: id = 110 os_tid = 0x3fc Thread: id = 111 os_tid = 0x2c0 Thread: id = 112 os_tid = 0x2bc Thread: id = 113 os_tid = 0x2b8 Thread: id = 114 os_tid = 0x2b4 Thread: id = 115 os_tid = 0x2ac Thread: id = 116 os_tid = 0x298 Thread: id = 428 os_tid = 0x638 Process: id = "8" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x2b274000" os_pid = "0x2c8" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "5" os_parent_pid = "0x1d4" cmd_line = "C:\\Windows\\System32\\svchost.exe -k LocalServiceNetworkRestricted" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Local Service" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\Audiosrv" [0xa], "NT SERVICE\\Dhcp" [0xa], "NT SERVICE\\eventlog" [0xe], "NT SERVICE\\HomeGroupProvider" [0xa], "NT SERVICE\\lmhosts" [0xa], "NT SERVICE\\WPCSvc" [0xa], "NT SERVICE\\wscsvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000969f" [0xc000000f], "LOCAL" [0x7] Region: id = 1198 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1199 start_va = 0x20000 end_va = 0x26fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 1200 start_va = 0x30000 end_va = 0xaffff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 1201 start_va = 0xb0000 end_va = 0xb3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000b0000" filename = "" Region: id = 1202 start_va = 0xc0000 end_va = 0xc0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 1203 start_va = 0xd0000 end_va = 0x136fff entry_point = 0xd0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1204 start_va = 0x140000 end_va = 0x141fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000140000" filename = "" Region: id = 1205 start_va = 0x150000 end_va = 0x150fff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 1206 start_va = 0x160000 end_va = 0x160fff entry_point = 0x0 region_type = private name = "private_0x0000000000160000" filename = "" Region: id = 1207 start_va = 0x170000 end_va = 0x1affff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 1208 start_va = 0x1b0000 end_va = 0x1bffff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 1209 start_va = 0x1c0000 end_va = 0x1dffff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 1210 start_va = 0x1e0000 end_va = 0x1fffff entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 1211 start_va = 0x200000 end_va = 0x2fffff entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 1212 start_va = 0x300000 end_va = 0x3fffff entry_point = 0x0 region_type = private name = "private_0x0000000000300000" filename = "" Region: id = 1213 start_va = 0x400000 end_va = 0x587fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 1214 start_va = 0x590000 end_va = 0x710fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000590000" filename = "" Region: id = 1215 start_va = 0x720000 end_va = 0x7dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000720000" filename = "" Region: id = 1216 start_va = 0x7e0000 end_va = 0xbd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007e0000" filename = "" Region: id = 1217 start_va = 0xbe0000 end_va = 0xbfffff entry_point = 0x0 region_type = private name = "private_0x0000000000be0000" filename = "" Region: id = 1218 start_va = 0xc00000 end_va = 0xc00fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c00000" filename = "" Region: id = 1219 start_va = 0xc10000 end_va = 0xc10fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c10000" filename = "" Region: id = 1220 start_va = 0xc20000 end_va = 0xc20fff entry_point = 0x0 region_type = private name = "private_0x0000000000c20000" filename = "" Region: id = 1221 start_va = 0xc30000 end_va = 0xc30fff entry_point = 0x0 region_type = private name = "private_0x0000000000c30000" filename = "" Region: id = 1222 start_va = 0xc40000 end_va = 0xcbffff entry_point = 0x0 region_type = private name = "private_0x0000000000c40000" filename = "" Region: id = 1223 start_va = 0xcc0000 end_va = 0xd3ffff entry_point = 0x0 region_type = private name = "private_0x0000000000cc0000" filename = "" Region: id = 1224 start_va = 0xd40000 end_va = 0xdbffff entry_point = 0x0 region_type = private name = "private_0x0000000000d40000" filename = "" Region: id = 1225 start_va = 0xdc0000 end_va = 0xe3ffff entry_point = 0x0 region_type = private name = "private_0x0000000000dc0000" filename = "" Region: id = 1226 start_va = 0xe40000 end_va = 0xe40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e40000" filename = "" Region: id = 1227 start_va = 0xe50000 end_va = 0xe51fff entry_point = 0x0 region_type = private name = "private_0x0000000000e50000" filename = "" Region: id = 1228 start_va = 0xe60000 end_va = 0xe60fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e60000" filename = "" Region: id = 1229 start_va = 0xe70000 end_va = 0xeeffff entry_point = 0x0 region_type = private name = "private_0x0000000000e70000" filename = "" Region: id = 1230 start_va = 0xef0000 end_va = 0x11befff entry_point = 0xef0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1231 start_va = 0x11c0000 end_va = 0x12bffff entry_point = 0x0 region_type = private name = "private_0x00000000011c0000" filename = "" Region: id = 1232 start_va = 0x12c0000 end_va = 0x133ffff entry_point = 0x0 region_type = private name = "private_0x00000000012c0000" filename = "" Region: id = 1233 start_va = 0x1380000 end_va = 0x1387fff entry_point = 0x0 region_type = private name = "private_0x0000000001380000" filename = "" Region: id = 1234 start_va = 0x13a0000 end_va = 0x141ffff entry_point = 0x0 region_type = private name = "private_0x00000000013a0000" filename = "" Region: id = 1235 start_va = 0x1420000 end_va = 0x151ffff entry_point = 0x0 region_type = private name = "private_0x0000000001420000" filename = "" Region: id = 1236 start_va = 0x1560000 end_va = 0x15dffff entry_point = 0x0 region_type = private name = "private_0x0000000001560000" filename = "" Region: id = 1237 start_va = 0x1620000 end_va = 0x169ffff entry_point = 0x0 region_type = private name = "private_0x0000000001620000" filename = "" Region: id = 1238 start_va = 0x16c0000 end_va = 0x173ffff entry_point = 0x0 region_type = private name = "private_0x00000000016c0000" filename = "" Region: id = 1239 start_va = 0x1780000 end_va = 0x17fffff entry_point = 0x0 region_type = private name = "private_0x0000000001780000" filename = "" Region: id = 1240 start_va = 0x1860000 end_va = 0x18dffff entry_point = 0x0 region_type = private name = "private_0x0000000001860000" filename = "" Region: id = 1241 start_va = 0x1900000 end_va = 0x197ffff entry_point = 0x0 region_type = private name = "private_0x0000000001900000" filename = "" Region: id = 1242 start_va = 0x1980000 end_va = 0x19fffff entry_point = 0x0 region_type = private name = "private_0x0000000001980000" filename = "" Region: id = 1243 start_va = 0x1a50000 end_va = 0x1acffff entry_point = 0x0 region_type = private name = "private_0x0000000001a50000" filename = "" Region: id = 1244 start_va = 0x1ad0000 end_va = 0x1b31fff entry_point = 0x1ad0000 region_type = mapped_file name = "winlogon.exe" filename = "\\Windows\\System32\\winlogon.exe" (normalized: "c:\\windows\\system32\\winlogon.exe") Region: id = 1245 start_va = 0x1b40000 end_va = 0x1bbffff entry_point = 0x0 region_type = private name = "private_0x0000000001b40000" filename = "" Region: id = 1246 start_va = 0x1bc0000 end_va = 0x1dbffff entry_point = 0x0 region_type = private name = "private_0x0000000001bc0000" filename = "" Region: id = 1247 start_va = 0x1e10000 end_va = 0x1e8ffff entry_point = 0x0 region_type = private name = "private_0x0000000001e10000" filename = "" Region: id = 1248 start_va = 0x1fb0000 end_va = 0x202ffff entry_point = 0x0 region_type = private name = "private_0x0000000001fb0000" filename = "" Region: id = 1249 start_va = 0x20f0000 end_va = 0x24effff entry_point = 0x0 region_type = private name = "private_0x00000000020f0000" filename = "" Region: id = 1250 start_va = 0x24f0000 end_va = 0x28f2fff entry_point = 0x0 region_type = private name = "private_0x00000000024f0000" filename = "" Region: id = 1251 start_va = 0x2990000 end_va = 0x2a0ffff entry_point = 0x0 region_type = private name = "private_0x0000000002990000" filename = "" Region: id = 1252 start_va = 0x73f70000 end_va = 0x73f72fff entry_point = 0x73f70000 region_type = mapped_file name = "winmgmtr.dll" filename = "\\Windows\\System32\\wbem\\WinMgmtR.dll" (normalized: "c:\\windows\\system32\\wbem\\winmgmtr.dll") Region: id = 1253 start_va = 0x77640000 end_va = 0x77739fff entry_point = 0x77640000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1254 start_va = 0x77740000 end_va = 0x7785efff entry_point = 0x77740000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1255 start_va = 0x77860000 end_va = 0x77a08fff entry_point = 0x77860000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1256 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 1257 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 1258 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1259 start_va = 0xff930000 end_va = 0xff991fff entry_point = 0xff930000 region_type = mapped_file name = "winlogon.exe" filename = "\\Windows\\System32\\winlogon.exe" (normalized: "c:\\windows\\system32\\winlogon.exe") Region: id = 1260 start_va = 0xffeb0000 end_va = 0xfff02fff entry_point = 0xffeb0000 region_type = mapped_file name = "services.exe" filename = "\\Windows\\System32\\services.exe" (normalized: "c:\\windows\\system32\\services.exe") Region: id = 1261 start_va = 0xfff20000 end_va = 0xfff2afff entry_point = 0xfff20000 region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 1262 start_va = 0x7fef80f0000 end_va = 0x7fef813efff entry_point = 0x7fef80f0000 region_type = mapped_file name = "audioses.dll" filename = "\\Windows\\System32\\AudioSes.dll" (normalized: "c:\\windows\\system32\\audioses.dll") Region: id = 1263 start_va = 0x7fefaef0000 end_va = 0x7fefaf07fff entry_point = 0x7fefaef0000 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll") Region: id = 1264 start_va = 0x7fefaf10000 end_va = 0x7fefaf20fff entry_point = 0x7fefaf10000 region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll") Region: id = 1265 start_va = 0x7fefb070000 end_va = 0x7fefb0aafff entry_point = 0x7fefb070000 region_type = mapped_file name = "dhcpcore6.dll" filename = "\\Windows\\System32\\dhcpcore6.dll" (normalized: "c:\\windows\\system32\\dhcpcore6.dll") Region: id = 1266 start_va = 0x7fefb0b0000 end_va = 0x7fefb100fff entry_point = 0x7fefb0b0000 region_type = mapped_file name = "dhcpcore.dll" filename = "\\Windows\\System32\\dhcpcore.dll" (normalized: "c:\\windows\\system32\\dhcpcore.dll") Region: id = 1267 start_va = 0x7fefb120000 end_va = 0x7fefb127fff entry_point = 0x7fefb120000 region_type = mapped_file name = "nrpsrv.dll" filename = "\\Windows\\System32\\nrpsrv.dll" (normalized: "c:\\windows\\system32\\nrpsrv.dll") Region: id = 1268 start_va = 0x7fefb130000 end_va = 0x7fefb13afff entry_point = 0x7fefb130000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 1269 start_va = 0x7fefb140000 end_va = 0x7fefb166fff entry_point = 0x7fefb140000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 1270 start_va = 0x7fefb170000 end_va = 0x7fefb179fff entry_point = 0x7fefb170000 region_type = mapped_file name = "lmhsvc.dll" filename = "\\Windows\\System32\\lmhsvc.dll" (normalized: "c:\\windows\\system32\\lmhsvc.dll") Region: id = 1271 start_va = 0x7fefc530000 end_va = 0x7fefc538fff entry_point = 0x7fefc530000 region_type = mapped_file name = "avrt.dll" filename = "\\Windows\\System32\\avrt.dll" (normalized: "c:\\windows\\system32\\avrt.dll") Region: id = 1272 start_va = 0x7fefc540000 end_va = 0x7fefc66bfff entry_point = 0x7fefc540000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 1273 start_va = 0x7fefc670000 end_va = 0x7fefc6bafff entry_point = 0x7fefc670000 region_type = mapped_file name = "mmdevapi.dll" filename = "\\Windows\\System32\\MMDevAPI.dll" (normalized: "c:\\windows\\system32\\mmdevapi.dll") Region: id = 1274 start_va = 0x7fefc6c0000 end_va = 0x7fefc6ebfff entry_point = 0x7fefc6c0000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 1275 start_va = 0x7fefc6f0000 end_va = 0x7fefc79bfff entry_point = 0x7fefc6f0000 region_type = mapped_file name = "audiosrv.dll" filename = "\\Windows\\System32\\audiosrv.dll" (normalized: "c:\\windows\\system32\\audiosrv.dll") Region: id = 1276 start_va = 0x7fefc7a0000 end_va = 0x7fefc7ccfff entry_point = 0x7fefc7a0000 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 1277 start_va = 0x7fefc7d0000 end_va = 0x7fefc965fff entry_point = 0x7fefc7d0000 region_type = mapped_file name = "wevtsvc.dll" filename = "\\Windows\\System32\\wevtsvc.dll" (normalized: "c:\\windows\\system32\\wevtsvc.dll") Region: id = 1278 start_va = 0x7fefc970000 end_va = 0x7fefc97bfff entry_point = 0x7fefc970000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 1279 start_va = 0x7fefc980000 end_va = 0x7fefca3afff entry_point = 0x7fefc980000 region_type = mapped_file name = "firewallapi.dll" filename = "\\Windows\\System32\\FirewallAPI.dll" (normalized: "c:\\windows\\system32\\firewallapi.dll") Region: id = 1280 start_va = 0x7fefca40000 end_va = 0x7fefca46fff entry_point = 0x7fefca40000 region_type = mapped_file name = "wshtcpip.dll" filename = "\\Windows\\System32\\WSHTCPIP.DLL" (normalized: "c:\\windows\\system32\\wshtcpip.dll") Region: id = 1281 start_va = 0x7fefcb30000 end_va = 0x7fefcb4afff entry_point = 0x7fefcb30000 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll") Region: id = 1282 start_va = 0x7fefcca0000 end_va = 0x7fefcca9fff entry_point = 0x7fefcca0000 region_type = mapped_file name = "credssp.dll" filename = "\\Windows\\System32\\credssp.dll" (normalized: "c:\\windows\\system32\\credssp.dll") Region: id = 1283 start_va = 0x7fefcda0000 end_va = 0x7fefcde6fff entry_point = 0x7fefcda0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 1284 start_va = 0x7fefcec0000 end_va = 0x7fefcf1afff entry_point = 0x7fefcec0000 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 1285 start_va = 0x7fefd030000 end_va = 0x7fefd036fff entry_point = 0x7fefd030000 region_type = mapped_file name = "wship6.dll" filename = "\\Windows\\System32\\wship6.dll" (normalized: "c:\\windows\\system32\\wship6.dll") Region: id = 1286 start_va = 0x7fefd040000 end_va = 0x7fefd094fff entry_point = 0x7fefd040000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 1287 start_va = 0x7fefd0a0000 end_va = 0x7fefd0b6fff entry_point = 0x7fefd0a0000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 1288 start_va = 0x7fefd2d0000 end_va = 0x7fefd33cfff entry_point = 0x7fefd2d0000 region_type = mapped_file name = "wevtapi.dll" filename = "\\Windows\\System32\\wevtapi.dll" (normalized: "c:\\windows\\system32\\wevtapi.dll") Region: id = 1289 start_va = 0x7fefd640000 end_va = 0x7fefd64afff entry_point = 0x7fefd640000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 1290 start_va = 0x7fefd670000 end_va = 0x7fefd694fff entry_point = 0x7fefd670000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 1291 start_va = 0x7fefd6a0000 end_va = 0x7fefd6aefff entry_point = 0x7fefd6a0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 1292 start_va = 0x7fefd750000 end_va = 0x7fefd78cfff entry_point = 0x7fefd750000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 1293 start_va = 0x7fefd790000 end_va = 0x7fefd7a3fff entry_point = 0x7fefd790000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 1294 start_va = 0x7fefd900000 end_va = 0x7fefd96afff entry_point = 0x7fefd900000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1295 start_va = 0x7fefd970000 end_va = 0x7fefd989fff entry_point = 0x7fefd970000 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 1296 start_va = 0x7fefdb00000 end_va = 0x7fefdb35fff entry_point = 0x7fefdb00000 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 1297 start_va = 0x7fefdb80000 end_va = 0x7fefdc48fff entry_point = 0x7fefdb80000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 1298 start_va = 0x7fefdc50000 end_va = 0x7fefdd26fff entry_point = 0x7fefdc50000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 1299 start_va = 0x7fefdd30000 end_va = 0x7fefdd3dfff entry_point = 0x7fefdd30000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 1300 start_va = 0x7fefdd40000 end_va = 0x7fefdd6dfff entry_point = 0x7fefdd40000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1301 start_va = 0x7fefdef0000 end_va = 0x7fefdef7fff entry_point = 0x7fefdef0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 1302 start_va = 0x7fefed10000 end_va = 0x7fefed76fff entry_point = 0x7fefed10000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1303 start_va = 0x7fefed80000 end_va = 0x7fefee88fff entry_point = 0x7fefed80000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 1304 start_va = 0x7feff0f0000 end_va = 0x7feff1cafff entry_point = 0x7feff0f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 1305 start_va = 0x7feff1d0000 end_va = 0x7feff2fcfff entry_point = 0x7feff1d0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1306 start_va = 0x7feff300000 end_va = 0x7feff4d6fff entry_point = 0x7feff300000 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll") Region: id = 1307 start_va = 0x7feff4e0000 end_va = 0x7feff550fff entry_point = 0x7feff4e0000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 1308 start_va = 0x7feff560000 end_va = 0x7feff5f8fff entry_point = 0x7feff560000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 1309 start_va = 0x7feff600000 end_va = 0x7feff651fff entry_point = 0x7feff600000 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll") Region: id = 1310 start_va = 0x7feff850000 end_va = 0x7feff86efff entry_point = 0x7feff850000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1311 start_va = 0x7feff870000 end_va = 0x7feffa72fff entry_point = 0x7feff870000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 1312 start_va = 0x7feffa80000 end_va = 0x7feffb1efff entry_point = 0x7feffa80000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1313 start_va = 0x7feffb20000 end_va = 0x7feffb6cfff entry_point = 0x7feffb20000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 1314 start_va = 0x7feffb80000 end_va = 0x7feffb80fff entry_point = 0x7feffb80000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 1315 start_va = 0x7fffff94000 end_va = 0x7fffff95fff entry_point = 0x0 region_type = private name = "private_0x000007fffff94000" filename = "" Region: id = 1316 start_va = 0x7fffff96000 end_va = 0x7fffff97fff entry_point = 0x0 region_type = private name = "private_0x000007fffff96000" filename = "" Region: id = 1317 start_va = 0x7fffff98000 end_va = 0x7fffff99fff entry_point = 0x0 region_type = private name = "private_0x000007fffff98000" filename = "" Region: id = 1318 start_va = 0x7fffff9c000 end_va = 0x7fffff9dfff entry_point = 0x0 region_type = private name = "private_0x000007fffff9c000" filename = "" Region: id = 1319 start_va = 0x7fffff9e000 end_va = 0x7fffff9ffff entry_point = 0x0 region_type = private name = "private_0x000007fffff9e000" filename = "" Region: id = 1320 start_va = 0x7fffffa0000 end_va = 0x7fffffa1fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa0000" filename = "" Region: id = 1321 start_va = 0x7fffffa2000 end_va = 0x7fffffa3fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa2000" filename = "" Region: id = 1322 start_va = 0x7fffffa4000 end_va = 0x7fffffa5fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa4000" filename = "" Region: id = 1323 start_va = 0x7fffffa6000 end_va = 0x7fffffa7fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa6000" filename = "" Region: id = 1324 start_va = 0x7fffffa8000 end_va = 0x7fffffa9fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa8000" filename = "" Region: id = 1325 start_va = 0x7fffffaa000 end_va = 0x7fffffabfff entry_point = 0x0 region_type = private name = "private_0x000007fffffaa000" filename = "" Region: id = 1326 start_va = 0x7fffffac000 end_va = 0x7fffffadfff entry_point = 0x0 region_type = private name = "private_0x000007fffffac000" filename = "" Region: id = 1327 start_va = 0x7fffffae000 end_va = 0x7fffffaffff entry_point = 0x0 region_type = private name = "private_0x000007fffffae000" filename = "" Region: id = 1328 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 1329 start_va = 0x7fffffd3000 end_va = 0x7fffffd4fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd3000" filename = "" Region: id = 1330 start_va = 0x7fffffd5000 end_va = 0x7fffffd5fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd5000" filename = "" Region: id = 1331 start_va = 0x7fffffd6000 end_va = 0x7fffffd7fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd6000" filename = "" Region: id = 1332 start_va = 0x7fffffd8000 end_va = 0x7fffffd9fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd8000" filename = "" Region: id = 1333 start_va = 0x7fffffda000 end_va = 0x7fffffdbfff entry_point = 0x0 region_type = private name = "private_0x000007fffffda000" filename = "" Region: id = 1334 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 1335 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 2877 start_va = 0x1340000 end_va = 0x134ffff entry_point = 0x0 region_type = private name = "private_0x0000000001340000" filename = "" Region: id = 2878 start_va = 0x1f40000 end_va = 0x1f4ffff entry_point = 0x0 region_type = private name = "private_0x0000000001f40000" filename = "" Region: id = 2879 start_va = 0x2ad0000 end_va = 0x2b4ffff entry_point = 0x0 region_type = private name = "private_0x0000000002ad0000" filename = "" Region: id = 2880 start_va = 0x7fef6d60000 end_va = 0x7fef6d67fff entry_point = 0x7fef6d60000 region_type = mapped_file name = "rasadhlp.dll" filename = "\\Windows\\System32\\rasadhlp.dll" (normalized: "c:\\windows\\system32\\rasadhlp.dll") Region: id = 2881 start_va = 0x7fefb300000 end_va = 0x7fefb314fff entry_point = 0x7fefb300000 region_type = mapped_file name = "nlaapi.dll" filename = "\\Windows\\System32\\nlaapi.dll" (normalized: "c:\\windows\\system32\\nlaapi.dll") Region: id = 2882 start_va = 0x7fefb990000 end_va = 0x7fefb9a8fff entry_point = 0x7fefb990000 region_type = mapped_file name = "pnrpnsp.dll" filename = "\\Windows\\System32\\pnrpnsp.dll" (normalized: "c:\\windows\\system32\\pnrpnsp.dll") Region: id = 2883 start_va = 0x7fefb9b0000 end_va = 0x7fefb9c4fff entry_point = 0x7fefb9b0000 region_type = mapped_file name = "napinsp.dll" filename = "\\Windows\\System32\\NapiNSP.dll" (normalized: "c:\\windows\\system32\\napinsp.dll") Region: id = 2884 start_va = 0x7fffff9a000 end_va = 0x7fffff9bfff entry_point = 0x0 region_type = private name = "private_0x000007fffff9a000" filename = "" Region: id = 2885 start_va = 0x7fefafe0000 end_va = 0x7fefb032fff entry_point = 0x7fefafe0000 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Thread: id = 117 os_tid = 0x890 Thread: id = 118 os_tid = 0x230 Thread: id = 119 os_tid = 0x598 Thread: id = 120 os_tid = 0x6a8 Thread: id = 121 os_tid = 0x618 Thread: id = 122 os_tid = 0x5e4 Thread: id = 123 os_tid = 0x5e0 Thread: id = 124 os_tid = 0x5dc Thread: id = 125 os_tid = 0x334 Thread: id = 126 os_tid = 0x1e0 Thread: id = 127 os_tid = 0x3c4 Thread: id = 128 os_tid = 0x3bc Thread: id = 129 os_tid = 0x3ac Thread: id = 130 os_tid = 0x300 Thread: id = 131 os_tid = 0x2fc Thread: id = 132 os_tid = 0x2ec Thread: id = 133 os_tid = 0x2e4 Thread: id = 134 os_tid = 0x2d4 Thread: id = 135 os_tid = 0x2cc Thread: id = 309 os_tid = 0xa80 Thread: id = 405 os_tid = 0x410 Thread: id = 429 os_tid = 0x810 Process: id = "9" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x2af7a000" os_pid = "0x310" os_integrity_level = "0x4000" os_privileges = "0x60b16080" monitor_reason = "child_process" parent_id = "5" os_parent_pid = "0x1d4" cmd_line = "C:\\Windows\\System32\\svchost.exe -k LocalSystemNetworkRestricted" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\AudioEndpointBuilder" [0xe], "NT SERVICE\\CscService" [0xa], "NT SERVICE\\dot3svc" [0xa], "NT SERVICE\\hidserv" [0xa], "NT SERVICE\\HomeGroupListener" [0xa], "NT SERVICE\\IPBusEnum" [0xa], "NT SERVICE\\Netman" [0xa], "NT SERVICE\\PcaSvc" [0xa], "NT SERVICE\\StorSvc" [0xa], "NT SERVICE\\TabletInputService" [0xa], "NT SERVICE\\TrkWks" [0xa], "NT SERVICE\\UmRdpService" [0xa], "NT SERVICE\\UxSms" [0xa], "NT SERVICE\\WdiSystemHost" [0xa], "NT SERVICE\\Wlansvc" [0xa], "NT SERVICE\\WPDBusEnum" [0xa], "NT SERVICE\\wudfsvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000a789" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Region: id = 1336 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1337 start_va = 0x20000 end_va = 0x26fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 1338 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1339 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 1340 start_va = 0x50000 end_va = 0xcffff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 1341 start_va = 0xd0000 end_va = 0x136fff entry_point = 0xd0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1342 start_va = 0x140000 end_va = 0x23ffff entry_point = 0x0 region_type = private name = "private_0x0000000000140000" filename = "" Region: id = 1343 start_va = 0x240000 end_va = 0x33ffff entry_point = 0x0 region_type = private name = "private_0x0000000000240000" filename = "" Region: id = 1344 start_va = 0x340000 end_va = 0x341fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000340000" filename = "" Region: id = 1345 start_va = 0x350000 end_va = 0x35ffff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 1346 start_va = 0x360000 end_va = 0x4e7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000360000" filename = "" Region: id = 1347 start_va = 0x4f0000 end_va = 0x670fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 1348 start_va = 0x680000 end_va = 0x73ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000680000" filename = "" Region: id = 1349 start_va = 0x740000 end_va = 0xb32fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000740000" filename = "" Region: id = 1350 start_va = 0xb40000 end_va = 0xb40fff entry_point = 0x0 region_type = private name = "private_0x0000000000b40000" filename = "" Region: id = 1351 start_va = 0xb50000 end_va = 0xb50fff entry_point = 0x0 region_type = private name = "private_0x0000000000b50000" filename = "" Region: id = 1352 start_va = 0xb60000 end_va = 0xb60fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b60000" filename = "" Region: id = 1353 start_va = 0xb70000 end_va = 0xb70fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b70000" filename = "" Region: id = 1354 start_va = 0xb80000 end_va = 0xb80fff entry_point = 0x0 region_type = private name = "private_0x0000000000b80000" filename = "" Region: id = 1355 start_va = 0xb90000 end_va = 0xb90fff entry_point = 0x0 region_type = private name = "private_0x0000000000b90000" filename = "" Region: id = 1356 start_va = 0xba0000 end_va = 0xba1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ba0000" filename = "" Region: id = 1357 start_va = 0xbb0000 end_va = 0xbb1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000bb0000" filename = "" Region: id = 1358 start_va = 0xbc0000 end_va = 0xbc1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000bc0000" filename = "" Region: id = 1359 start_va = 0xbd0000 end_va = 0xbd0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000bd0000" filename = "" Region: id = 1360 start_va = 0xbe0000 end_va = 0xc5ffff entry_point = 0x0 region_type = private name = "private_0x0000000000be0000" filename = "" Region: id = 1361 start_va = 0xc60000 end_va = 0xcdffff entry_point = 0x0 region_type = private name = "private_0x0000000000c60000" filename = "" Region: id = 1362 start_va = 0xce0000 end_va = 0xd5ffff entry_point = 0x0 region_type = private name = "private_0x0000000000ce0000" filename = "" Region: id = 1363 start_va = 0xd60000 end_va = 0xd6ffff entry_point = 0x0 region_type = private name = "private_0x0000000000d60000" filename = "" Region: id = 1364 start_va = 0xd70000 end_va = 0xd70fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 1365 start_va = 0xd80000 end_va = 0xd80fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d80000" filename = "" Region: id = 1366 start_va = 0xd90000 end_va = 0xe0ffff entry_point = 0x0 region_type = private name = "private_0x0000000000d90000" filename = "" Region: id = 1367 start_va = 0xe10000 end_va = 0xe8ffff entry_point = 0x0 region_type = private name = "private_0x0000000000e10000" filename = "" Region: id = 1368 start_va = 0xe90000 end_va = 0xe94fff entry_point = 0xe90000 region_type = mapped_file name = "sysmain.dll.mui" filename = "\\Windows\\System32\\en-US\\sysmain.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\sysmain.dll.mui") Region: id = 1369 start_va = 0xec0000 end_va = 0xf3ffff entry_point = 0x0 region_type = private name = "private_0x0000000000ec0000" filename = "" Region: id = 1370 start_va = 0xf40000 end_va = 0x120efff entry_point = 0xf40000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1371 start_va = 0x12c0000 end_va = 0x133ffff entry_point = 0x0 region_type = private name = "private_0x00000000012c0000" filename = "" Region: id = 1372 start_va = 0x1360000 end_va = 0x13dffff entry_point = 0x0 region_type = private name = "private_0x0000000001360000" filename = "" Region: id = 1373 start_va = 0x13e0000 end_va = 0x145ffff entry_point = 0x0 region_type = private name = "private_0x00000000013e0000" filename = "" Region: id = 1374 start_va = 0x14a0000 end_va = 0x151ffff entry_point = 0x0 region_type = private name = "private_0x00000000014a0000" filename = "" Region: id = 1375 start_va = 0x1550000 end_va = 0x15cffff entry_point = 0x0 region_type = private name = "private_0x0000000001550000" filename = "" Region: id = 1376 start_va = 0x15d0000 end_va = 0x164ffff entry_point = 0x0 region_type = private name = "private_0x00000000015d0000" filename = "" Region: id = 1377 start_va = 0x1680000 end_va = 0x16fffff entry_point = 0x0 region_type = private name = "private_0x0000000001680000" filename = "" Region: id = 1378 start_va = 0x1730000 end_va = 0x17affff entry_point = 0x0 region_type = private name = "private_0x0000000001730000" filename = "" Region: id = 1379 start_va = 0x17d0000 end_va = 0x184ffff entry_point = 0x0 region_type = private name = "private_0x00000000017d0000" filename = "" Region: id = 1380 start_va = 0x1850000 end_va = 0x18cffff entry_point = 0x0 region_type = private name = "private_0x0000000001850000" filename = "" Region: id = 1381 start_va = 0x1a10000 end_va = 0x1a8ffff entry_point = 0x0 region_type = private name = "private_0x0000000001a10000" filename = "" Region: id = 1382 start_va = 0x1a90000 end_va = 0x1b8ffff entry_point = 0x0 region_type = private name = "private_0x0000000001a90000" filename = "" Region: id = 1383 start_va = 0x1c00000 end_va = 0x1c7ffff entry_point = 0x0 region_type = private name = "private_0x0000000001c00000" filename = "" Region: id = 1384 start_va = 0x1d10000 end_va = 0x1d8ffff entry_point = 0x0 region_type = private name = "private_0x0000000001d10000" filename = "" Region: id = 1385 start_va = 0x1d90000 end_va = 0x1e8ffff entry_point = 0x0 region_type = private name = "private_0x0000000001d90000" filename = "" Region: id = 1386 start_va = 0x1ed0000 end_va = 0x1f4ffff entry_point = 0x0 region_type = private name = "private_0x0000000001ed0000" filename = "" Region: id = 1387 start_va = 0x1f70000 end_va = 0x1f7ffff entry_point = 0x0 region_type = private name = "private_0x0000000001f70000" filename = "" Region: id = 1388 start_va = 0x1f80000 end_va = 0x207ffff entry_point = 0x0 region_type = private name = "private_0x0000000001f80000" filename = "" Region: id = 1389 start_va = 0x2130000 end_va = 0x213ffff entry_point = 0x0 region_type = private name = "private_0x0000000002130000" filename = "" Region: id = 1390 start_va = 0x2180000 end_va = 0x21fffff entry_point = 0x0 region_type = private name = "private_0x0000000002180000" filename = "" Region: id = 1391 start_va = 0x2200000 end_va = 0x22fffff entry_point = 0x0 region_type = private name = "private_0x0000000002200000" filename = "" Region: id = 1392 start_va = 0x2340000 end_va = 0x234ffff entry_point = 0x0 region_type = private name = "private_0x0000000002340000" filename = "" Region: id = 1393 start_va = 0x23b0000 end_va = 0x242ffff entry_point = 0x0 region_type = private name = "private_0x00000000023b0000" filename = "" Region: id = 1394 start_va = 0x2430000 end_va = 0x252ffff entry_point = 0x0 region_type = private name = "private_0x0000000002430000" filename = "" Region: id = 1395 start_va = 0x2530000 end_va = 0x253ffff entry_point = 0x0 region_type = private name = "private_0x0000000002530000" filename = "" Region: id = 1396 start_va = 0x2590000 end_va = 0x260ffff entry_point = 0x0 region_type = private name = "private_0x0000000002590000" filename = "" Region: id = 1397 start_va = 0x2650000 end_va = 0x265ffff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 1398 start_va = 0x2660000 end_va = 0x275ffff entry_point = 0x0 region_type = private name = "private_0x0000000002660000" filename = "" Region: id = 1399 start_va = 0x27d0000 end_va = 0x27dffff entry_point = 0x0 region_type = private name = "private_0x00000000027d0000" filename = "" Region: id = 1400 start_va = 0x2800000 end_va = 0x280ffff entry_point = 0x0 region_type = private name = "private_0x0000000002800000" filename = "" Region: id = 1401 start_va = 0x2810000 end_va = 0x290ffff entry_point = 0x0 region_type = private name = "private_0x0000000002810000" filename = "" Region: id = 1402 start_va = 0x29f0000 end_va = 0x29fffff entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 1403 start_va = 0x2a00000 end_va = 0x2b33fff entry_point = 0x0 region_type = private name = "private_0x0000000002a00000" filename = "" Region: id = 1404 start_va = 0x2be0000 end_va = 0x2c5ffff entry_point = 0x0 region_type = private name = "private_0x0000000002be0000" filename = "" Region: id = 1405 start_va = 0x2c60000 end_va = 0x345ffff entry_point = 0x0 region_type = private name = "private_0x0000000002c60000" filename = "" Region: id = 1406 start_va = 0x34a0000 end_va = 0x351ffff entry_point = 0x0 region_type = private name = "private_0x00000000034a0000" filename = "" Region: id = 1407 start_va = 0x3a50000 end_va = 0x3c4ffff entry_point = 0x0 region_type = private name = "private_0x0000000003a50000" filename = "" Region: id = 1408 start_va = 0x3c50000 end_va = 0x404ffff entry_point = 0x0 region_type = private name = "private_0x0000000003c50000" filename = "" Region: id = 1409 start_va = 0x4050000 end_va = 0x484ffff entry_point = 0x0 region_type = private name = "private_0x0000000004050000" filename = "" Region: id = 1410 start_va = 0x4850000 end_va = 0x581ffff entry_point = 0x0 region_type = private name = "private_0x0000000004850000" filename = "" Region: id = 1411 start_va = 0x5820000 end_va = 0x67effff entry_point = 0x0 region_type = private name = "private_0x0000000005820000" filename = "" Region: id = 1412 start_va = 0x73f90000 end_va = 0x73f92fff entry_point = 0x73f90000 region_type = mapped_file name = "sfc.dll" filename = "\\Windows\\System32\\sfc.dll" (normalized: "c:\\windows\\system32\\sfc.dll") Region: id = 1413 start_va = 0x77640000 end_va = 0x77739fff entry_point = 0x77640000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1414 start_va = 0x77740000 end_va = 0x7785efff entry_point = 0x77740000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1415 start_va = 0x77860000 end_va = 0x77a08fff entry_point = 0x77860000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1416 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 1417 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 1418 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1419 start_va = 0xfff20000 end_va = 0xfff2afff entry_point = 0xfff20000 region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 1420 start_va = 0x7fef62d0000 end_va = 0x7fef630efff entry_point = 0x7fef62d0000 region_type = mapped_file name = "cscobj.dll" filename = "\\Windows\\System32\\cscobj.dll" (normalized: "c:\\windows\\system32\\cscobj.dll") Region: id = 1421 start_va = 0x7fef6310000 end_va = 0x7fef6371fff entry_point = 0x7fef6310000 region_type = mapped_file name = "rasapi32.dll" filename = "\\Windows\\System32\\rasapi32.dll" (normalized: "c:\\windows\\system32\\rasapi32.dll") Region: id = 1422 start_va = 0x7fef6380000 end_va = 0x7fef6457fff entry_point = 0x7fef6380000 region_type = mapped_file name = "rasdlg.dll" filename = "\\Windows\\System32\\rasdlg.dll" (normalized: "c:\\windows\\system32\\rasdlg.dll") Region: id = 1423 start_va = 0x7fef6620000 end_va = 0x7fef68aafff entry_point = 0x7fef6620000 region_type = mapped_file name = "netshell.dll" filename = "\\Windows\\System32\\netshell.dll" (normalized: "c:\\windows\\system32\\netshell.dll") Region: id = 1424 start_va = 0x7fef69b0000 end_va = 0x7fef69bbfff entry_point = 0x7fef69b0000 region_type = mapped_file name = "apphlpdm.dll" filename = "\\Windows\\System32\\Apphlpdm.dll" (normalized: "c:\\windows\\system32\\apphlpdm.dll") Region: id = 1425 start_va = 0x7fef69c0000 end_va = 0x7fef69d6fff entry_point = 0x7fef69c0000 region_type = mapped_file name = "portabledeviceconnectapi.dll" filename = "\\Windows\\System32\\PortableDeviceConnectApi.dll" (normalized: "c:\\windows\\system32\\portabledeviceconnectapi.dll") Region: id = 1426 start_va = 0x7fef6b10000 end_va = 0x7fef6bccfff entry_point = 0x7fef6b10000 region_type = mapped_file name = "portabledeviceapi.dll" filename = "\\Windows\\System32\\PortableDeviceApi.dll" (normalized: "c:\\windows\\system32\\portabledeviceapi.dll") Region: id = 1427 start_va = 0x7fef6bd0000 end_va = 0x7fef6bf0fff entry_point = 0x7fef6bd0000 region_type = mapped_file name = "wpdbusenum.dll" filename = "\\Windows\\System32\\wpdbusenum.dll" (normalized: "c:\\windows\\system32\\wpdbusenum.dll") Region: id = 1428 start_va = 0x7fef6df0000 end_va = 0x7fef6e5afff entry_point = 0x7fef6df0000 region_type = mapped_file name = "hnetcfg.dll" filename = "\\Windows\\System32\\hnetcfg.dll" (normalized: "c:\\windows\\system32\\hnetcfg.dll") Region: id = 1429 start_va = 0x7fef7070000 end_va = 0x7fef7083fff entry_point = 0x7fef7070000 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\System32\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemsvc.dll") Region: id = 1430 start_va = 0x7fef72d0000 end_va = 0x7fef7353fff entry_point = 0x7fef72d0000 region_type = mapped_file name = "netcfgx.dll" filename = "\\Windows\\System32\\netcfgx.dll" (normalized: "c:\\windows\\system32\\netcfgx.dll") Region: id = 1431 start_va = 0x7fef7370000 end_va = 0x7fef737efff entry_point = 0x7fef7370000 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll") Region: id = 1432 start_va = 0x7fef7380000 end_va = 0x7fef73a6fff entry_point = 0x7fef7380000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 1433 start_va = 0x7fef73b0000 end_va = 0x7fef7491fff entry_point = 0x7fef73b0000 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\System32\\wbem\\fastprox.dll" (normalized: "c:\\windows\\system32\\wbem\\fastprox.dll") Region: id = 1434 start_va = 0x7fef7690000 end_va = 0x7fef7715fff entry_point = 0x7fef7690000 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\System32\\wbemcomn.dll" (normalized: "c:\\windows\\system32\\wbemcomn.dll") Region: id = 1435 start_va = 0x7fef7760000 end_va = 0x7fef7781fff entry_point = 0x7fef7760000 region_type = mapped_file name = "trkwks.dll" filename = "\\Windows\\System32\\trkwks.dll" (normalized: "c:\\windows\\system32\\trkwks.dll") Region: id = 1436 start_va = 0x7fef7790000 end_va = 0x7fef793dfff entry_point = 0x7fef7790000 region_type = mapped_file name = "sysmain.dll" filename = "\\Windows\\System32\\sysmain.dll" (normalized: "c:\\windows\\system32\\sysmain.dll") Region: id = 1437 start_va = 0x7fef7b60000 end_va = 0x7fef7b78fff entry_point = 0x7fef7b60000 region_type = mapped_file name = "wdi.dll" filename = "\\Windows\\System32\\wdi.dll" (normalized: "c:\\windows\\system32\\wdi.dll") Region: id = 1438 start_va = 0x7fef7b80000 end_va = 0x7fef7b8ffff entry_point = 0x7fef7b80000 region_type = mapped_file name = "sfc_os.dll" filename = "\\Windows\\System32\\sfc_os.dll" (normalized: "c:\\windows\\system32\\sfc_os.dll") Region: id = 1439 start_va = 0x7fef7b90000 end_va = 0x7fef7ba1fff entry_point = 0x7fef7b90000 region_type = mapped_file name = "aepic.dll" filename = "\\Windows\\System32\\aepic.dll" (normalized: "c:\\windows\\system32\\aepic.dll") Region: id = 1440 start_va = 0x7fef7bb0000 end_va = 0x7fef7be1fff entry_point = 0x7fef7bb0000 region_type = mapped_file name = "pcasvc.dll" filename = "\\Windows\\System32\\pcasvc.dll" (normalized: "c:\\windows\\system32\\pcasvc.dll") Region: id = 1441 start_va = 0x7fef8460000 end_va = 0x7fef84bbfff entry_point = 0x7fef8460000 region_type = mapped_file name = "netman.dll" filename = "\\Windows\\System32\\netman.dll" (normalized: "c:\\windows\\system32\\netman.dll") Region: id = 1442 start_va = 0x7fef8860000 end_va = 0x7fef88dbfff entry_point = 0x7fef8860000 region_type = mapped_file name = "wer.dll" filename = "\\Windows\\System32\\wer.dll" (normalized: "c:\\windows\\system32\\wer.dll") Region: id = 1443 start_va = 0x7fefa6c0000 end_va = 0x7fefa716fff entry_point = 0x7fefa6c0000 region_type = mapped_file name = "apphelp.dll" filename = "\\Windows\\System32\\apphelp.dll" (normalized: "c:\\windows\\system32\\apphelp.dll") Region: id = 1444 start_va = 0x7fefae70000 end_va = 0x7fefae8bfff entry_point = 0x7fefae70000 region_type = mapped_file name = "rasman.dll" filename = "\\Windows\\System32\\rasman.dll" (normalized: "c:\\windows\\system32\\rasman.dll") Region: id = 1445 start_va = 0x7fefb130000 end_va = 0x7fefb13afff entry_point = 0x7fefb130000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 1446 start_va = 0x7fefb140000 end_va = 0x7fefb166fff entry_point = 0x7fefb140000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 1447 start_va = 0x7fefb190000 end_va = 0x7fefb19ffff entry_point = 0x7fefb190000 region_type = mapped_file name = "uxsms.dll" filename = "\\Windows\\System32\\uxsms.dll" (normalized: "c:\\windows\\system32\\uxsms.dll") Region: id = 1448 start_va = 0x7fefb230000 end_va = 0x7fefb23afff entry_point = 0x7fefb230000 region_type = mapped_file name = "slc.dll" filename = "\\Windows\\System32\\slc.dll" (normalized: "c:\\windows\\system32\\slc.dll") Region: id = 1449 start_va = 0x7fefb240000 end_va = 0x7fefb24bfff entry_point = 0x7fefb240000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 1450 start_va = 0x7fefb260000 end_va = 0x7fefb278fff entry_point = 0x7fefb260000 region_type = mapped_file name = "atl.dll" filename = "\\Windows\\System32\\atl.dll" (normalized: "c:\\windows\\system32\\atl.dll") Region: id = 1451 start_va = 0x7fefb2c0000 end_va = 0x7fefb2fcfff entry_point = 0x7fefb2c0000 region_type = mapped_file name = "mstask.dll" filename = "\\Windows\\System32\\mstask.dll" (normalized: "c:\\windows\\system32\\mstask.dll") Region: id = 1452 start_va = 0x7fefb300000 end_va = 0x7fefb314fff entry_point = 0x7fefb300000 region_type = mapped_file name = "nlaapi.dll" filename = "\\Windows\\System32\\nlaapi.dll" (normalized: "c:\\windows\\system32\\nlaapi.dll") Region: id = 1453 start_va = 0x7fefb3f0000 end_va = 0x7fefb516fff entry_point = 0x7fefb3f0000 region_type = mapped_file name = "taskschd.dll" filename = "\\Windows\\System32\\taskschd.dll" (normalized: "c:\\windows\\system32\\taskschd.dll") Region: id = 1454 start_va = 0x7fefb520000 end_va = 0x7fefb54ffff entry_point = 0x7fefb520000 region_type = mapped_file name = "peerdist.dll" filename = "\\Windows\\System32\\PeerDist.dll" (normalized: "c:\\windows\\system32\\peerdist.dll") Region: id = 1455 start_va = 0x7fefb550000 end_va = 0x7fefb5fbfff entry_point = 0x7fefb550000 region_type = mapped_file name = "cscsvc.dll" filename = "\\Windows\\System32\\cscsvc.dll" (normalized: "c:\\windows\\system32\\cscsvc.dll") Region: id = 1456 start_va = 0x7fefb620000 end_va = 0x7fefb659fff entry_point = 0x7fefb620000 region_type = mapped_file name = "mprapi.dll" filename = "\\Windows\\System32\\mprapi.dll" (normalized: "c:\\windows\\system32\\mprapi.dll") Region: id = 1457 start_va = 0x7fefb740000 end_va = 0x7fefb750fff entry_point = 0x7fefb740000 region_type = mapped_file name = "rtutils.dll" filename = "\\Windows\\System32\\rtutils.dll" (normalized: "c:\\windows\\system32\\rtutils.dll") Region: id = 1458 start_va = 0x7fefba10000 end_va = 0x7fefba20fff entry_point = 0x7fefba10000 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 1459 start_va = 0x7fefbb70000 end_va = 0x7fefbba4fff entry_point = 0x7fefbb70000 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\System32\\xmllite.dll" (normalized: "c:\\windows\\system32\\xmllite.dll") Region: id = 1460 start_va = 0x7fefc040000 end_va = 0x7fefc233fff entry_point = 0x7fefc040000 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\\comctl32.dll") Region: id = 1461 start_va = 0x7fefc530000 end_va = 0x7fefc538fff entry_point = 0x7fefc530000 region_type = mapped_file name = "avrt.dll" filename = "\\Windows\\System32\\avrt.dll" (normalized: "c:\\windows\\system32\\avrt.dll") Region: id = 1462 start_va = 0x7fefc540000 end_va = 0x7fefc66bfff entry_point = 0x7fefc540000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 1463 start_va = 0x7fefc670000 end_va = 0x7fefc6bafff entry_point = 0x7fefc670000 region_type = mapped_file name = "mmdevapi.dll" filename = "\\Windows\\System32\\MMDevAPI.dll" (normalized: "c:\\windows\\system32\\mmdevapi.dll") Region: id = 1464 start_va = 0x7fefc6c0000 end_va = 0x7fefc6ebfff entry_point = 0x7fefc6c0000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 1465 start_va = 0x7fefc6f0000 end_va = 0x7fefc79bfff entry_point = 0x7fefc6f0000 region_type = mapped_file name = "audiosrv.dll" filename = "\\Windows\\System32\\audiosrv.dll" (normalized: "c:\\windows\\system32\\audiosrv.dll") Region: id = 1466 start_va = 0x7fefc7a0000 end_va = 0x7fefc7ccfff entry_point = 0x7fefc7a0000 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 1467 start_va = 0x7fefc970000 end_va = 0x7fefc97bfff entry_point = 0x7fefc970000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 1468 start_va = 0x7fefcb30000 end_va = 0x7fefcb4afff entry_point = 0x7fefcb30000 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll") Region: id = 1469 start_va = 0x7fefcb50000 end_va = 0x7fefcb6dfff entry_point = 0x7fefcb50000 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 1470 start_va = 0x7fefcb70000 end_va = 0x7fefcb81fff entry_point = 0x7fefcb70000 region_type = mapped_file name = "devrtl.dll" filename = "\\Windows\\System32\\devrtl.dll" (normalized: "c:\\windows\\system32\\devrtl.dll") Region: id = 1471 start_va = 0x7fefcca0000 end_va = 0x7fefcca9fff entry_point = 0x7fefcca0000 region_type = mapped_file name = "credssp.dll" filename = "\\Windows\\System32\\credssp.dll" (normalized: "c:\\windows\\system32\\credssp.dll") Region: id = 1472 start_va = 0x7fefccb0000 end_va = 0x7fefccbcfff entry_point = 0x7fefccb0000 region_type = mapped_file name = "pcwum.dll" filename = "\\Windows\\System32\\pcwum.dll" (normalized: "c:\\windows\\system32\\pcwum.dll") Region: id = 1473 start_va = 0x7fefcda0000 end_va = 0x7fefcde6fff entry_point = 0x7fefcda0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 1474 start_va = 0x7fefd0a0000 end_va = 0x7fefd0b6fff entry_point = 0x7fefd0a0000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 1475 start_va = 0x7fefd290000 end_va = 0x7fefd2befff entry_point = 0x7fefd290000 region_type = mapped_file name = "authz.dll" filename = "\\Windows\\System32\\authz.dll" (normalized: "c:\\windows\\system32\\authz.dll") Region: id = 1476 start_va = 0x7fefd2d0000 end_va = 0x7fefd33cfff entry_point = 0x7fefd2d0000 region_type = mapped_file name = "wevtapi.dll" filename = "\\Windows\\System32\\wevtapi.dll" (normalized: "c:\\windows\\system32\\wevtapi.dll") Region: id = 1477 start_va = 0x7fefd640000 end_va = 0x7fefd64afff entry_point = 0x7fefd640000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 1478 start_va = 0x7fefd670000 end_va = 0x7fefd694fff entry_point = 0x7fefd670000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 1479 start_va = 0x7fefd6a0000 end_va = 0x7fefd6aefff entry_point = 0x7fefd6a0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 1480 start_va = 0x7fefd750000 end_va = 0x7fefd78cfff entry_point = 0x7fefd750000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 1481 start_va = 0x7fefd790000 end_va = 0x7fefd7a3fff entry_point = 0x7fefd790000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 1482 start_va = 0x7fefd7b0000 end_va = 0x7fefd7befff entry_point = 0x7fefd7b0000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 1483 start_va = 0x7fefd850000 end_va = 0x7fefd85efff entry_point = 0x7fefd850000 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 1484 start_va = 0x7fefd900000 end_va = 0x7fefd96afff entry_point = 0x7fefd900000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1485 start_va = 0x7fefd970000 end_va = 0x7fefd989fff entry_point = 0x7fefd970000 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 1486 start_va = 0x7fefd990000 end_va = 0x7fefdaf6fff entry_point = 0x7fefd990000 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 1487 start_va = 0x7fefdb00000 end_va = 0x7fefdb35fff entry_point = 0x7fefdb00000 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 1488 start_va = 0x7fefdb40000 end_va = 0x7fefdb79fff entry_point = 0x7fefdb40000 region_type = mapped_file name = "wintrust.dll" filename = "\\Windows\\System32\\wintrust.dll" (normalized: "c:\\windows\\system32\\wintrust.dll") Region: id = 1489 start_va = 0x7fefdb80000 end_va = 0x7fefdc48fff entry_point = 0x7fefdb80000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 1490 start_va = 0x7fefdc50000 end_va = 0x7fefdd26fff entry_point = 0x7fefdc50000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 1491 start_va = 0x7fefdd30000 end_va = 0x7fefdd3dfff entry_point = 0x7fefdd30000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 1492 start_va = 0x7fefdd40000 end_va = 0x7fefdd6dfff entry_point = 0x7fefdd40000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1493 start_va = 0x7fefdef0000 end_va = 0x7fefdef7fff entry_point = 0x7fefdef0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 1494 start_va = 0x7fefdf00000 end_va = 0x7fefec87fff entry_point = 0x7fefdf00000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 1495 start_va = 0x7fefed10000 end_va = 0x7fefed76fff entry_point = 0x7fefed10000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1496 start_va = 0x7fefed80000 end_va = 0x7fefee88fff entry_point = 0x7fefed80000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 1497 start_va = 0x7feff0f0000 end_va = 0x7feff1cafff entry_point = 0x7feff0f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 1498 start_va = 0x7feff1d0000 end_va = 0x7feff2fcfff entry_point = 0x7feff1d0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1499 start_va = 0x7feff300000 end_va = 0x7feff4d6fff entry_point = 0x7feff300000 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll") Region: id = 1500 start_va = 0x7feff4e0000 end_va = 0x7feff550fff entry_point = 0x7feff4e0000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 1501 start_va = 0x7feff560000 end_va = 0x7feff5f8fff entry_point = 0x7feff560000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 1502 start_va = 0x7feff600000 end_va = 0x7feff651fff entry_point = 0x7feff600000 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll") Region: id = 1503 start_va = 0x7feff850000 end_va = 0x7feff86efff entry_point = 0x7feff850000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1504 start_va = 0x7feff870000 end_va = 0x7feffa72fff entry_point = 0x7feff870000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 1505 start_va = 0x7feffa80000 end_va = 0x7feffb1efff entry_point = 0x7feffa80000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1506 start_va = 0x7feffb20000 end_va = 0x7feffb6cfff entry_point = 0x7feffb20000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 1507 start_va = 0x7feffb80000 end_va = 0x7feffb80fff entry_point = 0x7feffb80000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 1508 start_va = 0x7fffff88000 end_va = 0x7fffff89fff entry_point = 0x0 region_type = private name = "private_0x000007fffff88000" filename = "" Region: id = 1509 start_va = 0x7fffff8a000 end_va = 0x7fffff8bfff entry_point = 0x0 region_type = private name = "private_0x000007fffff8a000" filename = "" Region: id = 1510 start_va = 0x7fffff8c000 end_va = 0x7fffff8dfff entry_point = 0x0 region_type = private name = "private_0x000007fffff8c000" filename = "" Region: id = 1511 start_va = 0x7fffff8e000 end_va = 0x7fffff8ffff entry_point = 0x0 region_type = private name = "private_0x000007fffff8e000" filename = "" Region: id = 1512 start_va = 0x7fffff90000 end_va = 0x7fffff91fff entry_point = 0x0 region_type = private name = "private_0x000007fffff90000" filename = "" Region: id = 1513 start_va = 0x7fffff92000 end_va = 0x7fffff93fff entry_point = 0x0 region_type = private name = "private_0x000007fffff92000" filename = "" Region: id = 1514 start_va = 0x7fffff94000 end_va = 0x7fffff95fff entry_point = 0x0 region_type = private name = "private_0x000007fffff94000" filename = "" Region: id = 1515 start_va = 0x7fffff96000 end_va = 0x7fffff97fff entry_point = 0x0 region_type = private name = "private_0x000007fffff96000" filename = "" Region: id = 1516 start_va = 0x7fffff98000 end_va = 0x7fffff99fff entry_point = 0x0 region_type = private name = "private_0x000007fffff98000" filename = "" Region: id = 1517 start_va = 0x7fffff9a000 end_va = 0x7fffff9bfff entry_point = 0x0 region_type = private name = "private_0x000007fffff9a000" filename = "" Region: id = 1518 start_va = 0x7fffff9e000 end_va = 0x7fffff9ffff entry_point = 0x0 region_type = private name = "private_0x000007fffff9e000" filename = "" Region: id = 1519 start_va = 0x7fffffa0000 end_va = 0x7fffffa1fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa0000" filename = "" Region: id = 1520 start_va = 0x7fffffa2000 end_va = 0x7fffffa3fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa2000" filename = "" Region: id = 1521 start_va = 0x7fffffa4000 end_va = 0x7fffffa5fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa4000" filename = "" Region: id = 1522 start_va = 0x7fffffa6000 end_va = 0x7fffffa7fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa6000" filename = "" Region: id = 1523 start_va = 0x7fffffa8000 end_va = 0x7fffffa9fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa8000" filename = "" Region: id = 1524 start_va = 0x7fffffaa000 end_va = 0x7fffffabfff entry_point = 0x0 region_type = private name = "private_0x000007fffffaa000" filename = "" Region: id = 1525 start_va = 0x7fffffac000 end_va = 0x7fffffadfff entry_point = 0x0 region_type = private name = "private_0x000007fffffac000" filename = "" Region: id = 1526 start_va = 0x7fffffae000 end_va = 0x7fffffaffff entry_point = 0x0 region_type = private name = "private_0x000007fffffae000" filename = "" Region: id = 1527 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 1528 start_va = 0x7fffffd4000 end_va = 0x7fffffd5fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd4000" filename = "" Region: id = 1529 start_va = 0x7fffffd6000 end_va = 0x7fffffd7fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd6000" filename = "" Region: id = 1530 start_va = 0x7fffffd8000 end_va = 0x7fffffd8fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd8000" filename = "" Region: id = 1531 start_va = 0x7fffffda000 end_va = 0x7fffffdbfff entry_point = 0x0 region_type = private name = "private_0x000007fffffda000" filename = "" Region: id = 1532 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 1533 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Thread: id = 136 os_tid = 0x734 Thread: id = 137 os_tid = 0x274 Thread: id = 138 os_tid = 0x5a8 Thread: id = 139 os_tid = 0x784 Thread: id = 140 os_tid = 0x764 Thread: id = 141 os_tid = 0x760 Thread: id = 142 os_tid = 0x650 Thread: id = 143 os_tid = 0x640 Thread: id = 144 os_tid = 0x15c Thread: id = 145 os_tid = 0x120 Thread: id = 146 os_tid = 0x3f4 Thread: id = 147 os_tid = 0x3f0 Thread: id = 148 os_tid = 0x3e8 Thread: id = 149 os_tid = 0x3e4 Thread: id = 150 os_tid = 0x3d4 Thread: id = 151 os_tid = 0x3d0 Thread: id = 152 os_tid = 0x39c Thread: id = 153 os_tid = 0x398 Thread: id = 154 os_tid = 0x388 Thread: id = 155 os_tid = 0x378 Thread: id = 156 os_tid = 0x338 Thread: id = 157 os_tid = 0x330 Thread: id = 158 os_tid = 0x318 Thread: id = 159 os_tid = 0x314 Thread: id = 430 os_tid = 0x7c0 Thread: id = 453 os_tid = 0x8ec Process: id = "10" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x2af81000" os_pid = "0x350" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "5" os_parent_pid = "0x1d4" cmd_line = "C:\\Windows\\system32\\svchost.exe -k netsvcs" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xa], "NT SERVICE\\BITS" [0xa], "NT SERVICE\\CertPropSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\hkmsvc" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xa], "NT SERVICE\\LanmanServer" [0xa], "NT SERVICE\\MMCSS" [0xe], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\RasMan" [0xa], "NT SERVICE\\RemoteAccess" [0xa], "NT SERVICE\\Schedule" [0xa], "NT SERVICE\\SCPolicySvc" [0xa], "NT SERVICE\\SENS" [0xa], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xa], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xa], "NT SERVICE\\wuauserv" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000bd1a" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Region: id = 475 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 476 start_va = 0x20000 end_va = 0x26fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 477 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 478 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 479 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 480 start_va = 0xc0000 end_va = 0xc1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 481 start_va = 0xd0000 end_va = 0xd0fff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 482 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 483 start_va = 0xf0000 end_va = 0x16ffff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 484 start_va = 0x170000 end_va = 0x1effff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 485 start_va = 0x1f0000 end_va = 0x1fffff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 486 start_va = 0x200000 end_va = 0x200fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000200000" filename = "" Region: id = 487 start_va = 0x210000 end_va = 0x210fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000210000" filename = "" Region: id = 488 start_va = 0x220000 end_va = 0x220fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000220000" filename = "" Region: id = 489 start_va = 0x230000 end_va = 0x230fff entry_point = 0x0 region_type = private name = "private_0x0000000000230000" filename = "" Region: id = 490 start_va = 0x240000 end_va = 0x241fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000240000" filename = "" Region: id = 491 start_va = 0x250000 end_va = 0x253fff entry_point = 0x250000 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 492 start_va = 0x260000 end_va = 0x261fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000260000" filename = "" Region: id = 493 start_va = 0x270000 end_va = 0x273fff entry_point = 0x270000 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 494 start_va = 0x280000 end_va = 0x37ffff entry_point = 0x0 region_type = private name = "private_0x0000000000280000" filename = "" Region: id = 495 start_va = 0x380000 end_va = 0x47ffff entry_point = 0x0 region_type = private name = "private_0x0000000000380000" filename = "" Region: id = 496 start_va = 0x480000 end_va = 0x607fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000480000" filename = "" Region: id = 497 start_va = 0x610000 end_va = 0x790fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000610000" filename = "" Region: id = 498 start_va = 0x7a0000 end_va = 0x85ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007a0000" filename = "" Region: id = 499 start_va = 0x860000 end_va = 0xc52fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000860000" filename = "" Region: id = 500 start_va = 0xc60000 end_va = 0xc8ffff entry_point = 0xc60000 region_type = mapped_file name = "{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000012.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000012.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000012.db") Region: id = 501 start_va = 0xc90000 end_va = 0xc9ffff entry_point = 0x0 region_type = private name = "private_0x0000000000c90000" filename = "" Region: id = 502 start_va = 0xca0000 end_va = 0xd1ffff entry_point = 0x0 region_type = private name = "private_0x0000000000ca0000" filename = "" Region: id = 503 start_va = 0xd20000 end_va = 0xd9ffff entry_point = 0x0 region_type = private name = "private_0x0000000000d20000" filename = "" Region: id = 504 start_va = 0xda0000 end_va = 0xda0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000da0000" filename = "" Region: id = 505 start_va = 0xdb0000 end_va = 0xe2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000db0000" filename = "" Region: id = 506 start_va = 0xe30000 end_va = 0xe30fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e30000" filename = "" Region: id = 507 start_va = 0xe40000 end_va = 0xe4ffff entry_point = 0x0 region_type = private name = "private_0x0000000000e40000" filename = "" Region: id = 508 start_va = 0xe50000 end_va = 0xecffff entry_point = 0x0 region_type = private name = "private_0x0000000000e50000" filename = "" Region: id = 509 start_va = 0xed0000 end_va = 0xedffff entry_point = 0x0 region_type = private name = "private_0x0000000000ed0000" filename = "" Region: id = 510 start_va = 0xee0000 end_va = 0xf5ffff entry_point = 0x0 region_type = private name = "private_0x0000000000ee0000" filename = "" Region: id = 511 start_va = 0xf60000 end_va = 0x122efff entry_point = 0xf60000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 512 start_va = 0x1230000 end_va = 0x124bfff entry_point = 0x1230000 region_type = mapped_file name = "firewallapi.dll.mui" filename = "\\Windows\\System32\\en-US\\FirewallAPI.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\firewallapi.dll.mui") Region: id = 513 start_va = 0x1290000 end_va = 0x130ffff entry_point = 0x0 region_type = private name = "private_0x0000000001290000" filename = "" Region: id = 514 start_va = 0x1320000 end_va = 0x139ffff entry_point = 0x0 region_type = private name = "private_0x0000000001320000" filename = "" Region: id = 515 start_va = 0x13a0000 end_va = 0x141ffff entry_point = 0x0 region_type = private name = "private_0x00000000013a0000" filename = "" Region: id = 516 start_va = 0x1460000 end_va = 0x14dffff entry_point = 0x0 region_type = private name = "private_0x0000000001460000" filename = "" Region: id = 517 start_va = 0x1530000 end_va = 0x15affff entry_point = 0x0 region_type = private name = "private_0x0000000001530000" filename = "" Region: id = 518 start_va = 0x15b0000 end_va = 0x1615fff entry_point = 0x15b0000 region_type = mapped_file name = "{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db") Region: id = 519 start_va = 0x1620000 end_va = 0x169ffff entry_point = 0x0 region_type = private name = "private_0x0000000001620000" filename = "" Region: id = 520 start_va = 0x1710000 end_va = 0x178ffff entry_point = 0x0 region_type = private name = "private_0x0000000001710000" filename = "" Region: id = 521 start_va = 0x17b0000 end_va = 0x182ffff entry_point = 0x0 region_type = private name = "private_0x00000000017b0000" filename = "" Region: id = 522 start_va = 0x1830000 end_va = 0x18affff entry_point = 0x0 region_type = private name = "private_0x0000000001830000" filename = "" Region: id = 523 start_va = 0x18d0000 end_va = 0x194ffff entry_point = 0x0 region_type = private name = "private_0x00000000018d0000" filename = "" Region: id = 524 start_va = 0x1950000 end_va = 0x19cffff entry_point = 0x0 region_type = private name = "private_0x0000000001950000" filename = "" Region: id = 525 start_va = 0x1a00000 end_va = 0x1a7ffff entry_point = 0x0 region_type = private name = "private_0x0000000001a00000" filename = "" Region: id = 526 start_va = 0x1aa0000 end_va = 0x1b1ffff entry_point = 0x0 region_type = private name = "private_0x0000000001aa0000" filename = "" Region: id = 527 start_va = 0x1b80000 end_va = 0x1bfffff entry_point = 0x0 region_type = private name = "private_0x0000000001b80000" filename = "" Region: id = 528 start_va = 0x1c30000 end_va = 0x1caffff entry_point = 0x0 region_type = private name = "private_0x0000000001c30000" filename = "" Region: id = 529 start_va = 0x1cd0000 end_va = 0x1d4ffff entry_point = 0x0 region_type = private name = "private_0x0000000001cd0000" filename = "" Region: id = 530 start_va = 0x1d90000 end_va = 0x1e0ffff entry_point = 0x0 region_type = private name = "private_0x0000000001d90000" filename = "" Region: id = 531 start_va = 0x1e10000 end_va = 0x1f0ffff entry_point = 0x0 region_type = private name = "private_0x0000000001e10000" filename = "" Region: id = 532 start_va = 0x1f30000 end_va = 0x1faffff entry_point = 0x0 region_type = private name = "private_0x0000000001f30000" filename = "" Region: id = 533 start_va = 0x1fb0000 end_va = 0x22f2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001fb0000" filename = "" Region: id = 534 start_va = 0x2310000 end_va = 0x238ffff entry_point = 0x0 region_type = private name = "private_0x0000000002310000" filename = "" Region: id = 535 start_va = 0x23b0000 end_va = 0x242ffff entry_point = 0x0 region_type = private name = "private_0x00000000023b0000" filename = "" Region: id = 536 start_va = 0x2430000 end_va = 0x24affff entry_point = 0x0 region_type = private name = "private_0x0000000002430000" filename = "" Region: id = 537 start_va = 0x24d0000 end_va = 0x254ffff entry_point = 0x0 region_type = private name = "private_0x00000000024d0000" filename = "" Region: id = 538 start_va = 0x2550000 end_va = 0x25cffff entry_point = 0x0 region_type = private name = "private_0x0000000002550000" filename = "" Region: id = 539 start_va = 0x25d0000 end_va = 0x264ffff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 540 start_va = 0x2670000 end_va = 0x26effff entry_point = 0x0 region_type = private name = "private_0x0000000002670000" filename = "" Region: id = 541 start_va = 0x27b0000 end_va = 0x282ffff entry_point = 0x0 region_type = private name = "private_0x00000000027b0000" filename = "" Region: id = 542 start_va = 0x29b0000 end_va = 0x2a2ffff entry_point = 0x0 region_type = private name = "private_0x00000000029b0000" filename = "" Region: id = 543 start_va = 0x2a80000 end_va = 0x2afffff entry_point = 0x0 region_type = private name = "private_0x0000000002a80000" filename = "" Region: id = 544 start_va = 0x2bd0000 end_va = 0x2c4ffff entry_point = 0x0 region_type = private name = "private_0x0000000002bd0000" filename = "" Region: id = 545 start_va = 0x2cd0000 end_va = 0x2dcffff entry_point = 0x0 region_type = private name = "private_0x0000000002cd0000" filename = "" Region: id = 546 start_va = 0x2e30000 end_va = 0x2e3ffff entry_point = 0x0 region_type = private name = "private_0x0000000002e30000" filename = "" Region: id = 547 start_va = 0x2e40000 end_va = 0x2f3ffff entry_point = 0x0 region_type = private name = "private_0x0000000002e40000" filename = "" Region: id = 548 start_va = 0x2f40000 end_va = 0x303ffff entry_point = 0x0 region_type = private name = "private_0x0000000002f40000" filename = "" Region: id = 549 start_va = 0x31a0000 end_va = 0x321ffff entry_point = 0x0 region_type = private name = "private_0x00000000031a0000" filename = "" Region: id = 550 start_va = 0x3300000 end_va = 0x337ffff entry_point = 0x0 region_type = private name = "private_0x0000000003300000" filename = "" Region: id = 551 start_va = 0x3470000 end_va = 0x34effff entry_point = 0x0 region_type = private name = "private_0x0000000003470000" filename = "" Region: id = 552 start_va = 0x34f0000 end_va = 0x356ffff entry_point = 0x0 region_type = private name = "private_0x00000000034f0000" filename = "" Region: id = 553 start_va = 0x35a0000 end_va = 0x361ffff entry_point = 0x0 region_type = private name = "private_0x00000000035a0000" filename = "" Region: id = 554 start_va = 0x3670000 end_va = 0x36effff entry_point = 0x0 region_type = private name = "private_0x0000000003670000" filename = "" Region: id = 555 start_va = 0x36f0000 end_va = 0x37effff entry_point = 0x0 region_type = private name = "private_0x00000000036f0000" filename = "" Region: id = 556 start_va = 0x37f0000 end_va = 0x38effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000037f0000" filename = "" Region: id = 557 start_va = 0x38f0000 end_va = 0x396ffff entry_point = 0x0 region_type = private name = "private_0x00000000038f0000" filename = "" Region: id = 558 start_va = 0x3980000 end_va = 0x39fffff entry_point = 0x0 region_type = private name = "private_0x0000000003980000" filename = "" Region: id = 559 start_va = 0x3a30000 end_va = 0x3aaffff entry_point = 0x0 region_type = private name = "private_0x0000000003a30000" filename = "" Region: id = 560 start_va = 0x3b60000 end_va = 0x3bdffff entry_point = 0x0 region_type = private name = "private_0x0000000003b60000" filename = "" Region: id = 561 start_va = 0x3c00000 end_va = 0x3c7ffff entry_point = 0x0 region_type = private name = "private_0x0000000003c00000" filename = "" Region: id = 562 start_va = 0x3c80000 end_va = 0x3e7ffff entry_point = 0x0 region_type = private name = "private_0x0000000003c80000" filename = "" Region: id = 563 start_va = 0x3f00000 end_va = 0x3f7ffff entry_point = 0x0 region_type = private name = "private_0x0000000003f00000" filename = "" Region: id = 564 start_va = 0x4130000 end_va = 0x41affff entry_point = 0x0 region_type = private name = "private_0x0000000004130000" filename = "" Region: id = 565 start_va = 0x41e0000 end_va = 0x425ffff entry_point = 0x0 region_type = private name = "private_0x00000000041e0000" filename = "" Region: id = 566 start_va = 0x77640000 end_va = 0x77739fff entry_point = 0x77640000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 567 start_va = 0x77740000 end_va = 0x7785efff entry_point = 0x77740000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 568 start_va = 0x77860000 end_va = 0x77a08fff entry_point = 0x77860000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 569 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 570 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 571 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 572 start_va = 0xfff20000 end_va = 0xfff2afff entry_point = 0xfff20000 region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 573 start_va = 0x7fef4a40000 end_va = 0x7fef4a81fff entry_point = 0x7fef4a40000 region_type = mapped_file name = "tcpipcfg.dll" filename = "\\Windows\\System32\\tcpipcfg.dll" (normalized: "c:\\windows\\system32\\tcpipcfg.dll") Region: id = 574 start_va = 0x7fef4a90000 end_va = 0x7fef4aa9fff entry_point = 0x7fef4a90000 region_type = mapped_file name = "rascfg.dll" filename = "\\Windows\\System32\\rascfg.dll" (normalized: "c:\\windows\\system32\\rascfg.dll") Region: id = 575 start_va = 0x7fef69e0000 end_va = 0x7fef69ebfff entry_point = 0x7fef69e0000 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\System32\\npmproxy.dll" (normalized: "c:\\windows\\system32\\npmproxy.dll") Region: id = 576 start_va = 0x7fef6d60000 end_va = 0x7fef6d67fff entry_point = 0x7fef6d60000 region_type = mapped_file name = "rasadhlp.dll" filename = "\\Windows\\System32\\rasadhlp.dll" (normalized: "c:\\windows\\system32\\rasadhlp.dll") Region: id = 577 start_va = 0x7fef6d70000 end_va = 0x7fef6de3fff entry_point = 0x7fef6d70000 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\System32\\netprofm.dll" (normalized: "c:\\windows\\system32\\netprofm.dll") Region: id = 578 start_va = 0x7fef6df0000 end_va = 0x7fef6e5afff entry_point = 0x7fef6df0000 region_type = mapped_file name = "hnetcfg.dll" filename = "\\Windows\\System32\\hnetcfg.dll" (normalized: "c:\\windows\\system32\\hnetcfg.dll") Region: id = 579 start_va = 0x7fef6e60000 end_va = 0x7fef6eddfff entry_point = 0x7fef6e60000 region_type = mapped_file name = "wbemess.dll" filename = "\\Windows\\System32\\wbem\\wbemess.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemess.dll") Region: id = 580 start_va = 0x7fef6ee0000 end_va = 0x7fef6ef5fff entry_point = 0x7fef6ee0000 region_type = mapped_file name = "ncobjapi.dll" filename = "\\Windows\\System32\\ncobjapi.dll" (normalized: "c:\\windows\\system32\\ncobjapi.dll") Region: id = 581 start_va = 0x7fef6f00000 end_va = 0x7fef6fbbfff entry_point = 0x7fef6f00000 region_type = mapped_file name = "wmiprvsd.dll" filename = "\\Windows\\System32\\wbem\\WmiPrvSD.dll" (normalized: "c:\\windows\\system32\\wbem\\wmiprvsd.dll") Region: id = 582 start_va = 0x7fef6fc0000 end_va = 0x7fef7032fff entry_point = 0x7fef6fc0000 region_type = mapped_file name = "repdrvfs.dll" filename = "\\Windows\\System32\\wbem\\repdrvfs.dll" (normalized: "c:\\windows\\system32\\wbem\\repdrvfs.dll") Region: id = 583 start_va = 0x7fef7040000 end_va = 0x7fef7065fff entry_point = 0x7fef7040000 region_type = mapped_file name = "wmiutils.dll" filename = "\\Windows\\System32\\wbem\\wmiutils.dll" (normalized: "c:\\windows\\system32\\wbem\\wmiutils.dll") Region: id = 584 start_va = 0x7fef7070000 end_va = 0x7fef7083fff entry_point = 0x7fef7070000 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\System32\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemsvc.dll") Region: id = 585 start_va = 0x7fef7090000 end_va = 0x7fef70fefff entry_point = 0x7fef7090000 region_type = mapped_file name = "esscli.dll" filename = "\\Windows\\System32\\wbem\\esscli.dll" (normalized: "c:\\windows\\system32\\wbem\\esscli.dll") Region: id = 586 start_va = 0x7fef7100000 end_va = 0x7fef722efff entry_point = 0x7fef7100000 region_type = mapped_file name = "wbemcore.dll" filename = "\\Windows\\System32\\wbem\\wbemcore.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemcore.dll") Region: id = 587 start_va = 0x7fef7230000 end_va = 0x7fef7248fff entry_point = 0x7fef7230000 region_type = mapped_file name = "resutils.dll" filename = "\\Windows\\System32\\resutils.dll" (normalized: "c:\\windows\\system32\\resutils.dll") Region: id = 588 start_va = 0x7fef7250000 end_va = 0x7fef729ffff entry_point = 0x7fef7250000 region_type = mapped_file name = "clusapi.dll" filename = "\\Windows\\System32\\clusapi.dll" (normalized: "c:\\windows\\system32\\clusapi.dll") Region: id = 589 start_va = 0x7fef72a0000 end_va = 0x7fef72a7fff entry_point = 0x7fef72a0000 region_type = mapped_file name = "sscore.dll" filename = "\\Windows\\System32\\sscore.dll" (normalized: "c:\\windows\\system32\\sscore.dll") Region: id = 590 start_va = 0x7fef72b0000 end_va = 0x7fef72c9fff entry_point = 0x7fef72b0000 region_type = mapped_file name = "nci.dll" filename = "\\Windows\\System32\\nci.dll" (normalized: "c:\\windows\\system32\\nci.dll") Region: id = 591 start_va = 0x7fef72d0000 end_va = 0x7fef7353fff entry_point = 0x7fef72d0000 region_type = mapped_file name = "netcfgx.dll" filename = "\\Windows\\System32\\netcfgx.dll" (normalized: "c:\\windows\\system32\\netcfgx.dll") Region: id = 592 start_va = 0x7fef7360000 end_va = 0x7fef7368fff entry_point = 0x7fef7360000 region_type = mapped_file name = "tschannel.dll" filename = "\\Windows\\System32\\TSChannel.dll" (normalized: "c:\\windows\\system32\\tschannel.dll") Region: id = 593 start_va = 0x7fef7370000 end_va = 0x7fef737efff entry_point = 0x7fef7370000 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll") Region: id = 594 start_va = 0x7fef7380000 end_va = 0x7fef73a6fff entry_point = 0x7fef7380000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 595 start_va = 0x7fef73b0000 end_va = 0x7fef7491fff entry_point = 0x7fef73b0000 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\System32\\wbem\\fastprox.dll" (normalized: "c:\\windows\\system32\\wbem\\fastprox.dll") Region: id = 596 start_va = 0x7fef74e0000 end_va = 0x7fef7504fff entry_point = 0x7fef74e0000 region_type = mapped_file name = "browser.dll" filename = "\\Windows\\System32\\browser.dll" (normalized: "c:\\windows\\system32\\browser.dll") Region: id = 597 start_va = 0x7fef7510000 end_va = 0x7fef754cfff entry_point = 0x7fef7510000 region_type = mapped_file name = "srvsvc.dll" filename = "\\Windows\\System32\\srvsvc.dll" (normalized: "c:\\windows\\system32\\srvsvc.dll") Region: id = 598 start_va = 0x7fef7550000 end_va = 0x7fef7596fff entry_point = 0x7fef7550000 region_type = mapped_file name = "wdscore.dll" filename = "\\Windows\\System32\\wdscore.dll" (normalized: "c:\\windows\\system32\\wdscore.dll") Region: id = 599 start_va = 0x7fef75a0000 end_va = 0x7fef75e1fff entry_point = 0x7fef75a0000 region_type = mapped_file name = "sqmapi.dll" filename = "\\Windows\\System32\\sqmapi.dll" (normalized: "c:\\windows\\system32\\sqmapi.dll") Region: id = 600 start_va = 0x7fef75f0000 end_va = 0x7fef7681fff entry_point = 0x7fef75f0000 region_type = mapped_file name = "iphlpsvc.dll" filename = "\\Windows\\System32\\iphlpsvc.dll" (normalized: "c:\\windows\\system32\\iphlpsvc.dll") Region: id = 601 start_va = 0x7fef7690000 end_va = 0x7fef7715fff entry_point = 0x7fef7690000 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\System32\\wbemcomn.dll" (normalized: "c:\\windows\\system32\\wbemcomn.dll") Region: id = 602 start_va = 0x7fef7720000 end_va = 0x7fef775ffff entry_point = 0x7fef7720000 region_type = mapped_file name = "wmisvc.dll" filename = "\\Windows\\System32\\wbem\\WMIsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wmisvc.dll") Region: id = 603 start_va = 0x7fef7e80000 end_va = 0x7fef7e96fff entry_point = 0x7fef7e80000 region_type = mapped_file name = "vsstrace.dll" filename = "\\Windows\\System32\\vsstrace.dll" (normalized: "c:\\windows\\system32\\vsstrace.dll") Region: id = 604 start_va = 0x7fef7ea0000 end_va = 0x7fef804ffff entry_point = 0x7fef7ea0000 region_type = mapped_file name = "vssapi.dll" filename = "\\Windows\\System32\\vssapi.dll" (normalized: "c:\\windows\\system32\\vssapi.dll") Region: id = 605 start_va = 0x7fef8c40000 end_va = 0x7fef8d2dfff entry_point = 0x7fef8c40000 region_type = mapped_file name = "actxprxy.dll" filename = "\\Windows\\System32\\actxprxy.dll" (normalized: "c:\\windows\\system32\\actxprxy.dll") Region: id = 606 start_va = 0x7fef9080000 end_va = 0x7fef9094fff entry_point = 0x7fef9080000 region_type = mapped_file name = "appinfo.dll" filename = "\\Windows\\System32\\appinfo.dll" (normalized: "c:\\windows\\system32\\appinfo.dll") Region: id = 607 start_va = 0x7fefa720000 end_va = 0x7fefa796fff entry_point = 0x7fefa720000 region_type = mapped_file name = "taskcomp.dll" filename = "\\Windows\\System32\\taskcomp.dll" (normalized: "c:\\windows\\system32\\taskcomp.dll") Region: id = 608 start_va = 0x7fefacb0000 end_va = 0x7fefacb9fff entry_point = 0x7fefacb0000 region_type = mapped_file name = "ktmw32.dll" filename = "\\Windows\\System32\\ktmw32.dll" (normalized: "c:\\windows\\system32\\ktmw32.dll") Region: id = 609 start_va = 0x7fefacc0000 end_va = 0x7fefadd1fff entry_point = 0x7fefacc0000 region_type = mapped_file name = "schedsvc.dll" filename = "\\Windows\\System32\\schedsvc.dll" (normalized: "c:\\windows\\system32\\schedsvc.dll") Region: id = 610 start_va = 0x7fefade0000 end_va = 0x7fefadeefff entry_point = 0x7fefade0000 region_type = mapped_file name = "wiarpc.dll" filename = "\\Windows\\System32\\wiarpc.dll" (normalized: "c:\\windows\\system32\\wiarpc.dll") Region: id = 611 start_va = 0x7fefadf0000 end_va = 0x7fefadf8fff entry_point = 0x7fefadf0000 region_type = mapped_file name = "fvecerts.dll" filename = "\\Windows\\System32\\fvecerts.dll" (normalized: "c:\\windows\\system32\\fvecerts.dll") Region: id = 612 start_va = 0x7fefae00000 end_va = 0x7fefae08fff entry_point = 0x7fefae00000 region_type = mapped_file name = "tbs.dll" filename = "\\Windows\\System32\\tbs.dll" (normalized: "c:\\windows\\system32\\tbs.dll") Region: id = 613 start_va = 0x7fefae10000 end_va = 0x7fefae65fff entry_point = 0x7fefae10000 region_type = mapped_file name = "fveapi.dll" filename = "\\Windows\\System32\\fveapi.dll" (normalized: "c:\\windows\\system32\\fveapi.dll") Region: id = 614 start_va = 0x7fefae90000 end_va = 0x7fefaeedfff entry_point = 0x7fefae90000 region_type = mapped_file name = "shsvcs.dll" filename = "\\Windows\\System32\\shsvcs.dll" (normalized: "c:\\windows\\system32\\shsvcs.dll") Region: id = 615 start_va = 0x7fefaef0000 end_va = 0x7fefaf07fff entry_point = 0x7fefaef0000 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll") Region: id = 616 start_va = 0x7fefaf10000 end_va = 0x7fefaf20fff entry_point = 0x7fefaf10000 region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll") Region: id = 617 start_va = 0x7fefafe0000 end_va = 0x7fefb032fff entry_point = 0x7fefafe0000 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 618 start_va = 0x7fefb130000 end_va = 0x7fefb13afff entry_point = 0x7fefb130000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 619 start_va = 0x7fefb140000 end_va = 0x7fefb166fff entry_point = 0x7fefb140000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 620 start_va = 0x7fefb1a0000 end_va = 0x7fefb1b3fff entry_point = 0x7fefb1a0000 region_type = mapped_file name = "sens.dll" filename = "\\Windows\\System32\\Sens.dll" (normalized: "c:\\windows\\system32\\sens.dll") Region: id = 621 start_va = 0x7fefb1c0000 end_va = 0x7fefb226fff entry_point = 0x7fefb1c0000 region_type = mapped_file name = "es.dll" filename = "\\Windows\\System32\\es.dll" (normalized: "c:\\windows\\system32\\es.dll") Region: id = 622 start_va = 0x7fefb230000 end_va = 0x7fefb23afff entry_point = 0x7fefb230000 region_type = mapped_file name = "slc.dll" filename = "\\Windows\\System32\\slc.dll" (normalized: "c:\\windows\\system32\\slc.dll") Region: id = 623 start_va = 0x7fefb240000 end_va = 0x7fefb24bfff entry_point = 0x7fefb240000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 624 start_va = 0x7fefb250000 end_va = 0x7fefb25ffff entry_point = 0x7fefb250000 region_type = mapped_file name = "themeservice.dll" filename = "\\Windows\\System32\\themeservice.dll" (normalized: "c:\\windows\\system32\\themeservice.dll") Region: id = 625 start_va = 0x7fefb260000 end_va = 0x7fefb278fff entry_point = 0x7fefb260000 region_type = mapped_file name = "atl.dll" filename = "\\Windows\\System32\\atl.dll" (normalized: "c:\\windows\\system32\\atl.dll") Region: id = 626 start_va = 0x7fefb280000 end_va = 0x7fefb2b6fff entry_point = 0x7fefb280000 region_type = mapped_file name = "profsvc.dll" filename = "\\Windows\\System32\\profsvc.dll" (normalized: "c:\\windows\\system32\\profsvc.dll") Region: id = 627 start_va = 0x7fefb300000 end_va = 0x7fefb314fff entry_point = 0x7fefb300000 region_type = mapped_file name = "nlaapi.dll" filename = "\\Windows\\System32\\nlaapi.dll" (normalized: "c:\\windows\\system32\\nlaapi.dll") Region: id = 628 start_va = 0x7fefb320000 end_va = 0x7fefb3e1fff entry_point = 0x7fefb320000 region_type = mapped_file name = "gpsvc.dll" filename = "\\Windows\\System32\\gpsvc.dll" (normalized: "c:\\windows\\system32\\gpsvc.dll") Region: id = 629 start_va = 0x7fefb600000 end_va = 0x7fefb61cfff entry_point = 0x7fefb600000 region_type = mapped_file name = "mmcss.dll" filename = "\\Windows\\System32\\mmcss.dll" (normalized: "c:\\windows\\system32\\mmcss.dll") Region: id = 630 start_va = 0x7fefb620000 end_va = 0x7fefb659fff entry_point = 0x7fefb620000 region_type = mapped_file name = "mprapi.dll" filename = "\\Windows\\System32\\mprapi.dll" (normalized: "c:\\windows\\system32\\mprapi.dll") Region: id = 631 start_va = 0x7fefb740000 end_va = 0x7fefb750fff entry_point = 0x7fefb740000 region_type = mapped_file name = "rtutils.dll" filename = "\\Windows\\System32\\rtutils.dll" (normalized: "c:\\windows\\system32\\rtutils.dll") Region: id = 632 start_va = 0x7fefb890000 end_va = 0x7fefb8a3fff entry_point = 0x7fefb890000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 633 start_va = 0x7fefb8b0000 end_va = 0x7fefb8c4fff entry_point = 0x7fefb8b0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 634 start_va = 0x7fefb8d0000 end_va = 0x7fefb8dbfff entry_point = 0x7fefb8d0000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 635 start_va = 0x7fefb8e0000 end_va = 0x7fefb8f5fff entry_point = 0x7fefb8e0000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 636 start_va = 0x7fefb9d0000 end_va = 0x7fefb9defff entry_point = 0x7fefb9d0000 region_type = mapped_file name = "ndiscapcfg.dll" filename = "\\Windows\\System32\\ndiscapCfg.dll" (normalized: "c:\\windows\\system32\\ndiscapcfg.dll") Region: id = 637 start_va = 0x7fefba10000 end_va = 0x7fefba20fff entry_point = 0x7fefba10000 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 638 start_va = 0x7fefbb70000 end_va = 0x7fefbba4fff entry_point = 0x7fefbb70000 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\System32\\xmllite.dll" (normalized: "c:\\windows\\system32\\xmllite.dll") Region: id = 639 start_va = 0x7fefbf90000 end_va = 0x7fefbfe5fff entry_point = 0x7fefbf90000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 640 start_va = 0x7fefbff0000 end_va = 0x7fefc00cfff entry_point = 0x7fefbff0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 641 start_va = 0x7fefc040000 end_va = 0x7fefc233fff entry_point = 0x7fefc040000 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\\comctl32.dll") Region: id = 642 start_va = 0x7fefc530000 end_va = 0x7fefc538fff entry_point = 0x7fefc530000 region_type = mapped_file name = "avrt.dll" filename = "\\Windows\\System32\\avrt.dll" (normalized: "c:\\windows\\system32\\avrt.dll") Region: id = 643 start_va = 0x7fefc540000 end_va = 0x7fefc66bfff entry_point = 0x7fefc540000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 644 start_va = 0x7fefc7a0000 end_va = 0x7fefc7ccfff entry_point = 0x7fefc7a0000 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 645 start_va = 0x7fefc970000 end_va = 0x7fefc97bfff entry_point = 0x7fefc970000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 646 start_va = 0x7fefc980000 end_va = 0x7fefca3afff entry_point = 0x7fefc980000 region_type = mapped_file name = "firewallapi.dll" filename = "\\Windows\\System32\\FirewallAPI.dll" (normalized: "c:\\windows\\system32\\firewallapi.dll") Region: id = 647 start_va = 0x7fefca40000 end_va = 0x7fefca46fff entry_point = 0x7fefca40000 region_type = mapped_file name = "wshtcpip.dll" filename = "\\Windows\\System32\\WSHTCPIP.DLL" (normalized: "c:\\windows\\system32\\wshtcpip.dll") Region: id = 648 start_va = 0x7fefcb30000 end_va = 0x7fefcb4afff entry_point = 0x7fefcb30000 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll") Region: id = 649 start_va = 0x7fefcb50000 end_va = 0x7fefcb6dfff entry_point = 0x7fefcb50000 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 650 start_va = 0x7fefcb70000 end_va = 0x7fefcb81fff entry_point = 0x7fefcb70000 region_type = mapped_file name = "devrtl.dll" filename = "\\Windows\\System32\\devrtl.dll" (normalized: "c:\\windows\\system32\\devrtl.dll") Region: id = 651 start_va = 0x7fefcb90000 end_va = 0x7fefcbaefff entry_point = 0x7fefcb90000 region_type = mapped_file name = "spinf.dll" filename = "\\Windows\\System32\\SPInf.dll" (normalized: "c:\\windows\\system32\\spinf.dll") Region: id = 652 start_va = 0x7fefcc60000 end_va = 0x7fefcc98fff entry_point = 0x7fefcc60000 region_type = mapped_file name = "ubpm.dll" filename = "\\Windows\\System32\\ubpm.dll" (normalized: "c:\\windows\\system32\\ubpm.dll") Region: id = 653 start_va = 0x7fefcca0000 end_va = 0x7fefcca9fff entry_point = 0x7fefcca0000 region_type = mapped_file name = "credssp.dll" filename = "\\Windows\\System32\\credssp.dll" (normalized: "c:\\windows\\system32\\credssp.dll") Region: id = 654 start_va = 0x7fefccb0000 end_va = 0x7fefccbcfff entry_point = 0x7fefccb0000 region_type = mapped_file name = "pcwum.dll" filename = "\\Windows\\System32\\pcwum.dll" (normalized: "c:\\windows\\system32\\pcwum.dll") Region: id = 655 start_va = 0x7fefcda0000 end_va = 0x7fefcde6fff entry_point = 0x7fefcda0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 656 start_va = 0x7fefce90000 end_va = 0x7fefcebffff entry_point = 0x7fefce90000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 657 start_va = 0x7fefcec0000 end_va = 0x7fefcf1afff entry_point = 0x7fefcec0000 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 658 start_va = 0x7fefd030000 end_va = 0x7fefd036fff entry_point = 0x7fefd030000 region_type = mapped_file name = "wship6.dll" filename = "\\Windows\\System32\\wship6.dll" (normalized: "c:\\windows\\system32\\wship6.dll") Region: id = 659 start_va = 0x7fefd040000 end_va = 0x7fefd094fff entry_point = 0x7fefd040000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 660 start_va = 0x7fefd0a0000 end_va = 0x7fefd0b6fff entry_point = 0x7fefd0a0000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 661 start_va = 0x7fefd1b0000 end_va = 0x7fefd1e1fff entry_point = 0x7fefd1b0000 region_type = mapped_file name = "netjoin.dll" filename = "\\Windows\\System32\\netjoin.dll" (normalized: "c:\\windows\\system32\\netjoin.dll") Region: id = 662 start_va = 0x7fefd200000 end_va = 0x7fefd209fff entry_point = 0x7fefd200000 region_type = mapped_file name = "sysntfy.dll" filename = "\\Windows\\System32\\sysntfy.dll" (normalized: "c:\\windows\\system32\\sysntfy.dll") Region: id = 663 start_va = 0x7fefd290000 end_va = 0x7fefd2befff entry_point = 0x7fefd290000 region_type = mapped_file name = "authz.dll" filename = "\\Windows\\System32\\authz.dll" (normalized: "c:\\windows\\system32\\authz.dll") Region: id = 664 start_va = 0x7fefd2d0000 end_va = 0x7fefd33cfff entry_point = 0x7fefd2d0000 region_type = mapped_file name = "wevtapi.dll" filename = "\\Windows\\System32\\wevtapi.dll" (normalized: "c:\\windows\\system32\\wevtapi.dll") Region: id = 665 start_va = 0x7fefd340000 end_va = 0x7fefd353fff entry_point = 0x7fefd340000 region_type = mapped_file name = "cryptdll.dll" filename = "\\Windows\\System32\\cryptdll.dll" (normalized: "c:\\windows\\system32\\cryptdll.dll") Region: id = 666 start_va = 0x7fefd5a0000 end_va = 0x7fefd5c2fff entry_point = 0x7fefd5a0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 667 start_va = 0x7fefd640000 end_va = 0x7fefd64afff entry_point = 0x7fefd640000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 668 start_va = 0x7fefd670000 end_va = 0x7fefd694fff entry_point = 0x7fefd670000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 669 start_va = 0x7fefd6a0000 end_va = 0x7fefd6aefff entry_point = 0x7fefd6a0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 670 start_va = 0x7fefd6b0000 end_va = 0x7fefd740fff entry_point = 0x7fefd6b0000 region_type = mapped_file name = "sxs.dll" filename = "\\Windows\\System32\\sxs.dll" (normalized: "c:\\windows\\system32\\sxs.dll") Region: id = 671 start_va = 0x7fefd750000 end_va = 0x7fefd78cfff entry_point = 0x7fefd750000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 672 start_va = 0x7fefd790000 end_va = 0x7fefd7a3fff entry_point = 0x7fefd790000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 673 start_va = 0x7fefd7b0000 end_va = 0x7fefd7befff entry_point = 0x7fefd7b0000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 674 start_va = 0x7fefd850000 end_va = 0x7fefd85efff entry_point = 0x7fefd850000 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 675 start_va = 0x7fefd900000 end_va = 0x7fefd96afff entry_point = 0x7fefd900000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 676 start_va = 0x7fefd970000 end_va = 0x7fefd989fff entry_point = 0x7fefd970000 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 677 start_va = 0x7fefd990000 end_va = 0x7fefdaf6fff entry_point = 0x7fefd990000 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 678 start_va = 0x7fefdb00000 end_va = 0x7fefdb35fff entry_point = 0x7fefdb00000 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 679 start_va = 0x7fefdb40000 end_va = 0x7fefdb79fff entry_point = 0x7fefdb40000 region_type = mapped_file name = "wintrust.dll" filename = "\\Windows\\System32\\wintrust.dll" (normalized: "c:\\windows\\system32\\wintrust.dll") Region: id = 680 start_va = 0x7fefdb80000 end_va = 0x7fefdc48fff entry_point = 0x7fefdb80000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 681 start_va = 0x7fefdc50000 end_va = 0x7fefdd26fff entry_point = 0x7fefdc50000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 682 start_va = 0x7fefdd30000 end_va = 0x7fefdd3dfff entry_point = 0x7fefdd30000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 683 start_va = 0x7fefdd40000 end_va = 0x7fefdd6dfff entry_point = 0x7fefdd40000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 684 start_va = 0x7fefdef0000 end_va = 0x7fefdef7fff entry_point = 0x7fefdef0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 685 start_va = 0x7fefdf00000 end_va = 0x7fefec87fff entry_point = 0x7fefdf00000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 686 start_va = 0x7fefed10000 end_va = 0x7fefed76fff entry_point = 0x7fefed10000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 687 start_va = 0x7fefed80000 end_va = 0x7fefee88fff entry_point = 0x7fefed80000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 688 start_va = 0x7feff0f0000 end_va = 0x7feff1cafff entry_point = 0x7feff0f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 689 start_va = 0x7feff1d0000 end_va = 0x7feff2fcfff entry_point = 0x7feff1d0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 690 start_va = 0x7feff300000 end_va = 0x7feff4d6fff entry_point = 0x7feff300000 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll") Region: id = 691 start_va = 0x7feff4e0000 end_va = 0x7feff550fff entry_point = 0x7feff4e0000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 692 start_va = 0x7feff560000 end_va = 0x7feff5f8fff entry_point = 0x7feff560000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 693 start_va = 0x7feff600000 end_va = 0x7feff651fff entry_point = 0x7feff600000 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll") Region: id = 694 start_va = 0x7feff850000 end_va = 0x7feff86efff entry_point = 0x7feff850000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 695 start_va = 0x7feff870000 end_va = 0x7feffa72fff entry_point = 0x7feff870000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 696 start_va = 0x7feffa80000 end_va = 0x7feffb1efff entry_point = 0x7feffa80000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 697 start_va = 0x7feffb20000 end_va = 0x7feffb6cfff entry_point = 0x7feffb20000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 698 start_va = 0x7feffb80000 end_va = 0x7feffb80fff entry_point = 0x7feffb80000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 699 start_va = 0x7fffff62000 end_va = 0x7fffff63fff entry_point = 0x0 region_type = private name = "private_0x000007fffff62000" filename = "" Region: id = 700 start_va = 0x7fffff64000 end_va = 0x7fffff65fff entry_point = 0x0 region_type = private name = "private_0x000007fffff64000" filename = "" Region: id = 701 start_va = 0x7fffff66000 end_va = 0x7fffff67fff entry_point = 0x0 region_type = private name = "private_0x000007fffff66000" filename = "" Region: id = 702 start_va = 0x7fffff68000 end_va = 0x7fffff69fff entry_point = 0x0 region_type = private name = "private_0x000007fffff68000" filename = "" Region: id = 703 start_va = 0x7fffff6a000 end_va = 0x7fffff6bfff entry_point = 0x0 region_type = private name = "private_0x000007fffff6a000" filename = "" Region: id = 704 start_va = 0x7fffff6c000 end_va = 0x7fffff6dfff entry_point = 0x0 region_type = private name = "private_0x000007fffff6c000" filename = "" Region: id = 705 start_va = 0x7fffff6e000 end_va = 0x7fffff6ffff entry_point = 0x0 region_type = private name = "private_0x000007fffff6e000" filename = "" Region: id = 706 start_va = 0x7fffff72000 end_va = 0x7fffff73fff entry_point = 0x0 region_type = private name = "private_0x000007fffff72000" filename = "" Region: id = 707 start_va = 0x7fffff74000 end_va = 0x7fffff75fff entry_point = 0x0 region_type = private name = "private_0x000007fffff74000" filename = "" Region: id = 708 start_va = 0x7fffff76000 end_va = 0x7fffff77fff entry_point = 0x0 region_type = private name = "private_0x000007fffff76000" filename = "" Region: id = 709 start_va = 0x7fffff78000 end_va = 0x7fffff79fff entry_point = 0x0 region_type = private name = "private_0x000007fffff78000" filename = "" Region: id = 710 start_va = 0x7fffff7c000 end_va = 0x7fffff7dfff entry_point = 0x0 region_type = private name = "private_0x000007fffff7c000" filename = "" Region: id = 711 start_va = 0x7fffff7e000 end_va = 0x7fffff7ffff entry_point = 0x0 region_type = private name = "private_0x000007fffff7e000" filename = "" Region: id = 712 start_va = 0x7fffff80000 end_va = 0x7fffff81fff entry_point = 0x0 region_type = private name = "private_0x000007fffff80000" filename = "" Region: id = 713 start_va = 0x7fffff86000 end_va = 0x7fffff87fff entry_point = 0x0 region_type = private name = "private_0x000007fffff86000" filename = "" Region: id = 714 start_va = 0x7fffff88000 end_va = 0x7fffff89fff entry_point = 0x0 region_type = private name = "private_0x000007fffff88000" filename = "" Region: id = 715 start_va = 0x7fffff8c000 end_va = 0x7fffff8dfff entry_point = 0x0 region_type = private name = "private_0x000007fffff8c000" filename = "" Region: id = 716 start_va = 0x7fffff90000 end_va = 0x7fffff91fff entry_point = 0x0 region_type = private name = "private_0x000007fffff90000" filename = "" Region: id = 717 start_va = 0x7fffff92000 end_va = 0x7fffff93fff entry_point = 0x0 region_type = private name = "private_0x000007fffff92000" filename = "" Region: id = 718 start_va = 0x7fffff94000 end_va = 0x7fffff95fff entry_point = 0x0 region_type = private name = "private_0x000007fffff94000" filename = "" Region: id = 719 start_va = 0x7fffff96000 end_va = 0x7fffff97fff entry_point = 0x0 region_type = private name = "private_0x000007fffff96000" filename = "" Region: id = 720 start_va = 0x7fffff98000 end_va = 0x7fffff99fff entry_point = 0x0 region_type = private name = "private_0x000007fffff98000" filename = "" Region: id = 721 start_va = 0x7fffff9a000 end_va = 0x7fffff9bfff entry_point = 0x0 region_type = private name = "private_0x000007fffff9a000" filename = "" Region: id = 722 start_va = 0x7fffff9c000 end_va = 0x7fffff9dfff entry_point = 0x0 region_type = private name = "private_0x000007fffff9c000" filename = "" Region: id = 723 start_va = 0x7fffff9e000 end_va = 0x7fffff9ffff entry_point = 0x0 region_type = private name = "private_0x000007fffff9e000" filename = "" Region: id = 724 start_va = 0x7fffffa0000 end_va = 0x7fffffa1fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa0000" filename = "" Region: id = 725 start_va = 0x7fffffa2000 end_va = 0x7fffffa3fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa2000" filename = "" Region: id = 726 start_va = 0x7fffffa4000 end_va = 0x7fffffa5fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa4000" filename = "" Region: id = 727 start_va = 0x7fffffa6000 end_va = 0x7fffffa7fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa6000" filename = "" Region: id = 728 start_va = 0x7fffffa8000 end_va = 0x7fffffa9fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa8000" filename = "" Region: id = 729 start_va = 0x7fffffaa000 end_va = 0x7fffffabfff entry_point = 0x0 region_type = private name = "private_0x000007fffffaa000" filename = "" Region: id = 730 start_va = 0x7fffffac000 end_va = 0x7fffffadfff entry_point = 0x0 region_type = private name = "private_0x000007fffffac000" filename = "" Region: id = 731 start_va = 0x7fffffae000 end_va = 0x7fffffaffff entry_point = 0x0 region_type = private name = "private_0x000007fffffae000" filename = "" Region: id = 732 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 733 start_va = 0x7fffffd4000 end_va = 0x7fffffd5fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd4000" filename = "" Region: id = 734 start_va = 0x7fffffd6000 end_va = 0x7fffffd7fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd6000" filename = "" Region: id = 735 start_va = 0x7fffffd8000 end_va = 0x7fffffd9fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd8000" filename = "" Region: id = 736 start_va = 0x7fffffda000 end_va = 0x7fffffdbfff entry_point = 0x0 region_type = private name = "private_0x000007fffffda000" filename = "" Region: id = 737 start_va = 0x7fffffdc000 end_va = 0x7fffffdcfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 738 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 2886 start_va = 0x1250000 end_va = 0x1250fff entry_point = 0x0 region_type = private name = "private_0x0000000001250000" filename = "" Region: id = 2887 start_va = 0x2730000 end_va = 0x27affff entry_point = 0x0 region_type = private name = "private_0x0000000002730000" filename = "" Region: id = 2888 start_va = 0x2840000 end_va = 0x28bffff entry_point = 0x0 region_type = private name = "private_0x0000000002840000" filename = "" Region: id = 2889 start_va = 0x28e0000 end_va = 0x295ffff entry_point = 0x0 region_type = private name = "private_0x00000000028e0000" filename = "" Region: id = 2890 start_va = 0x2b00000 end_va = 0x2b7ffff entry_point = 0x0 region_type = private name = "private_0x0000000002b00000" filename = "" Region: id = 2891 start_va = 0x2c50000 end_va = 0x2ccffff entry_point = 0x0 region_type = private name = "private_0x0000000002c50000" filename = "" Region: id = 2892 start_va = 0x3070000 end_va = 0x30effff entry_point = 0x0 region_type = private name = "private_0x0000000003070000" filename = "" Region: id = 2893 start_va = 0x3120000 end_va = 0x319ffff entry_point = 0x0 region_type = private name = "private_0x0000000003120000" filename = "" Region: id = 2894 start_va = 0x3fc0000 end_va = 0x403ffff entry_point = 0x0 region_type = private name = "private_0x0000000003fc0000" filename = "" Region: id = 2895 start_va = 0x4260000 end_va = 0x435ffff entry_point = 0x0 region_type = private name = "private_0x0000000004260000" filename = "" Region: id = 2896 start_va = 0x4360000 end_va = 0x455ffff entry_point = 0x0 region_type = private name = "private_0x0000000004360000" filename = "" Region: id = 2897 start_va = 0x7fef4bd0000 end_va = 0x7fef4be5fff entry_point = 0x7fef4bd0000 region_type = mapped_file name = "ncprov.dll" filename = "\\Windows\\System32\\wbem\\NCProv.dll" (normalized: "c:\\windows\\system32\\wbem\\ncprov.dll") Region: id = 2898 start_va = 0x7fffff60000 end_va = 0x7fffff61fff entry_point = 0x0 region_type = private name = "private_0x000007fffff60000" filename = "" Region: id = 2899 start_va = 0x7fffff70000 end_va = 0x7fffff71fff entry_point = 0x0 region_type = private name = "private_0x000007fffff70000" filename = "" Region: id = 2900 start_va = 0x7fffff7a000 end_va = 0x7fffff7bfff entry_point = 0x0 region_type = private name = "private_0x000007fffff7a000" filename = "" Region: id = 2901 start_va = 0x7fffff82000 end_va = 0x7fffff83fff entry_point = 0x0 region_type = private name = "private_0x000007fffff82000" filename = "" Region: id = 2902 start_va = 0x7fffff84000 end_va = 0x7fffff85fff entry_point = 0x0 region_type = private name = "private_0x000007fffff84000" filename = "" Region: id = 2903 start_va = 0x7fffff8a000 end_va = 0x7fffff8bfff entry_point = 0x0 region_type = private name = "private_0x000007fffff8a000" filename = "" Region: id = 2904 start_va = 0x7fffff8e000 end_va = 0x7fffff8ffff entry_point = 0x0 region_type = private name = "private_0x000007fffff8e000" filename = "" Region: id = 3399 start_va = 0x2890000 end_va = 0x290ffff entry_point = 0x0 region_type = private name = "private_0x0000000002890000" filename = "" Region: id = 3400 start_va = 0x3240000 end_va = 0x32bffff entry_point = 0x0 region_type = private name = "private_0x0000000003240000" filename = "" Region: id = 3401 start_va = 0x3a40000 end_va = 0x3abffff entry_point = 0x0 region_type = private name = "private_0x0000000003a40000" filename = "" Region: id = 3402 start_va = 0x4060000 end_va = 0x40dffff entry_point = 0x0 region_type = private name = "private_0x0000000004060000" filename = "" Region: id = 3403 start_va = 0x7fefc020000 end_va = 0x7fefc034fff entry_point = 0x7fefc020000 region_type = mapped_file name = "aelupsvc.dll" filename = "\\Windows\\System32\\aelupsvc.dll" (normalized: "c:\\windows\\system32\\aelupsvc.dll") Region: id = 3404 start_va = 0x7fffff5a000 end_va = 0x7fffff5bfff entry_point = 0x0 region_type = private name = "private_0x000007fffff5a000" filename = "" Region: id = 3405 start_va = 0x7fffff5c000 end_va = 0x7fffff5dfff entry_point = 0x0 region_type = private name = "private_0x000007fffff5c000" filename = "" Region: id = 3406 start_va = 0x7fffff5e000 end_va = 0x7fffff5ffff entry_point = 0x0 region_type = private name = "private_0x000007fffff5e000" filename = "" Region: id = 3407 start_va = 0x1b40000 end_va = 0x1b4ffff entry_point = 0x0 region_type = private name = "private_0x0000000001b40000" filename = "" Region: id = 3408 start_va = 0x2720000 end_va = 0x279ffff entry_point = 0x0 region_type = private name = "private_0x0000000002720000" filename = "" Region: id = 3409 start_va = 0x2970000 end_va = 0x29effff entry_point = 0x0 region_type = private name = "private_0x0000000002970000" filename = "" Region: id = 3410 start_va = 0x3040000 end_va = 0x313ffff entry_point = 0x0 region_type = private name = "private_0x0000000003040000" filename = "" Region: id = 3411 start_va = 0x7fef62d0000 end_va = 0x7fef630efff entry_point = 0x7fef62d0000 region_type = mapped_file name = "cscobj.dll" filename = "\\Windows\\System32\\cscobj.dll" (normalized: "c:\\windows\\system32\\cscobj.dll") Region: id = 3412 start_va = 0x7fffff8e000 end_va = 0x7fffff8ffff entry_point = 0x0 region_type = private name = "private_0x000007fffff8e000" filename = "" Region: id = 3413 start_va = 0x7fffff9c000 end_va = 0x7fffff9dfff entry_point = 0x0 region_type = private name = "private_0x000007fffff9c000" filename = "" Thread: id = 160 os_tid = 0x724 Thread: id = 161 os_tid = 0x5c4 Thread: id = 162 os_tid = 0x150 Thread: id = 163 os_tid = 0x404 Thread: id = 164 os_tid = 0x43c Thread: id = 165 os_tid = 0x174 Thread: id = 166 os_tid = 0x7b8 Thread: id = 167 os_tid = 0x7b4 Thread: id = 168 os_tid = 0x7b0 Thread: id = 169 os_tid = 0x748 Thread: id = 170 os_tid = 0x714 Thread: id = 171 os_tid = 0x704 Thread: id = 172 os_tid = 0x700 Thread: id = 173 os_tid = 0x6e0 Thread: id = 174 os_tid = 0x6cc Thread: id = 175 os_tid = 0x6c4 Thread: id = 176 os_tid = 0x68c Thread: id = 177 os_tid = 0x688 Thread: id = 178 os_tid = 0x670 Thread: id = 179 os_tid = 0x65c Thread: id = 180 os_tid = 0x4c4 Thread: id = 181 os_tid = 0x47c Thread: id = 182 os_tid = 0x478 Thread: id = 183 os_tid = 0x438 Thread: id = 184 os_tid = 0x430 Thread: id = 185 os_tid = 0x42c Thread: id = 186 os_tid = 0x420 Thread: id = 187 os_tid = 0x14c Thread: id = 188 os_tid = 0x3a8 Thread: id = 189 os_tid = 0xc8 Thread: id = 190 os_tid = 0x3f8 Thread: id = 191 os_tid = 0x3ec Thread: id = 192 os_tid = 0x3a0 Thread: id = 193 os_tid = 0x394 Thread: id = 194 os_tid = 0x390 Thread: id = 195 os_tid = 0x38c Thread: id = 196 os_tid = 0x36c Thread: id = 197 os_tid = 0x354 Thread: id = 343 os_tid = 0xb74 Thread: id = 344 os_tid = 0xb78 Thread: id = 345 os_tid = 0xb7c Thread: id = 346 os_tid = 0xb80 Thread: id = 347 os_tid = 0xb84 Thread: id = 348 os_tid = 0xb88 Thread: id = 349 os_tid = 0xb8c Thread: id = 351 os_tid = 0xb94 Thread: id = 352 os_tid = 0xb98 Thread: id = 353 os_tid = 0xb9c Thread: id = 354 os_tid = 0xba0 Thread: id = 411 os_tid = 0x44c Thread: id = 412 os_tid = 0x358 Thread: id = 413 os_tid = 0x790 Thread: id = 424 os_tid = 0x444 Thread: id = 426 os_tid = 0x5a0 Process: id = "11" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x18692000" os_pid = "0xf0" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "5" os_parent_pid = "0x1d4" cmd_line = "C:\\Windows\\system32\\svchost.exe -k LocalService" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Local Service" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\EventSystem" [0xe], "NT SERVICE\\fdPHost" [0xa], "NT SERVICE\\lltdsvc" [0xa], "NT SERVICE\\netprofm" [0xa], "NT SERVICE\\nsi" [0xa], "NT SERVICE\\sppuinotify" [0xa], "NT SERVICE\\SstpSvc" [0xa], "NT SERVICE\\THREADORDER" [0xa], "NT SERVICE\\W32Time" [0xa], "NT SERVICE\\WdiServiceHost" [0xa], "NT SERVICE\\WebClient" [0xa], "NT SERVICE\\WinHttpAutoProxySvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000ddc8" [0xc000000f], "LOCAL" [0x7] Region: id = 1536 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1537 start_va = 0x20000 end_va = 0x26fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 1538 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1539 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 1540 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1541 start_va = 0xc0000 end_va = 0x17ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 1542 start_va = 0x180000 end_va = 0x181fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000180000" filename = "" Region: id = 1543 start_va = 0x190000 end_va = 0x20ffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 1544 start_va = 0x210000 end_va = 0x210fff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 1545 start_va = 0x220000 end_va = 0x220fff entry_point = 0x0 region_type = private name = "private_0x0000000000220000" filename = "" Region: id = 1546 start_va = 0x230000 end_va = 0x230fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1547 start_va = 0x240000 end_va = 0x250fff entry_point = 0x240000 region_type = mapped_file name = "es.dll" filename = "\\Windows\\System32\\es.dll" (normalized: "c:\\windows\\system32\\es.dll") Region: id = 1548 start_va = 0x260000 end_va = 0x263fff entry_point = 0x260000 region_type = mapped_file name = "stdole2.tlb" filename = "\\Windows\\System32\\stdole2.tlb" (normalized: "c:\\windows\\system32\\stdole2.tlb") Region: id = 1549 start_va = 0x270000 end_va = 0x271fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000270000" filename = "" Region: id = 1550 start_va = 0x280000 end_va = 0x37ffff entry_point = 0x0 region_type = private name = "private_0x0000000000280000" filename = "" Region: id = 1551 start_va = 0x380000 end_va = 0x47ffff entry_point = 0x0 region_type = private name = "private_0x0000000000380000" filename = "" Region: id = 1552 start_va = 0x480000 end_va = 0x480fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000480000" filename = "" Region: id = 1553 start_va = 0x490000 end_va = 0x49ffff entry_point = 0x0 region_type = private name = "private_0x0000000000490000" filename = "" Region: id = 1554 start_va = 0x4a0000 end_va = 0x627fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004a0000" filename = "" Region: id = 1555 start_va = 0x630000 end_va = 0x7b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000630000" filename = "" Region: id = 1556 start_va = 0x7c0000 end_va = 0xbb2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 1557 start_va = 0xc20000 end_va = 0xc9ffff entry_point = 0x0 region_type = private name = "private_0x0000000000c20000" filename = "" Region: id = 1558 start_va = 0xd00000 end_va = 0xd7ffff entry_point = 0x0 region_type = private name = "private_0x0000000000d00000" filename = "" Region: id = 1559 start_va = 0xe70000 end_va = 0xeeffff entry_point = 0x0 region_type = private name = "private_0x0000000000e70000" filename = "" Region: id = 1560 start_va = 0xef0000 end_va = 0xf6ffff entry_point = 0x0 region_type = private name = "private_0x0000000000ef0000" filename = "" Region: id = 1561 start_va = 0xf70000 end_va = 0xfeffff entry_point = 0x0 region_type = private name = "private_0x0000000000f70000" filename = "" Region: id = 1562 start_va = 0x1080000 end_va = 0x108ffff entry_point = 0x0 region_type = private name = "private_0x0000000001080000" filename = "" Region: id = 1563 start_va = 0x10a0000 end_va = 0x136efff entry_point = 0x10a0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1564 start_va = 0x1370000 end_va = 0x146ffff entry_point = 0x0 region_type = private name = "private_0x0000000001370000" filename = "" Region: id = 1565 start_va = 0x1470000 end_va = 0x156ffff entry_point = 0x0 region_type = private name = "private_0x0000000001470000" filename = "" Region: id = 1566 start_va = 0x1600000 end_va = 0x167ffff entry_point = 0x0 region_type = private name = "private_0x0000000001600000" filename = "" Region: id = 1567 start_va = 0x16b0000 end_va = 0x172ffff entry_point = 0x0 region_type = private name = "private_0x00000000016b0000" filename = "" Region: id = 1568 start_va = 0x1790000 end_va = 0x180ffff entry_point = 0x0 region_type = private name = "private_0x0000000001790000" filename = "" Region: id = 1569 start_va = 0x1870000 end_va = 0x18effff entry_point = 0x0 region_type = private name = "private_0x0000000001870000" filename = "" Region: id = 1570 start_va = 0x1930000 end_va = 0x193ffff entry_point = 0x0 region_type = private name = "private_0x0000000001930000" filename = "" Region: id = 1571 start_va = 0x1960000 end_va = 0x19dffff entry_point = 0x0 region_type = private name = "private_0x0000000001960000" filename = "" Region: id = 1572 start_va = 0x1aa0000 end_va = 0x1b9ffff entry_point = 0x0 region_type = private name = "private_0x0000000001aa0000" filename = "" Region: id = 1573 start_va = 0x1bb0000 end_va = 0x1bbffff entry_point = 0x0 region_type = private name = "private_0x0000000001bb0000" filename = "" Region: id = 1574 start_va = 0x1bc0000 end_va = 0x1c3ffff entry_point = 0x0 region_type = private name = "private_0x0000000001bc0000" filename = "" Region: id = 1575 start_va = 0x1c40000 end_va = 0x1cbffff entry_point = 0x0 region_type = private name = "private_0x0000000001c40000" filename = "" Region: id = 1576 start_va = 0x1cc0000 end_va = 0x1d7ffff entry_point = 0x1cc0000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 1577 start_va = 0x1db0000 end_va = 0x1e2ffff entry_point = 0x0 region_type = private name = "private_0x0000000001db0000" filename = "" Region: id = 1578 start_va = 0x1f30000 end_va = 0x1faffff entry_point = 0x0 region_type = private name = "private_0x0000000001f30000" filename = "" Region: id = 1579 start_va = 0x1fb0000 end_va = 0x21affff entry_point = 0x0 region_type = private name = "private_0x0000000001fb0000" filename = "" Region: id = 1580 start_va = 0x73f90000 end_va = 0x73f92fff entry_point = 0x73f90000 region_type = mapped_file name = "sfc.dll" filename = "\\Windows\\System32\\sfc.dll" (normalized: "c:\\windows\\system32\\sfc.dll") Region: id = 1581 start_va = 0x77640000 end_va = 0x77739fff entry_point = 0x77640000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1582 start_va = 0x77740000 end_va = 0x7785efff entry_point = 0x77740000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1583 start_va = 0x77860000 end_va = 0x77a08fff entry_point = 0x77860000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1584 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 1585 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 1586 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1587 start_va = 0xfff20000 end_va = 0xfff2afff entry_point = 0xfff20000 region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 1588 start_va = 0x7fef69e0000 end_va = 0x7fef69ebfff entry_point = 0x7fef69e0000 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\System32\\npmproxy.dll" (normalized: "c:\\windows\\system32\\npmproxy.dll") Region: id = 1589 start_va = 0x7fef6a30000 end_va = 0x7fef6b07fff entry_point = 0x7fef6a30000 region_type = mapped_file name = "perftrack.dll" filename = "\\Windows\\System32\\perftrack.dll" (normalized: "c:\\windows\\system32\\perftrack.dll") Region: id = 1590 start_va = 0x7fef6d60000 end_va = 0x7fef6d67fff entry_point = 0x7fef6d60000 region_type = mapped_file name = "rasadhlp.dll" filename = "\\Windows\\System32\\rasadhlp.dll" (normalized: "c:\\windows\\system32\\rasadhlp.dll") Region: id = 1591 start_va = 0x7fef6d70000 end_va = 0x7fef6de3fff entry_point = 0x7fef6d70000 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\System32\\netprofm.dll" (normalized: "c:\\windows\\system32\\netprofm.dll") Region: id = 1592 start_va = 0x7fef7b60000 end_va = 0x7fef7b78fff entry_point = 0x7fef7b60000 region_type = mapped_file name = "wdi.dll" filename = "\\Windows\\System32\\wdi.dll" (normalized: "c:\\windows\\system32\\wdi.dll") Region: id = 1593 start_va = 0x7fef7b80000 end_va = 0x7fef7b8ffff entry_point = 0x7fef7b80000 region_type = mapped_file name = "sfc_os.dll" filename = "\\Windows\\System32\\sfc_os.dll" (normalized: "c:\\windows\\system32\\sfc_os.dll") Region: id = 1594 start_va = 0x7fef7b90000 end_va = 0x7fef7ba1fff entry_point = 0x7fef7b90000 region_type = mapped_file name = "aepic.dll" filename = "\\Windows\\System32\\aepic.dll" (normalized: "c:\\windows\\system32\\aepic.dll") Region: id = 1595 start_va = 0x7fef7d00000 end_va = 0x7fef7d63fff entry_point = 0x7fef7d00000 region_type = mapped_file name = "webio.dll" filename = "\\Windows\\System32\\webio.dll" (normalized: "c:\\windows\\system32\\webio.dll") Region: id = 1596 start_va = 0x7fef7d70000 end_va = 0x7fef7de0fff entry_point = 0x7fef7d70000 region_type = mapped_file name = "winhttp.dll" filename = "\\Windows\\System32\\winhttp.dll" (normalized: "c:\\windows\\system32\\winhttp.dll") Region: id = 1597 start_va = 0x7fef8860000 end_va = 0x7fef88dbfff entry_point = 0x7fef8860000 region_type = mapped_file name = "wer.dll" filename = "\\Windows\\System32\\wer.dll" (normalized: "c:\\windows\\system32\\wer.dll") Region: id = 1598 start_va = 0x7fefaef0000 end_va = 0x7fefaf07fff entry_point = 0x7fefaef0000 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll") Region: id = 1599 start_va = 0x7fefaf10000 end_va = 0x7fefaf20fff entry_point = 0x7fefaf10000 region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll") Region: id = 1600 start_va = 0x7fefafe0000 end_va = 0x7fefb032fff entry_point = 0x7fefafe0000 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 1601 start_va = 0x7fefb110000 end_va = 0x7fefb119fff entry_point = 0x7fefb110000 region_type = mapped_file name = "nsisvc.dll" filename = "\\Windows\\System32\\nsisvc.dll" (normalized: "c:\\windows\\system32\\nsisvc.dll") Region: id = 1602 start_va = 0x7fefb130000 end_va = 0x7fefb13afff entry_point = 0x7fefb130000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 1603 start_va = 0x7fefb140000 end_va = 0x7fefb166fff entry_point = 0x7fefb140000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 1604 start_va = 0x7fefb1c0000 end_va = 0x7fefb226fff entry_point = 0x7fefb1c0000 region_type = mapped_file name = "es.dll" filename = "\\Windows\\System32\\es.dll" (normalized: "c:\\windows\\system32\\es.dll") Region: id = 1605 start_va = 0x7fefb300000 end_va = 0x7fefb314fff entry_point = 0x7fefb300000 region_type = mapped_file name = "nlaapi.dll" filename = "\\Windows\\System32\\nlaapi.dll" (normalized: "c:\\windows\\system32\\nlaapi.dll") Region: id = 1606 start_va = 0x7fefb990000 end_va = 0x7fefb9a8fff entry_point = 0x7fefb990000 region_type = mapped_file name = "pnrpnsp.dll" filename = "\\Windows\\System32\\pnrpnsp.dll" (normalized: "c:\\windows\\system32\\pnrpnsp.dll") Region: id = 1607 start_va = 0x7fefb9b0000 end_va = 0x7fefb9c4fff entry_point = 0x7fefb9b0000 region_type = mapped_file name = "napinsp.dll" filename = "\\Windows\\System32\\NapiNSP.dll" (normalized: "c:\\windows\\system32\\napinsp.dll") Region: id = 1608 start_va = 0x7fefba30000 end_va = 0x7fefba3afff entry_point = 0x7fefba30000 region_type = mapped_file name = "winrnr.dll" filename = "\\Windows\\System32\\winrnr.dll" (normalized: "c:\\windows\\system32\\winrnr.dll") Region: id = 1609 start_va = 0x7fefbbb0000 end_va = 0x7fefbbc7fff entry_point = 0x7fefbbb0000 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Region: id = 1610 start_va = 0x7fefc970000 end_va = 0x7fefc97bfff entry_point = 0x7fefc970000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 1611 start_va = 0x7fefca40000 end_va = 0x7fefca46fff entry_point = 0x7fefca40000 region_type = mapped_file name = "wshtcpip.dll" filename = "\\Windows\\System32\\WSHTCPIP.DLL" (normalized: "c:\\windows\\system32\\wshtcpip.dll") Region: id = 1612 start_va = 0x7fefcb30000 end_va = 0x7fefcb4afff entry_point = 0x7fefcb30000 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll") Region: id = 1613 start_va = 0x7fefcca0000 end_va = 0x7fefcca9fff entry_point = 0x7fefcca0000 region_type = mapped_file name = "credssp.dll" filename = "\\Windows\\System32\\credssp.dll" (normalized: "c:\\windows\\system32\\credssp.dll") Region: id = 1614 start_va = 0x7fefcda0000 end_va = 0x7fefcde6fff entry_point = 0x7fefcda0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 1615 start_va = 0x7fefcec0000 end_va = 0x7fefcf1afff entry_point = 0x7fefcec0000 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 1616 start_va = 0x7fefd030000 end_va = 0x7fefd036fff entry_point = 0x7fefd030000 region_type = mapped_file name = "wship6.dll" filename = "\\Windows\\System32\\wship6.dll" (normalized: "c:\\windows\\system32\\wship6.dll") Region: id = 1617 start_va = 0x7fefd040000 end_va = 0x7fefd094fff entry_point = 0x7fefd040000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 1618 start_va = 0x7fefd0a0000 end_va = 0x7fefd0b6fff entry_point = 0x7fefd0a0000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 1619 start_va = 0x7fefd640000 end_va = 0x7fefd64afff entry_point = 0x7fefd640000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 1620 start_va = 0x7fefd670000 end_va = 0x7fefd694fff entry_point = 0x7fefd670000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 1621 start_va = 0x7fefd6a0000 end_va = 0x7fefd6aefff entry_point = 0x7fefd6a0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 1622 start_va = 0x7fefd6b0000 end_va = 0x7fefd740fff entry_point = 0x7fefd6b0000 region_type = mapped_file name = "sxs.dll" filename = "\\Windows\\System32\\sxs.dll" (normalized: "c:\\windows\\system32\\sxs.dll") Region: id = 1623 start_va = 0x7fefd790000 end_va = 0x7fefd7a3fff entry_point = 0x7fefd790000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 1624 start_va = 0x7fefd900000 end_va = 0x7fefd96afff entry_point = 0x7fefd900000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1625 start_va = 0x7fefdb80000 end_va = 0x7fefdc48fff entry_point = 0x7fefdb80000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 1626 start_va = 0x7fefdc50000 end_va = 0x7fefdd26fff entry_point = 0x7fefdc50000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 1627 start_va = 0x7fefdd30000 end_va = 0x7fefdd3dfff entry_point = 0x7fefdd30000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 1628 start_va = 0x7fefdd40000 end_va = 0x7fefdd6dfff entry_point = 0x7fefdd40000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1629 start_va = 0x7fefdef0000 end_va = 0x7fefdef7fff entry_point = 0x7fefdef0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 1630 start_va = 0x7fefed10000 end_va = 0x7fefed76fff entry_point = 0x7fefed10000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1631 start_va = 0x7fefed80000 end_va = 0x7fefee88fff entry_point = 0x7fefed80000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 1632 start_va = 0x7feff0f0000 end_va = 0x7feff1cafff entry_point = 0x7feff0f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 1633 start_va = 0x7feff1d0000 end_va = 0x7feff2fcfff entry_point = 0x7feff1d0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1634 start_va = 0x7feff4e0000 end_va = 0x7feff550fff entry_point = 0x7feff4e0000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 1635 start_va = 0x7feff560000 end_va = 0x7feff5f8fff entry_point = 0x7feff560000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 1636 start_va = 0x7feff850000 end_va = 0x7feff86efff entry_point = 0x7feff850000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1637 start_va = 0x7feff870000 end_va = 0x7feffa72fff entry_point = 0x7feff870000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 1638 start_va = 0x7feffa80000 end_va = 0x7feffb1efff entry_point = 0x7feffa80000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1639 start_va = 0x7feffb20000 end_va = 0x7feffb6cfff entry_point = 0x7feffb20000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 1640 start_va = 0x7feffb80000 end_va = 0x7feffb80fff entry_point = 0x7feffb80000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 1641 start_va = 0x7fffffa0000 end_va = 0x7fffffa1fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa0000" filename = "" Region: id = 1642 start_va = 0x7fffffa2000 end_va = 0x7fffffa3fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa2000" filename = "" Region: id = 1643 start_va = 0x7fffffa6000 end_va = 0x7fffffa7fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa6000" filename = "" Region: id = 1644 start_va = 0x7fffffa8000 end_va = 0x7fffffa9fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa8000" filename = "" Region: id = 1645 start_va = 0x7fffffaa000 end_va = 0x7fffffabfff entry_point = 0x0 region_type = private name = "private_0x000007fffffaa000" filename = "" Region: id = 1646 start_va = 0x7fffffac000 end_va = 0x7fffffadfff entry_point = 0x0 region_type = private name = "private_0x000007fffffac000" filename = "" Region: id = 1647 start_va = 0x7fffffae000 end_va = 0x7fffffaffff entry_point = 0x0 region_type = private name = "private_0x000007fffffae000" filename = "" Region: id = 1648 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 1649 start_va = 0x7fffffd3000 end_va = 0x7fffffd4fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd3000" filename = "" Region: id = 1650 start_va = 0x7fffffd5000 end_va = 0x7fffffd6fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd5000" filename = "" Region: id = 1651 start_va = 0x7fffffd7000 end_va = 0x7fffffd8fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd7000" filename = "" Region: id = 1652 start_va = 0x7fffffdb000 end_va = 0x7fffffdcfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdb000" filename = "" Region: id = 1653 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 1654 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Thread: id = 198 os_tid = 0x7ac Thread: id = 199 os_tid = 0x7a8 Thread: id = 200 os_tid = 0x780 Thread: id = 201 os_tid = 0x77c Thread: id = 202 os_tid = 0x758 Thread: id = 203 os_tid = 0x754 Thread: id = 204 os_tid = 0x61c Thread: id = 205 os_tid = 0x158 Thread: id = 206 os_tid = 0x154 Thread: id = 207 os_tid = 0x130 Thread: id = 208 os_tid = 0x12c Thread: id = 209 os_tid = 0x11c Thread: id = 306 os_tid = 0xa6c Thread: id = 404 os_tid = 0x5ac Thread: id = 414 os_tid = 0x324 Thread: id = 431 os_tid = 0x7fc Thread: id = 450 os_tid = 0x8b0 Thread: id = 461 os_tid = 0x820 Process: id = "12" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x8da9000" os_pid = "0x268" os_integrity_level = "0x4000" os_privileges = "0x60a00000" monitor_reason = "child_process" parent_id = "5" os_parent_pid = "0x1d4" cmd_line = "C:\\Windows\\system32\\svchost.exe -k NetworkService" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Network Service" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\CryptSvc" [0xa], "NT SERVICE\\Dnscache" [0xe], "NT SERVICE\\LanmanWorkstation" [0xa], "NT SERVICE\\napagent" [0xa], "NT SERVICE\\NlaSvc" [0xa], "NT SERVICE\\TapiSrv" [0xa], "NT SERVICE\\TermService" [0xa], "NT SERVICE\\Wecsvc" [0xa], "NT SERVICE\\WinRM" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000e915" [0xc000000f], "LOCAL" [0x7] Region: id = 999 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1000 start_va = 0x20000 end_va = 0x26fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 1001 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1002 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 1003 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1004 start_va = 0xc0000 end_va = 0xc1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 1005 start_va = 0xd0000 end_va = 0xd0fff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 1006 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 1007 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000f0000" filename = "" Region: id = 1008 start_va = 0x100000 end_va = 0x100fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000100000" filename = "" Region: id = 1009 start_va = 0x110000 end_va = 0x110fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 1010 start_va = 0x120000 end_va = 0x120fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000120000" filename = "" Region: id = 1011 start_va = 0x130000 end_va = 0x1affff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 1012 start_va = 0x1b0000 end_va = 0x1c9fff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 1013 start_va = 0x1d0000 end_va = 0x1d0fff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 1014 start_va = 0x1e0000 end_va = 0x1effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 1015 start_va = 0x1f0000 end_va = 0x1fffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 1016 start_va = 0x200000 end_va = 0x20ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000200000" filename = "" Region: id = 1017 start_va = 0x210000 end_va = 0x21ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000210000" filename = "" Region: id = 1018 start_va = 0x220000 end_va = 0x22ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000220000" filename = "" Region: id = 1019 start_va = 0x230000 end_va = 0x23ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1020 start_va = 0x240000 end_va = 0x240fff entry_point = 0x0 region_type = private name = "private_0x0000000000240000" filename = "" Region: id = 1021 start_va = 0x250000 end_va = 0x25ffff entry_point = 0x0 region_type = private name = "private_0x0000000000250000" filename = "" Region: id = 1022 start_va = 0x260000 end_va = 0x35ffff entry_point = 0x0 region_type = private name = "private_0x0000000000260000" filename = "" Region: id = 1023 start_va = 0x360000 end_va = 0x45ffff entry_point = 0x0 region_type = private name = "private_0x0000000000360000" filename = "" Region: id = 1024 start_va = 0x460000 end_va = 0x46ffff entry_point = 0x0 region_type = private name = "private_0x0000000000460000" filename = "" Region: id = 1025 start_va = 0x470000 end_va = 0x47ffff entry_point = 0x0 region_type = private name = "private_0x0000000000470000" filename = "" Region: id = 1026 start_va = 0x480000 end_va = 0x480fff entry_point = 0x0 region_type = private name = "private_0x0000000000480000" filename = "" Region: id = 1027 start_va = 0x490000 end_va = 0x491fff entry_point = 0x0 region_type = private name = "private_0x0000000000490000" filename = "" Region: id = 1028 start_va = 0x4a0000 end_va = 0x4affff entry_point = 0x0 region_type = private name = "private_0x00000000004a0000" filename = "" Region: id = 1029 start_va = 0x4b0000 end_va = 0x4b4fff entry_point = 0x0 region_type = private name = "private_0x00000000004b0000" filename = "" Region: id = 1030 start_va = 0x4c0000 end_va = 0x4c0fff entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 1031 start_va = 0x4d0000 end_va = 0x4dffff entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 1032 start_va = 0x4e0000 end_va = 0x4effff entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 1033 start_va = 0x4f0000 end_va = 0x677fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 1034 start_va = 0x680000 end_va = 0x800fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000680000" filename = "" Region: id = 1035 start_va = 0x810000 end_va = 0x8cffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000810000" filename = "" Region: id = 1036 start_va = 0x8d0000 end_va = 0xcc2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008d0000" filename = "" Region: id = 1037 start_va = 0xcd0000 end_va = 0xd8ffff entry_point = 0xcd0000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 1038 start_va = 0xd90000 end_va = 0xd90fff entry_point = 0x0 region_type = private name = "private_0x0000000000d90000" filename = "" Region: id = 1039 start_va = 0xda0000 end_va = 0xdaffff entry_point = 0xda0000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 1040 start_va = 0xdb0000 end_va = 0xdbffff entry_point = 0xdb0000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 1041 start_va = 0xdc0000 end_va = 0xdcffff entry_point = 0xdc0000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 1042 start_va = 0xdd0000 end_va = 0xddffff entry_point = 0xdd0000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 1043 start_va = 0xde0000 end_va = 0xe5ffff entry_point = 0x0 region_type = private name = "private_0x0000000000de0000" filename = "" Region: id = 1044 start_va = 0xe60000 end_va = 0xe6ffff entry_point = 0xe60000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 1045 start_va = 0xe70000 end_va = 0xe7ffff entry_point = 0xe70000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 1046 start_va = 0xe80000 end_va = 0xe8ffff entry_point = 0xe80000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 1047 start_va = 0xe90000 end_va = 0xe9ffff entry_point = 0xe90000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 1048 start_va = 0xea0000 end_va = 0xeaffff entry_point = 0xea0000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 1049 start_va = 0xeb0000 end_va = 0xf2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000eb0000" filename = "" Region: id = 1050 start_va = 0xf30000 end_va = 0x11fefff entry_point = 0xf30000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1051 start_va = 0x1200000 end_va = 0x127ffff entry_point = 0x0 region_type = private name = "private_0x0000000001200000" filename = "" Region: id = 1052 start_va = 0x1280000 end_va = 0x128ffff entry_point = 0x1280000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 1053 start_va = 0x1310000 end_va = 0x131ffff entry_point = 0x1310000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 1054 start_va = 0x1320000 end_va = 0x132ffff entry_point = 0x1320000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 1055 start_va = 0x1330000 end_va = 0x133ffff entry_point = 0x1330000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 1056 start_va = 0x1340000 end_va = 0x134ffff entry_point = 0x1340000 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 1057 start_va = 0x1350000 end_va = 0x135ffff entry_point = 0x0 region_type = private name = "private_0x0000000001350000" filename = "" Region: id = 1058 start_va = 0x1360000 end_va = 0x13dffff entry_point = 0x0 region_type = private name = "private_0x0000000001360000" filename = "" Region: id = 1059 start_va = 0x13e0000 end_va = 0x13effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000013e0000" filename = "" Region: id = 1060 start_va = 0x13f0000 end_va = 0x13fffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000013f0000" filename = "" Region: id = 1061 start_va = 0x1400000 end_va = 0x140ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001400000" filename = "" Region: id = 1062 start_va = 0x1410000 end_va = 0x141ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001410000" filename = "" Region: id = 1063 start_va = 0x1420000 end_va = 0x142ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001420000" filename = "" Region: id = 1064 start_va = 0x1430000 end_va = 0x143ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001430000" filename = "" Region: id = 1065 start_va = 0x1440000 end_va = 0x144ffff entry_point = 0x0 region_type = private name = "private_0x0000000001440000" filename = "" Region: id = 1066 start_va = 0x1450000 end_va = 0x14cffff entry_point = 0x0 region_type = private name = "private_0x0000000001450000" filename = "" Region: id = 1067 start_va = 0x14d0000 end_va = 0x14dffff entry_point = 0x0 region_type = private name = "private_0x00000000014d0000" filename = "" Region: id = 1068 start_va = 0x14e0000 end_va = 0x155ffff entry_point = 0x0 region_type = private name = "private_0x00000000014e0000" filename = "" Region: id = 1069 start_va = 0x1560000 end_va = 0x15dffff entry_point = 0x0 region_type = private name = "private_0x0000000001560000" filename = "" Region: id = 1070 start_va = 0x15e0000 end_va = 0x15effff entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 1071 start_va = 0x15f0000 end_va = 0x166ffff entry_point = 0x0 region_type = private name = "private_0x00000000015f0000" filename = "" Region: id = 1072 start_va = 0x1670000 end_va = 0x167ffff entry_point = 0x0 region_type = private name = "private_0x0000000001670000" filename = "" Region: id = 1073 start_va = 0x1680000 end_va = 0x16fffff entry_point = 0x0 region_type = private name = "private_0x0000000001680000" filename = "" Region: id = 1074 start_va = 0x1700000 end_va = 0x1700fff entry_point = 0x0 region_type = private name = "private_0x0000000001700000" filename = "" Region: id = 1075 start_va = 0x1710000 end_va = 0x1710fff entry_point = 0x0 region_type = private name = "private_0x0000000001710000" filename = "" Region: id = 1076 start_va = 0x1720000 end_va = 0x172ffff entry_point = 0x0 region_type = private name = "private_0x0000000001720000" filename = "" Region: id = 1077 start_va = 0x1760000 end_va = 0x17dffff entry_point = 0x0 region_type = private name = "private_0x0000000001760000" filename = "" Region: id = 1078 start_va = 0x1810000 end_va = 0x188ffff entry_point = 0x0 region_type = private name = "private_0x0000000001810000" filename = "" Region: id = 1079 start_va = 0x18c0000 end_va = 0x19bffff entry_point = 0x0 region_type = private name = "private_0x00000000018c0000" filename = "" Region: id = 1080 start_va = 0x1a40000 end_va = 0x1abffff entry_point = 0x0 region_type = private name = "private_0x0000000001a40000" filename = "" Region: id = 1081 start_va = 0x1ac0000 end_va = 0x1bbffff entry_point = 0x0 region_type = private name = "private_0x0000000001ac0000" filename = "" Region: id = 1082 start_va = 0x1bd0000 end_va = 0x1bdffff entry_point = 0x0 region_type = private name = "private_0x0000000001bd0000" filename = "" Region: id = 1083 start_va = 0x1ca0000 end_va = 0x1caffff entry_point = 0x0 region_type = private name = "private_0x0000000001ca0000" filename = "" Region: id = 1084 start_va = 0x1cb0000 end_va = 0x1daffff entry_point = 0x0 region_type = private name = "private_0x0000000001cb0000" filename = "" Region: id = 1085 start_va = 0x1dd0000 end_va = 0x1e4ffff entry_point = 0x0 region_type = private name = "private_0x0000000001dd0000" filename = "" Region: id = 1086 start_va = 0x1f10000 end_va = 0x1f8ffff entry_point = 0x0 region_type = private name = "private_0x0000000001f10000" filename = "" Region: id = 1087 start_va = 0x1f90000 end_va = 0x208ffff entry_point = 0x0 region_type = private name = "private_0x0000000001f90000" filename = "" Region: id = 1088 start_va = 0x20d0000 end_va = 0x214ffff entry_point = 0x0 region_type = private name = "private_0x00000000020d0000" filename = "" Region: id = 1089 start_va = 0x2150000 end_va = 0x224ffff entry_point = 0x0 region_type = private name = "private_0x0000000002150000" filename = "" Region: id = 1090 start_va = 0x2270000 end_va = 0x22effff entry_point = 0x0 region_type = private name = "private_0x0000000002270000" filename = "" Region: id = 1091 start_va = 0x2340000 end_va = 0x23bffff entry_point = 0x0 region_type = private name = "private_0x0000000002340000" filename = "" Region: id = 1092 start_va = 0x23d0000 end_va = 0x244ffff entry_point = 0x0 region_type = private name = "private_0x00000000023d0000" filename = "" Region: id = 1093 start_va = 0x2450000 end_va = 0x254ffff entry_point = 0x0 region_type = private name = "private_0x0000000002450000" filename = "" Region: id = 1094 start_va = 0x2580000 end_va = 0x258ffff entry_point = 0x0 region_type = private name = "private_0x0000000002580000" filename = "" Region: id = 1095 start_va = 0x2590000 end_va = 0x358ffff entry_point = 0x0 region_type = private name = "private_0x0000000002590000" filename = "" Region: id = 1096 start_va = 0x3620000 end_va = 0x369ffff entry_point = 0x0 region_type = private name = "private_0x0000000003620000" filename = "" Region: id = 1097 start_va = 0x77640000 end_va = 0x77739fff entry_point = 0x77640000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1098 start_va = 0x77740000 end_va = 0x7785efff entry_point = 0x77740000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1099 start_va = 0x77860000 end_va = 0x77a08fff entry_point = 0x77860000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1100 start_va = 0x77a30000 end_va = 0x77a36fff entry_point = 0x77a30000 region_type = mapped_file name = "psapi.dll" filename = "\\Windows\\System32\\psapi.dll" (normalized: "c:\\windows\\system32\\psapi.dll") Region: id = 1101 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 1102 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 1103 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1104 start_va = 0xfff20000 end_va = 0xfff2afff entry_point = 0xfff20000 region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 1105 start_va = 0x7fef4520000 end_va = 0x7fef4799fff entry_point = 0x7fef4520000 region_type = mapped_file name = "esent.dll" filename = "\\Windows\\System32\\esent.dll" (normalized: "c:\\windows\\system32\\esent.dll") Region: id = 1106 start_va = 0x7fef6d60000 end_va = 0x7fef6d67fff entry_point = 0x7fef6d60000 region_type = mapped_file name = "rasadhlp.dll" filename = "\\Windows\\System32\\rasadhlp.dll" (normalized: "c:\\windows\\system32\\rasadhlp.dll") Region: id = 1107 start_va = 0x7fef7940000 end_va = 0x7fef7950fff entry_point = 0x7fef7940000 region_type = mapped_file name = "ssdpapi.dll" filename = "\\Windows\\System32\\ssdpapi.dll" (normalized: "c:\\windows\\system32\\ssdpapi.dll") Region: id = 1108 start_va = 0x7fef7d00000 end_va = 0x7fef7d63fff entry_point = 0x7fef7d00000 region_type = mapped_file name = "webio.dll" filename = "\\Windows\\System32\\webio.dll" (normalized: "c:\\windows\\system32\\webio.dll") Region: id = 1109 start_va = 0x7fef7d70000 end_va = 0x7fef7de0fff entry_point = 0x7fef7d70000 region_type = mapped_file name = "winhttp.dll" filename = "\\Windows\\System32\\winhttp.dll" (normalized: "c:\\windows\\system32\\winhttp.dll") Region: id = 1110 start_va = 0x7fef7df0000 end_va = 0x7fef7e27fff entry_point = 0x7fef7df0000 region_type = mapped_file name = "ncsi.dll" filename = "\\Windows\\System32\\ncsi.dll" (normalized: "c:\\windows\\system32\\ncsi.dll") Region: id = 1111 start_va = 0x7fef7e30000 end_va = 0x7fef7e7dfff entry_point = 0x7fef7e30000 region_type = mapped_file name = "nlasvc.dll" filename = "\\Windows\\System32\\nlasvc.dll" (normalized: "c:\\windows\\system32\\nlasvc.dll") Region: id = 1112 start_va = 0x7fef7e80000 end_va = 0x7fef7e96fff entry_point = 0x7fef7e80000 region_type = mapped_file name = "vsstrace.dll" filename = "\\Windows\\System32\\vsstrace.dll" (normalized: "c:\\windows\\system32\\vsstrace.dll") Region: id = 1113 start_va = 0x7fef7ea0000 end_va = 0x7fef804ffff entry_point = 0x7fef7ea0000 region_type = mapped_file name = "vssapi.dll" filename = "\\Windows\\System32\\vssapi.dll" (normalized: "c:\\windows\\system32\\vssapi.dll") Region: id = 1114 start_va = 0x7fef80c0000 end_va = 0x7fef80effff entry_point = 0x7fef80c0000 region_type = mapped_file name = "cryptsvc.dll" filename = "\\Windows\\System32\\cryptsvc.dll" (normalized: "c:\\windows\\system32\\cryptsvc.dll") Region: id = 1115 start_va = 0x7fef81c0000 end_va = 0x7fef81dffff entry_point = 0x7fef81c0000 region_type = mapped_file name = "wkssvc.dll" filename = "\\Windows\\System32\\wkssvc.dll" (normalized: "c:\\windows\\system32\\wkssvc.dll") Region: id = 1116 start_va = 0x7fefaef0000 end_va = 0x7fefaf07fff entry_point = 0x7fefaef0000 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll") Region: id = 1117 start_va = 0x7fefaf10000 end_va = 0x7fefaf20fff entry_point = 0x7fefaf10000 region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll") Region: id = 1118 start_va = 0x7fefafd0000 end_va = 0x7fefafd6fff entry_point = 0x7fefafd0000 region_type = mapped_file name = "dnsext.dll" filename = "\\Windows\\System32\\dnsext.dll" (normalized: "c:\\windows\\system32\\dnsext.dll") Region: id = 1119 start_va = 0x7fefafe0000 end_va = 0x7fefb032fff entry_point = 0x7fefafe0000 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 1120 start_va = 0x7fefb040000 end_va = 0x7fefb06ffff entry_point = 0x7fefb040000 region_type = mapped_file name = "dnsrslvr.dll" filename = "\\Windows\\System32\\dnsrslvr.dll" (normalized: "c:\\windows\\system32\\dnsrslvr.dll") Region: id = 1121 start_va = 0x7fefb130000 end_va = 0x7fefb13afff entry_point = 0x7fefb130000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 1122 start_va = 0x7fefb140000 end_va = 0x7fefb166fff entry_point = 0x7fefb140000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 1123 start_va = 0x7fefb1c0000 end_va = 0x7fefb226fff entry_point = 0x7fefb1c0000 region_type = mapped_file name = "es.dll" filename = "\\Windows\\System32\\es.dll" (normalized: "c:\\windows\\system32\\es.dll") Region: id = 1124 start_va = 0x7fefb260000 end_va = 0x7fefb278fff entry_point = 0x7fefb260000 region_type = mapped_file name = "atl.dll" filename = "\\Windows\\System32\\atl.dll" (normalized: "c:\\windows\\system32\\atl.dll") Region: id = 1125 start_va = 0x7fefb890000 end_va = 0x7fefb8a3fff entry_point = 0x7fefb890000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 1126 start_va = 0x7fefb8b0000 end_va = 0x7fefb8c4fff entry_point = 0x7fefb8b0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 1127 start_va = 0x7fefb8d0000 end_va = 0x7fefb8dbfff entry_point = 0x7fefb8d0000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 1128 start_va = 0x7fefba10000 end_va = 0x7fefba20fff entry_point = 0x7fefba10000 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 1129 start_va = 0x7fefbff0000 end_va = 0x7fefc00cfff entry_point = 0x7fefbff0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 1130 start_va = 0x7fefc540000 end_va = 0x7fefc66bfff entry_point = 0x7fefc540000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 1131 start_va = 0x7fefca40000 end_va = 0x7fefca46fff entry_point = 0x7fefca40000 region_type = mapped_file name = "wshtcpip.dll" filename = "\\Windows\\System32\\WSHTCPIP.DLL" (normalized: "c:\\windows\\system32\\wshtcpip.dll") Region: id = 1132 start_va = 0x7fefcb30000 end_va = 0x7fefcb4afff entry_point = 0x7fefcb30000 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll") Region: id = 1133 start_va = 0x7fefcb50000 end_va = 0x7fefcb6dfff entry_point = 0x7fefcb50000 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 1134 start_va = 0x7fefcca0000 end_va = 0x7fefcca9fff entry_point = 0x7fefcca0000 region_type = mapped_file name = "credssp.dll" filename = "\\Windows\\System32\\credssp.dll" (normalized: "c:\\windows\\system32\\credssp.dll") Region: id = 1135 start_va = 0x7fefcce0000 end_va = 0x7fefcd2bfff entry_point = 0x7fefcce0000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 1136 start_va = 0x7fefcda0000 end_va = 0x7fefcde6fff entry_point = 0x7fefcda0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 1137 start_va = 0x7fefcec0000 end_va = 0x7fefcf1afff entry_point = 0x7fefcec0000 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 1138 start_va = 0x7fefd030000 end_va = 0x7fefd036fff entry_point = 0x7fefd030000 region_type = mapped_file name = "wship6.dll" filename = "\\Windows\\System32\\wship6.dll" (normalized: "c:\\windows\\system32\\wship6.dll") Region: id = 1139 start_va = 0x7fefd040000 end_va = 0x7fefd094fff entry_point = 0x7fefd040000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 1140 start_va = 0x7fefd0a0000 end_va = 0x7fefd0b6fff entry_point = 0x7fefd0a0000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 1141 start_va = 0x7fefd1b0000 end_va = 0x7fefd1e1fff entry_point = 0x7fefd1b0000 region_type = mapped_file name = "netjoin.dll" filename = "\\Windows\\System32\\netjoin.dll" (normalized: "c:\\windows\\system32\\netjoin.dll") Region: id = 1142 start_va = 0x7fefd210000 end_va = 0x7fefd231fff entry_point = 0x7fefd210000 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 1143 start_va = 0x7fefd2d0000 end_va = 0x7fefd33cfff entry_point = 0x7fefd2d0000 region_type = mapped_file name = "wevtapi.dll" filename = "\\Windows\\System32\\wevtapi.dll" (normalized: "c:\\windows\\system32\\wevtapi.dll") Region: id = 1144 start_va = 0x7fefd640000 end_va = 0x7fefd64afff entry_point = 0x7fefd640000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 1145 start_va = 0x7fefd670000 end_va = 0x7fefd694fff entry_point = 0x7fefd670000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 1146 start_va = 0x7fefd6a0000 end_va = 0x7fefd6aefff entry_point = 0x7fefd6a0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 1147 start_va = 0x7fefd750000 end_va = 0x7fefd78cfff entry_point = 0x7fefd750000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 1148 start_va = 0x7fefd790000 end_va = 0x7fefd7a3fff entry_point = 0x7fefd790000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 1149 start_va = 0x7fefd7b0000 end_va = 0x7fefd7befff entry_point = 0x7fefd7b0000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 1150 start_va = 0x7fefd850000 end_va = 0x7fefd85efff entry_point = 0x7fefd850000 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 1151 start_va = 0x7fefd900000 end_va = 0x7fefd96afff entry_point = 0x7fefd900000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1152 start_va = 0x7fefd990000 end_va = 0x7fefdaf6fff entry_point = 0x7fefd990000 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 1153 start_va = 0x7fefdb00000 end_va = 0x7fefdb35fff entry_point = 0x7fefdb00000 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 1154 start_va = 0x7fefdb80000 end_va = 0x7fefdc48fff entry_point = 0x7fefdb80000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 1155 start_va = 0x7fefdc50000 end_va = 0x7fefdd26fff entry_point = 0x7fefdc50000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 1156 start_va = 0x7fefdd30000 end_va = 0x7fefdd3dfff entry_point = 0x7fefdd30000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 1157 start_va = 0x7fefdd40000 end_va = 0x7fefdd6dfff entry_point = 0x7fefdd40000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1158 start_va = 0x7fefdef0000 end_va = 0x7fefdef7fff entry_point = 0x7fefdef0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 1159 start_va = 0x7fefed10000 end_va = 0x7fefed76fff entry_point = 0x7fefed10000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1160 start_va = 0x7fefed80000 end_va = 0x7fefee88fff entry_point = 0x7fefed80000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 1161 start_va = 0x7feff0f0000 end_va = 0x7feff1cafff entry_point = 0x7feff0f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 1162 start_va = 0x7feff1d0000 end_va = 0x7feff2fcfff entry_point = 0x7feff1d0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1163 start_va = 0x7feff4e0000 end_va = 0x7feff550fff entry_point = 0x7feff4e0000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 1164 start_va = 0x7feff560000 end_va = 0x7feff5f8fff entry_point = 0x7feff560000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 1165 start_va = 0x7feff850000 end_va = 0x7feff86efff entry_point = 0x7feff850000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1166 start_va = 0x7feff870000 end_va = 0x7feffa72fff entry_point = 0x7feff870000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 1167 start_va = 0x7feffa80000 end_va = 0x7feffb1efff entry_point = 0x7feffa80000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1168 start_va = 0x7feffb20000 end_va = 0x7feffb6cfff entry_point = 0x7feffb20000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 1169 start_va = 0x7feffb80000 end_va = 0x7feffb80fff entry_point = 0x7feffb80000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 1170 start_va = 0x7fffff94000 end_va = 0x7fffff95fff entry_point = 0x0 region_type = private name = "private_0x000007fffff94000" filename = "" Region: id = 1171 start_va = 0x7fffff96000 end_va = 0x7fffff97fff entry_point = 0x0 region_type = private name = "private_0x000007fffff96000" filename = "" Region: id = 1172 start_va = 0x7fffff98000 end_va = 0x7fffff99fff entry_point = 0x0 region_type = private name = "private_0x000007fffff98000" filename = "" Region: id = 1173 start_va = 0x7fffff9a000 end_va = 0x7fffff9bfff entry_point = 0x0 region_type = private name = "private_0x000007fffff9a000" filename = "" Region: id = 1174 start_va = 0x7fffff9c000 end_va = 0x7fffff9dfff entry_point = 0x0 region_type = private name = "private_0x000007fffff9c000" filename = "" Region: id = 1175 start_va = 0x7fffff9e000 end_va = 0x7fffff9ffff entry_point = 0x0 region_type = private name = "private_0x000007fffff9e000" filename = "" Region: id = 1176 start_va = 0x7fffffa0000 end_va = 0x7fffffa1fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa0000" filename = "" Region: id = 1177 start_va = 0x7fffffa2000 end_va = 0x7fffffa3fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa2000" filename = "" Region: id = 1178 start_va = 0x7fffffa6000 end_va = 0x7fffffa7fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa6000" filename = "" Region: id = 1179 start_va = 0x7fffffaa000 end_va = 0x7fffffabfff entry_point = 0x0 region_type = private name = "private_0x000007fffffaa000" filename = "" Region: id = 1180 start_va = 0x7fffffac000 end_va = 0x7fffffadfff entry_point = 0x0 region_type = private name = "private_0x000007fffffac000" filename = "" Region: id = 1181 start_va = 0x7fffffae000 end_va = 0x7fffffaffff entry_point = 0x0 region_type = private name = "private_0x000007fffffae000" filename = "" Region: id = 1182 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 1183 start_va = 0x7fffffd3000 end_va = 0x7fffffd4fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd3000" filename = "" Region: id = 1184 start_va = 0x7fffffd5000 end_va = 0x7fffffd5fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd5000" filename = "" Region: id = 1185 start_va = 0x7fffffd6000 end_va = 0x7fffffd7fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd6000" filename = "" Region: id = 1186 start_va = 0x7fffffd8000 end_va = 0x7fffffd9fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd8000" filename = "" Region: id = 1187 start_va = 0x7fffffda000 end_va = 0x7fffffdbfff entry_point = 0x0 region_type = private name = "private_0x000007fffffda000" filename = "" Region: id = 1188 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 1189 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Thread: id = 210 os_tid = 0x8b4 Thread: id = 211 os_tid = 0x840 Thread: id = 212 os_tid = 0x7a4 Thread: id = 213 os_tid = 0x7a0 Thread: id = 214 os_tid = 0x798 Thread: id = 215 os_tid = 0x794 Thread: id = 216 os_tid = 0x744 Thread: id = 217 os_tid = 0x674 Thread: id = 218 os_tid = 0x654 Thread: id = 219 os_tid = 0x608 Thread: id = 220 os_tid = 0x5e8 Thread: id = 221 os_tid = 0x41c Thread: id = 222 os_tid = 0x418 Thread: id = 223 os_tid = 0x414 Thread: id = 224 os_tid = 0x3d8 Thread: id = 225 os_tid = 0x370 Thread: id = 226 os_tid = 0x2b0 Thread: id = 227 os_tid = 0x290 Thread: id = 307 os_tid = 0xa70 Thread: id = 432 os_tid = 0x4b4 Thread: id = 441 os_tid = 0x918 Thread: id = 442 os_tid = 0x8b8 Process: id = "13" image_name = "spoolsv.exe" filename = "c:\\windows\\system32\\spoolsv.exe" page_root = "0x5cb7000" os_pid = "0x4a8" os_integrity_level = "0x4000" os_privileges = "0x20a00080" monitor_reason = "child_process" parent_id = "5" os_parent_pid = "0x1d4" cmd_line = "C:\\Windows\\System32\\spoolsv.exe" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\Spooler" [0xe], "NT AUTHORITY\\Logon Session 00000000:00010c67" [0xc000000f], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Region: id = 2915 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 2916 start_va = 0x20000 end_va = 0x26fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 2917 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 2918 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 2919 start_va = 0x50000 end_va = 0x51fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 2920 start_va = 0x60000 end_va = 0x60fff entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 2921 start_va = 0x70000 end_va = 0xaffff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 2922 start_va = 0xb0000 end_va = 0x116fff entry_point = 0xb0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2923 start_va = 0x120000 end_va = 0x120fff entry_point = 0x0 region_type = private name = "private_0x0000000000120000" filename = "" Region: id = 2924 start_va = 0x130000 end_va = 0x130fff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 2925 start_va = 0x150000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 2926 start_va = 0x200000 end_va = 0x20ffff entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 2927 start_va = 0x210000 end_va = 0x30ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 2928 start_va = 0x310000 end_va = 0x40ffff entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 2929 start_va = 0x410000 end_va = 0x597fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 2930 start_va = 0x5a0000 end_va = 0x720fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005a0000" filename = "" Region: id = 2931 start_va = 0x730000 end_va = 0x1b2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000730000" filename = "" Region: id = 2932 start_va = 0x1b30000 end_va = 0x1f22fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b30000" filename = "" Region: id = 2933 start_va = 0x1f30000 end_va = 0x1f6ffff entry_point = 0x0 region_type = private name = "private_0x0000000001f30000" filename = "" Region: id = 2934 start_va = 0x1f90000 end_va = 0x1fcffff entry_point = 0x0 region_type = private name = "private_0x0000000001f90000" filename = "" Region: id = 2935 start_va = 0x2060000 end_va = 0x20dffff entry_point = 0x0 region_type = private name = "private_0x0000000002060000" filename = "" Region: id = 2936 start_va = 0x2180000 end_va = 0x21bffff entry_point = 0x0 region_type = private name = "private_0x0000000002180000" filename = "" Region: id = 2937 start_va = 0x2230000 end_va = 0x22affff entry_point = 0x0 region_type = private name = "private_0x0000000002230000" filename = "" Region: id = 2938 start_va = 0x23d0000 end_va = 0x23dffff entry_point = 0x0 region_type = private name = "private_0x00000000023d0000" filename = "" Region: id = 2939 start_va = 0x77640000 end_va = 0x77739fff entry_point = 0x77640000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 2940 start_va = 0x77740000 end_va = 0x7785efff entry_point = 0x77740000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 2941 start_va = 0x77860000 end_va = 0x77a08fff entry_point = 0x77860000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2942 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 2943 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 2944 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2945 start_va = 0xff0c0000 end_va = 0xff14bfff entry_point = 0xff0c0000 region_type = mapped_file name = "spoolsv.exe" filename = "\\Windows\\System32\\spoolsv.exe" (normalized: "c:\\windows\\system32\\spoolsv.exe") Region: id = 2946 start_va = 0x7fefb230000 end_va = 0x7fefb23afff entry_point = 0x7fefb230000 region_type = mapped_file name = "slc.dll" filename = "\\Windows\\System32\\slc.dll" (normalized: "c:\\windows\\system32\\slc.dll") Region: id = 2947 start_va = 0x7fefc6c0000 end_va = 0x7fefc6ebfff entry_point = 0x7fefc6c0000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 2948 start_va = 0x7fefcca0000 end_va = 0x7fefcca9fff entry_point = 0x7fefcca0000 region_type = mapped_file name = "credssp.dll" filename = "\\Windows\\System32\\credssp.dll" (normalized: "c:\\windows\\system32\\credssp.dll") Region: id = 2949 start_va = 0x7fefcec0000 end_va = 0x7fefcf1afff entry_point = 0x7fefcec0000 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 2950 start_va = 0x7fefd640000 end_va = 0x7fefd64afff entry_point = 0x7fefd640000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 2951 start_va = 0x7fefd670000 end_va = 0x7fefd694fff entry_point = 0x7fefd670000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 2952 start_va = 0x7fefd6a0000 end_va = 0x7fefd6aefff entry_point = 0x7fefd6a0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 2953 start_va = 0x7fefd790000 end_va = 0x7fefd7a3fff entry_point = 0x7fefd790000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 2954 start_va = 0x7fefd900000 end_va = 0x7fefd96afff entry_point = 0x7fefd900000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 2955 start_va = 0x7fefd970000 end_va = 0x7fefd989fff entry_point = 0x7fefd970000 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 2956 start_va = 0x7fefdb00000 end_va = 0x7fefdb35fff entry_point = 0x7fefdb00000 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 2957 start_va = 0x7fefdb80000 end_va = 0x7fefdc48fff entry_point = 0x7fefdb80000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 2958 start_va = 0x7fefdc50000 end_va = 0x7fefdd26fff entry_point = 0x7fefdc50000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 2959 start_va = 0x7fefdd30000 end_va = 0x7fefdd3dfff entry_point = 0x7fefdd30000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 2960 start_va = 0x7fefdd40000 end_va = 0x7fefdd6dfff entry_point = 0x7fefdd40000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2961 start_va = 0x7fefdef0000 end_va = 0x7fefdef7fff entry_point = 0x7fefdef0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 2962 start_va = 0x7fefed10000 end_va = 0x7fefed76fff entry_point = 0x7fefed10000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 2963 start_va = 0x7fefed80000 end_va = 0x7fefee88fff entry_point = 0x7fefed80000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 2964 start_va = 0x7feff0f0000 end_va = 0x7feff1cafff entry_point = 0x7feff0f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 2965 start_va = 0x7feff1d0000 end_va = 0x7feff2fcfff entry_point = 0x7feff1d0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 2966 start_va = 0x7feff300000 end_va = 0x7feff4d6fff entry_point = 0x7feff300000 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll") Region: id = 2967 start_va = 0x7feff850000 end_va = 0x7feff86efff entry_point = 0x7feff850000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 2968 start_va = 0x7feff870000 end_va = 0x7feffa72fff entry_point = 0x7feff870000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 2969 start_va = 0x7feffa80000 end_va = 0x7feffb1efff entry_point = 0x7feffa80000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 2970 start_va = 0x7feffb20000 end_va = 0x7feffb6cfff entry_point = 0x7feffb20000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 2971 start_va = 0x7feffb80000 end_va = 0x7feffb80fff entry_point = 0x7feffb80000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 2972 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 2973 start_va = 0x7fffffd3000 end_va = 0x7fffffd4fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd3000" filename = "" Region: id = 2974 start_va = 0x7fffffd5000 end_va = 0x7fffffd6fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd5000" filename = "" Region: id = 2975 start_va = 0x7fffffd7000 end_va = 0x7fffffd8fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd7000" filename = "" Region: id = 2976 start_va = 0x7fffffd9000 end_va = 0x7fffffdafff entry_point = 0x0 region_type = private name = "private_0x000007fffffd9000" filename = "" Region: id = 2977 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 2978 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 3021 start_va = 0x140000 end_va = 0x140fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000140000" filename = "" Region: id = 3022 start_va = 0x190000 end_va = 0x190fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 3023 start_va = 0x1fd0000 end_va = 0x200ffff entry_point = 0x0 region_type = private name = "private_0x0000000001fd0000" filename = "" Region: id = 3024 start_va = 0x23e0000 end_va = 0x26aefff entry_point = 0x23e0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 3025 start_va = 0x2810000 end_va = 0x288ffff entry_point = 0x0 region_type = private name = "private_0x0000000002810000" filename = "" Region: id = 3026 start_va = 0x7fef6be0000 end_va = 0x7fef6bf2fff entry_point = 0x7fef6be0000 region_type = mapped_file name = "umb.dll" filename = "\\Windows\\System32\\umb.dll" (normalized: "c:\\windows\\system32\\umb.dll") Region: id = 3027 start_va = 0x7fef6d60000 end_va = 0x7fef6d67fff entry_point = 0x7fef6d60000 region_type = mapped_file name = "rasadhlp.dll" filename = "\\Windows\\System32\\rasadhlp.dll" (normalized: "c:\\windows\\system32\\rasadhlp.dll") Region: id = 3028 start_va = 0x7fefafe0000 end_va = 0x7fefb032fff entry_point = 0x7fefafe0000 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 3029 start_va = 0x7fefb130000 end_va = 0x7fefb13afff entry_point = 0x7fefb130000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 3030 start_va = 0x7fefb140000 end_va = 0x7fefb166fff entry_point = 0x7fefb140000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 3031 start_va = 0x7fefb260000 end_va = 0x7fefb278fff entry_point = 0x7fefb260000 region_type = mapped_file name = "atl.dll" filename = "\\Windows\\System32\\atl.dll" (normalized: "c:\\windows\\system32\\atl.dll") Region: id = 3032 start_va = 0x7fefca40000 end_va = 0x7fefca46fff entry_point = 0x7fefca40000 region_type = mapped_file name = "wshtcpip.dll" filename = "\\Windows\\System32\\WSHTCPIP.DLL" (normalized: "c:\\windows\\system32\\wshtcpip.dll") Region: id = 3033 start_va = 0x7fefd030000 end_va = 0x7fefd036fff entry_point = 0x7fefd030000 region_type = mapped_file name = "wship6.dll" filename = "\\Windows\\System32\\wship6.dll" (normalized: "c:\\windows\\system32\\wship6.dll") Region: id = 3034 start_va = 0x7fefd040000 end_va = 0x7fefd094fff entry_point = 0x7fefd040000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 3035 start_va = 0x7feff560000 end_va = 0x7feff5f8fff entry_point = 0x7feff560000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 3036 start_va = 0x7fffffdb000 end_va = 0x7fffffdcfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdb000" filename = "" Region: id = 3037 start_va = 0x7fefd850000 end_va = 0x7fefd85efff entry_point = 0x7fefd850000 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 3038 start_va = 0x7fefd990000 end_va = 0x7fefdaf6fff entry_point = 0x7fefd990000 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 3039 start_va = 0x7fefdb40000 end_va = 0x7fefdb79fff entry_point = 0x7fefdb40000 region_type = mapped_file name = "wintrust.dll" filename = "\\Windows\\System32\\wintrust.dll" (normalized: "c:\\windows\\system32\\wintrust.dll") Region: id = 3040 start_va = 0x7fef43a0000 end_va = 0x7fef448dfff entry_point = 0x7fef43a0000 region_type = mapped_file name = "localspl.dll" filename = "\\Windows\\System32\\localspl.dll" (normalized: "c:\\windows\\system32\\localspl.dll") Region: id = 3041 start_va = 0x7fef4bb0000 end_va = 0x7fef4bc1fff entry_point = 0x7fef4bb0000 region_type = mapped_file name = "spoolss.dll" filename = "\\Windows\\System32\\spoolss.dll" (normalized: "c:\\windows\\system32\\spoolss.dll") Region: id = 3042 start_va = 0x7fefd5a0000 end_va = 0x7fefd5c2fff entry_point = 0x7fefd5a0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 3043 start_va = 0x29b0000 end_va = 0x2a2ffff entry_point = 0x0 region_type = private name = "private_0x00000000029b0000" filename = "" Region: id = 3044 start_va = 0x7fef6930000 end_va = 0x7fef69a0fff entry_point = 0x7fef6930000 region_type = mapped_file name = "winspool.drv" filename = "\\Windows\\System32\\winspool.drv" (normalized: "c:\\windows\\system32\\winspool.drv") Region: id = 3045 start_va = 0x22b0000 end_va = 0x23b0fff entry_point = 0x0 region_type = private name = "private_0x00000000022b0000" filename = "" Region: id = 3046 start_va = 0x27d0000 end_va = 0x27dffff entry_point = 0x0 region_type = private name = "private_0x00000000027d0000" filename = "" Region: id = 3047 start_va = 0x7fef9020000 end_va = 0x7fef902ffff entry_point = 0x7fef9020000 region_type = mapped_file name = "printisolationproxy.dll" filename = "\\Windows\\System32\\PrintIsolationProxy.dll" (normalized: "c:\\windows\\system32\\printisolationproxy.dll") Region: id = 3048 start_va = 0x7fef6bd0000 end_va = 0x7fef6bddfff entry_point = 0x7fef6bd0000 region_type = mapped_file name = "fxsmon.dll" filename = "\\Windows\\System32\\FXSMON.dll" (normalized: "c:\\windows\\system32\\fxsmon.dll") Region: id = 3049 start_va = 0x26b0000 end_va = 0x27affff entry_point = 0x0 region_type = private name = "private_0x00000000026b0000" filename = "" Region: id = 3050 start_va = 0x7fef4ab0000 end_va = 0x7fef4ae3fff entry_point = 0x7fef4ab0000 region_type = mapped_file name = "tcpmon.dll" filename = "\\Windows\\System32\\tcpmon.dll" (normalized: "c:\\windows\\system32\\tcpmon.dll") Region: id = 3051 start_va = 0x7fef4b80000 end_va = 0x7fef4b93fff entry_point = 0x7fef4b80000 region_type = mapped_file name = "wsnmp32.dll" filename = "\\Windows\\System32\\wsnmp32.dll" (normalized: "c:\\windows\\system32\\wsnmp32.dll") Region: id = 3052 start_va = 0x7fef4ba0000 end_va = 0x7fef4baafff entry_point = 0x7fef4ba0000 region_type = mapped_file name = "snmpapi.dll" filename = "\\Windows\\System32\\snmpapi.dll" (normalized: "c:\\windows\\system32\\snmpapi.dll") Region: id = 3053 start_va = 0x7fef4c30000 end_va = 0x7fef4e21fff entry_point = 0x7fef4c30000 region_type = mapped_file name = "msxml6.dll" filename = "\\Windows\\System32\\msxml6.dll" (normalized: "c:\\windows\\system32\\msxml6.dll") Region: id = 3054 start_va = 0x7feff4e0000 end_va = 0x7feff550fff entry_point = 0x7feff4e0000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 3055 start_va = 0x1a0000 end_va = 0x1a0fff entry_point = 0x1a0000 region_type = mapped_file name = "msxml6r.dll" filename = "\\Windows\\System32\\msxml6r.dll" (normalized: "c:\\windows\\system32\\msxml6r.dll") Region: id = 3056 start_va = 0x1b0000 end_va = 0x1cffff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 3057 start_va = 0x2920000 end_va = 0x299ffff entry_point = 0x0 region_type = private name = "private_0x0000000002920000" filename = "" Region: id = 3058 start_va = 0x2ae0000 end_va = 0x2b5ffff entry_point = 0x0 region_type = private name = "private_0x0000000002ae0000" filename = "" Region: id = 3059 start_va = 0x2bf0000 end_va = 0x2c6ffff entry_point = 0x0 region_type = private name = "private_0x0000000002bf0000" filename = "" Region: id = 3060 start_va = 0x2c70000 end_va = 0x2d2ffff entry_point = 0x2c70000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 3061 start_va = 0x2d30000 end_va = 0x312ffff entry_point = 0x0 region_type = private name = "private_0x0000000002d30000" filename = "" Region: id = 3062 start_va = 0x7fef4a30000 end_va = 0x7fef4a3efff entry_point = 0x7fef4a30000 region_type = mapped_file name = "usbmon.dll" filename = "\\Windows\\System32\\usbmon.dll" (normalized: "c:\\windows\\system32\\usbmon.dll") Region: id = 3063 start_va = 0x2a60000 end_va = 0x2a9ffff entry_point = 0x0 region_type = private name = "private_0x0000000002a60000" filename = "" Region: id = 3064 start_va = 0x7fef4a20000 end_va = 0x7fef4a26fff entry_point = 0x7fef4a20000 region_type = mapped_file name = "wls0wndh.dll" filename = "\\Windows\\System32\\WlS0WndH.dll" (normalized: "c:\\windows\\system32\\wls0wndh.dll") Region: id = 3065 start_va = 0x7fffffae000 end_va = 0x7fffffaffff entry_point = 0x0 region_type = private name = "private_0x000007fffffae000" filename = "" Region: id = 3076 start_va = 0x7fef4050000 end_va = 0x7fef416efff entry_point = 0x7fef4050000 region_type = mapped_file name = "webservices.dll" filename = "\\Windows\\System32\\webservices.dll" (normalized: "c:\\windows\\system32\\webservices.dll") Region: id = 3077 start_va = 0x7fef4170000 end_va = 0x7fef4200fff entry_point = 0x7fef4170000 region_type = mapped_file name = "wsdapi.dll" filename = "\\Windows\\System32\\WSDApi.dll" (normalized: "c:\\windows\\system32\\wsdapi.dll") Region: id = 3078 start_va = 0x7fef4210000 end_va = 0x7fef4249fff entry_point = 0x7fef4210000 region_type = mapped_file name = "wsdmon.dll" filename = "\\Windows\\System32\\WSDMon.dll" (normalized: "c:\\windows\\system32\\wsdmon.dll") Region: id = 3079 start_va = 0x7fefc970000 end_va = 0x7fefc97bfff entry_point = 0x7fefc970000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 3080 start_va = 0x7fefc980000 end_va = 0x7fefca3afff entry_point = 0x7fefc980000 region_type = mapped_file name = "firewallapi.dll" filename = "\\Windows\\System32\\FirewallAPI.dll" (normalized: "c:\\windows\\system32\\firewallapi.dll") Region: id = 3081 start_va = 0x28c0000 end_va = 0x28fffff entry_point = 0x0 region_type = private name = "private_0x00000000028c0000" filename = "" Region: id = 3082 start_va = 0x7fef4010000 end_va = 0x7fef4042fff entry_point = 0x7fef4010000 region_type = mapped_file name = "fundisc.dll" filename = "\\Windows\\System32\\fundisc.dll" (normalized: "c:\\windows\\system32\\fundisc.dll") Region: id = 3083 start_va = 0x7fffffac000 end_va = 0x7fffffadfff entry_point = 0x0 region_type = private name = "private_0x000007fffffac000" filename = "" Region: id = 3084 start_va = 0x31b0000 end_va = 0x31effff entry_point = 0x0 region_type = private name = "private_0x00000000031b0000" filename = "" Region: id = 3085 start_va = 0x7fef4a10000 end_va = 0x7fef4a1ffff entry_point = 0x7fef4a10000 region_type = mapped_file name = "fdpnp.dll" filename = "\\Windows\\System32\\fdPnp.dll" (normalized: "c:\\windows\\system32\\fdpnp.dll") Region: id = 3086 start_va = 0x7fffffaa000 end_va = 0x7fffffabfff entry_point = 0x0 region_type = private name = "private_0x000007fffffaa000" filename = "" Region: id = 3087 start_va = 0x2010000 end_va = 0x204ffff entry_point = 0x0 region_type = private name = "private_0x0000000002010000" filename = "" Region: id = 3088 start_va = 0x2ba0000 end_va = 0x2bdffff entry_point = 0x0 region_type = private name = "private_0x0000000002ba0000" filename = "" Region: id = 3089 start_va = 0x3210000 end_va = 0x324ffff entry_point = 0x0 region_type = private name = "private_0x0000000003210000" filename = "" Region: id = 3090 start_va = 0x3250000 end_va = 0x334ffff entry_point = 0x0 region_type = private name = "private_0x0000000003250000" filename = "" Region: id = 3091 start_va = 0x3370000 end_va = 0x337ffff entry_point = 0x0 region_type = private name = "private_0x0000000003370000" filename = "" Region: id = 3092 start_va = 0x7fef4a00000 end_va = 0x7fef4a0dfff entry_point = 0x7fef4a00000 region_type = mapped_file name = "winprint.dll" filename = "\\Windows\\System32\\spool\\prtprocs\\x64\\winprint.dll" (normalized: "c:\\windows\\system32\\spool\\prtprocs\\x64\\winprint.dll") Region: id = 3093 start_va = 0x7fffffa4000 end_va = 0x7fffffa5fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa4000" filename = "" Region: id = 3094 start_va = 0x7fffffa6000 end_va = 0x7fffffa7fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa6000" filename = "" Region: id = 3095 start_va = 0x7fffffa8000 end_va = 0x7fffffa9fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa8000" filename = "" Region: id = 3096 start_va = 0x7fefcb30000 end_va = 0x7fefcb4afff entry_point = 0x7fefcb30000 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll") Region: id = 3097 start_va = 0x7fefcb50000 end_va = 0x7fefcb6dfff entry_point = 0x7fefcb50000 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 3098 start_va = 0x7fefd7b0000 end_va = 0x7fefd7befff entry_point = 0x7fefd7b0000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 3099 start_va = 0x3160000 end_va = 0x319ffff entry_point = 0x0 region_type = private name = "private_0x0000000003160000" filename = "" Region: id = 3100 start_va = 0x7fefb240000 end_va = 0x7fefb24bfff entry_point = 0x7fefb240000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 3101 start_va = 0x7fffffa2000 end_va = 0x7fffffa3fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa2000" filename = "" Region: id = 3102 start_va = 0x33b0000 end_va = 0x33effff entry_point = 0x0 region_type = private name = "private_0x00000000033b0000" filename = "" Region: id = 3103 start_va = 0x3460000 end_va = 0x349ffff entry_point = 0x0 region_type = private name = "private_0x0000000003460000" filename = "" Region: id = 3104 start_va = 0x7fef3f50000 end_va = 0x7fef400cfff entry_point = 0x7fef3f50000 region_type = mapped_file name = "win32spl.dll" filename = "\\Windows\\System32\\win32spl.dll" (normalized: "c:\\windows\\system32\\win32spl.dll") Region: id = 3105 start_va = 0x7fffff9e000 end_va = 0x7fffff9ffff entry_point = 0x0 region_type = private name = "private_0x000007fffff9e000" filename = "" Region: id = 3106 start_va = 0x7fffffa0000 end_va = 0x7fffffa1fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa0000" filename = "" Region: id = 3107 start_va = 0x7fefcb70000 end_va = 0x7fefcb81fff entry_point = 0x7fefcb70000 region_type = mapped_file name = "devrtl.dll" filename = "\\Windows\\System32\\devrtl.dll" (normalized: "c:\\windows\\system32\\devrtl.dll") Region: id = 3108 start_va = 0x7fefcb90000 end_va = 0x7fefcbaefff entry_point = 0x7fefcb90000 region_type = mapped_file name = "spinf.dll" filename = "\\Windows\\System32\\SPInf.dll" (normalized: "c:\\windows\\system32\\spinf.dll") Region: id = 3109 start_va = 0x7fef4370000 end_va = 0x7fef439cfff entry_point = 0x7fef4370000 region_type = mapped_file name = "inetpp.dll" filename = "\\Windows\\System32\\inetpp.dll" (normalized: "c:\\windows\\system32\\inetpp.dll") Region: id = 3110 start_va = 0x2140000 end_va = 0x214ffff entry_point = 0x0 region_type = private name = "private_0x0000000002140000" filename = "" Region: id = 3111 start_va = 0x2b60000 end_va = 0x2b9ffff entry_point = 0x0 region_type = private name = "private_0x0000000002b60000" filename = "" Region: id = 3112 start_va = 0x7fef92d0000 end_va = 0x7fef92defff entry_point = 0x7fef92d0000 region_type = mapped_file name = "cscapi.dll" filename = "\\Windows\\System32\\cscapi.dll" (normalized: "c:\\windows\\system32\\cscapi.dll") Region: id = 3113 start_va = 0x7fffff9c000 end_va = 0x7fffff9dfff entry_point = 0x0 region_type = private name = "private_0x000007fffff9c000" filename = "" Region: id = 3114 start_va = 0x3210000 end_va = 0x324ffff entry_point = 0x0 region_type = private name = "private_0x0000000003210000" filename = "" Region: id = 3115 start_va = 0x34f0000 end_va = 0x352ffff entry_point = 0x0 region_type = private name = "private_0x00000000034f0000" filename = "" Region: id = 3116 start_va = 0x7fefb8d0000 end_va = 0x7fefb8dbfff entry_point = 0x7fefb8d0000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 3117 start_va = 0x7fefcda0000 end_va = 0x7fefcde6fff entry_point = 0x7fefcda0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 3118 start_va = 0x7fefd0a0000 end_va = 0x7fefd0b6fff entry_point = 0x7fefd0a0000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 3119 start_va = 0x7fefd750000 end_va = 0x7fefd78cfff entry_point = 0x7fefd750000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 3120 start_va = 0x7fffffa4000 end_va = 0x7fffffa5fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa4000" filename = "" Thread: id = 228 os_tid = 0x4cc Thread: id = 229 os_tid = 0x4c8 Thread: id = 230 os_tid = 0x4c0 Thread: id = 231 os_tid = 0x4bc Thread: id = 232 os_tid = 0x4b4 Thread: id = 233 os_tid = 0x4ac Thread: id = 361 os_tid = 0xbc0 Thread: id = 369 os_tid = 0xbe8 Thread: id = 370 os_tid = 0xbec Thread: id = 371 os_tid = 0xbf0 Thread: id = 372 os_tid = 0xbf4 Thread: id = 373 os_tid = 0xbf8 Thread: id = 374 os_tid = 0xbfc Thread: id = 375 os_tid = 0x804 Thread: id = 376 os_tid = 0x240 Thread: id = 377 os_tid = 0x304 Thread: id = 378 os_tid = 0x67c Thread: id = 379 os_tid = 0x600 Thread: id = 380 os_tid = 0x3b8 Thread: id = 381 os_tid = 0x3c8 Thread: id = 382 os_tid = 0x6b8 Thread: id = 433 os_tid = 0x528 Thread: id = 477 os_tid = 0x950 Process: id = "14" image_name = "taskhost.exe" filename = "c:\\windows\\system32\\taskhost.exe" page_root = "0x7cf000" os_pid = "0x4d0" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "5" os_parent_pid = "0x1d4" cmd_line = "\"taskhost.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e814" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1693 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1694 start_va = 0x20000 end_va = 0x26fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 1695 start_va = 0x30000 end_va = 0xaffff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 1696 start_va = 0xb0000 end_va = 0xb3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000b0000" filename = "" Region: id = 1697 start_va = 0xc0000 end_va = 0x126fff entry_point = 0xc0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1698 start_va = 0x130000 end_va = 0x131fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000130000" filename = "" Region: id = 1699 start_va = 0x140000 end_va = 0x140fff entry_point = 0x0 region_type = private name = "private_0x0000000000140000" filename = "" Region: id = 1700 start_va = 0x150000 end_va = 0x150fff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 1701 start_va = 0x160000 end_va = 0x16ffff entry_point = 0x0 region_type = private name = "private_0x0000000000160000" filename = "" Region: id = 1702 start_va = 0x170000 end_va = 0x170fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000170000" filename = "" Region: id = 1703 start_va = 0x180000 end_va = 0x180fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000180000" filename = "" Region: id = 1704 start_va = 0x190000 end_va = 0x191fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 1705 start_va = 0x1a0000 end_va = 0x1a1fff entry_point = 0x1a0000 region_type = mapped_file name = "msutb.dll.mui" filename = "\\Windows\\System32\\en-US\\msutb.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\msutb.dll.mui") Region: id = 1706 start_va = 0x1b0000 end_va = 0x22ffff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 1707 start_va = 0x230000 end_va = 0x32ffff entry_point = 0x0 region_type = private name = "private_0x0000000000230000" filename = "" Region: id = 1708 start_va = 0x330000 end_va = 0x42ffff entry_point = 0x0 region_type = private name = "private_0x0000000000330000" filename = "" Region: id = 1709 start_va = 0x430000 end_va = 0x5b7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000430000" filename = "" Region: id = 1710 start_va = 0x5c0000 end_va = 0x740fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005c0000" filename = "" Region: id = 1711 start_va = 0x750000 end_va = 0x1b4ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 1712 start_va = 0x1b50000 end_va = 0x1f42fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b50000" filename = "" Region: id = 1713 start_va = 0x1f50000 end_va = 0x202efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f50000" filename = "" Region: id = 1714 start_va = 0x2030000 end_va = 0x206ffff entry_point = 0x0 region_type = private name = "private_0x0000000002030000" filename = "" Region: id = 1715 start_va = 0x2070000 end_va = 0x2070fff entry_point = 0x0 region_type = private name = "private_0x0000000002070000" filename = "" Region: id = 1716 start_va = 0x2080000 end_va = 0x20fffff entry_point = 0x0 region_type = private name = "private_0x0000000002080000" filename = "" Region: id = 1717 start_va = 0x2100000 end_va = 0x2100fff entry_point = 0x0 region_type = private name = "private_0x0000000002100000" filename = "" Region: id = 1718 start_va = 0x2130000 end_va = 0x21affff entry_point = 0x0 region_type = private name = "private_0x0000000002130000" filename = "" Region: id = 1719 start_va = 0x21b0000 end_va = 0x226ffff entry_point = 0x21b0000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 1720 start_va = 0x2270000 end_va = 0x22effff entry_point = 0x0 region_type = private name = "private_0x0000000002270000" filename = "" Region: id = 1721 start_va = 0x2330000 end_va = 0x23affff entry_point = 0x0 region_type = private name = "private_0x0000000002330000" filename = "" Region: id = 1722 start_va = 0x23e0000 end_va = 0x245ffff entry_point = 0x0 region_type = private name = "private_0x00000000023e0000" filename = "" Region: id = 1723 start_va = 0x24a0000 end_va = 0x24affff entry_point = 0x0 region_type = private name = "private_0x00000000024a0000" filename = "" Region: id = 1724 start_va = 0x2620000 end_va = 0x269ffff entry_point = 0x0 region_type = private name = "private_0x0000000002620000" filename = "" Region: id = 1725 start_va = 0x26a0000 end_va = 0x271ffff entry_point = 0x0 region_type = private name = "private_0x00000000026a0000" filename = "" Region: id = 1726 start_va = 0x2720000 end_va = 0x279ffff entry_point = 0x0 region_type = private name = "private_0x0000000002720000" filename = "" Region: id = 1727 start_va = 0x27f0000 end_va = 0x286ffff entry_point = 0x0 region_type = private name = "private_0x00000000027f0000" filename = "" Region: id = 1728 start_va = 0x28b0000 end_va = 0x292ffff entry_point = 0x0 region_type = private name = "private_0x00000000028b0000" filename = "" Region: id = 1729 start_va = 0x2930000 end_va = 0x2bfefff entry_point = 0x2930000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1730 start_va = 0x2c60000 end_va = 0x2cdffff entry_point = 0x0 region_type = private name = "private_0x0000000002c60000" filename = "" Region: id = 1731 start_va = 0x2d80000 end_va = 0x2dfffff entry_point = 0x0 region_type = private name = "private_0x0000000002d80000" filename = "" Region: id = 1732 start_va = 0x77640000 end_va = 0x77739fff entry_point = 0x77640000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1733 start_va = 0x77740000 end_va = 0x7785efff entry_point = 0x77740000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1734 start_va = 0x77860000 end_va = 0x77a08fff entry_point = 0x77860000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1735 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 1736 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 1737 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1738 start_va = 0xffe50000 end_va = 0xffe63fff entry_point = 0xffe50000 region_type = mapped_file name = "taskhost.exe" filename = "\\Windows\\System32\\taskhost.exe" (normalized: "c:\\windows\\system32\\taskhost.exe") Region: id = 1739 start_va = 0x7fef69e0000 end_va = 0x7fef69ebfff entry_point = 0x7fef69e0000 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\System32\\npmproxy.dll" (normalized: "c:\\windows\\system32\\npmproxy.dll") Region: id = 1740 start_va = 0x7fef6d50000 end_va = 0x7fef6d5dfff entry_point = 0x7fef6d50000 region_type = mapped_file name = "dimsjob.dll" filename = "\\Windows\\System32\\dimsjob.dll" (normalized: "c:\\windows\\system32\\dimsjob.dll") Region: id = 1741 start_va = 0x7fef6d70000 end_va = 0x7fef6de3fff entry_point = 0x7fef6d70000 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\System32\\netprofm.dll" (normalized: "c:\\windows\\system32\\netprofm.dll") Region: id = 1742 start_va = 0x7fef8180000 end_va = 0x7fef81bafff entry_point = 0x7fef8180000 region_type = mapped_file name = "winmm.dll" filename = "\\Windows\\System32\\winmm.dll" (normalized: "c:\\windows\\system32\\winmm.dll") Region: id = 1743 start_va = 0x7fef8be0000 end_va = 0x7fef8c1cfff entry_point = 0x7fef8be0000 region_type = mapped_file name = "msutb.dll" filename = "\\Windows\\System32\\msutb.dll" (normalized: "c:\\windows\\system32\\msutb.dll") Region: id = 1744 start_va = 0x7fef8c20000 end_va = 0x7fef8c2afff entry_point = 0x7fef8c20000 region_type = mapped_file name = "msctfmonitor.dll" filename = "\\Windows\\System32\\MsCtfMonitor.dll" (normalized: "c:\\windows\\system32\\msctfmonitor.dll") Region: id = 1745 start_va = 0x7fef8c30000 end_va = 0x7fef8c3afff entry_point = 0x7fef8c30000 region_type = mapped_file name = "hotstartuseragent.dll" filename = "\\Windows\\System32\\HotStartUserAgent.dll" (normalized: "c:\\windows\\system32\\hotstartuseragent.dll") Region: id = 1746 start_va = 0x7fef9170000 end_va = 0x7fef9187fff entry_point = 0x7fef9170000 region_type = mapped_file name = "playsndsrv.dll" filename = "\\Windows\\System32\\PlaySndSrv.dll" (normalized: "c:\\windows\\system32\\playsndsrv.dll") Region: id = 1747 start_va = 0x7fefb230000 end_va = 0x7fefb23afff entry_point = 0x7fefb230000 region_type = mapped_file name = "slc.dll" filename = "\\Windows\\System32\\slc.dll" (normalized: "c:\\windows\\system32\\slc.dll") Region: id = 1748 start_va = 0x7fefb240000 end_va = 0x7fefb24bfff entry_point = 0x7fefb240000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 1749 start_va = 0x7fefb300000 end_va = 0x7fefb314fff entry_point = 0x7fefb300000 region_type = mapped_file name = "nlaapi.dll" filename = "\\Windows\\System32\\nlaapi.dll" (normalized: "c:\\windows\\system32\\nlaapi.dll") Region: id = 1750 start_va = 0x7fefb3f0000 end_va = 0x7fefb516fff entry_point = 0x7fefb3f0000 region_type = mapped_file name = "taskschd.dll" filename = "\\Windows\\System32\\taskschd.dll" (normalized: "c:\\windows\\system32\\taskschd.dll") Region: id = 1751 start_va = 0x7fefba10000 end_va = 0x7fefba20fff entry_point = 0x7fefba10000 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 1752 start_va = 0x7fefbbb0000 end_va = 0x7fefbbc7fff entry_point = 0x7fefbbb0000 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Region: id = 1753 start_va = 0x7fefbf90000 end_va = 0x7fefbfe5fff entry_point = 0x7fefbf90000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 1754 start_va = 0x7fefcda0000 end_va = 0x7fefcde6fff entry_point = 0x7fefcda0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 1755 start_va = 0x7fefd0a0000 end_va = 0x7fefd0b6fff entry_point = 0x7fefd0a0000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 1756 start_va = 0x7fefd670000 end_va = 0x7fefd694fff entry_point = 0x7fefd670000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 1757 start_va = 0x7fefd6a0000 end_va = 0x7fefd6aefff entry_point = 0x7fefd6a0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 1758 start_va = 0x7fefd750000 end_va = 0x7fefd78cfff entry_point = 0x7fefd750000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 1759 start_va = 0x7fefd790000 end_va = 0x7fefd7a3fff entry_point = 0x7fefd790000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 1760 start_va = 0x7fefd900000 end_va = 0x7fefd96afff entry_point = 0x7fefd900000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1761 start_va = 0x7fefdb80000 end_va = 0x7fefdc48fff entry_point = 0x7fefdb80000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 1762 start_va = 0x7fefdc50000 end_va = 0x7fefdd26fff entry_point = 0x7fefdc50000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 1763 start_va = 0x7fefdd30000 end_va = 0x7fefdd3dfff entry_point = 0x7fefdd30000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 1764 start_va = 0x7fefdd40000 end_va = 0x7fefdd6dfff entry_point = 0x7fefdd40000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1765 start_va = 0x7fefdef0000 end_va = 0x7fefdef7fff entry_point = 0x7fefdef0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 1766 start_va = 0x7fefed10000 end_va = 0x7fefed76fff entry_point = 0x7fefed10000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1767 start_va = 0x7fefed80000 end_va = 0x7fefee88fff entry_point = 0x7fefed80000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 1768 start_va = 0x7feff0f0000 end_va = 0x7feff1cafff entry_point = 0x7feff0f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 1769 start_va = 0x7feff1d0000 end_va = 0x7feff2fcfff entry_point = 0x7feff1d0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1770 start_va = 0x7feff4e0000 end_va = 0x7feff550fff entry_point = 0x7feff4e0000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 1771 start_va = 0x7feff560000 end_va = 0x7feff5f8fff entry_point = 0x7feff560000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 1772 start_va = 0x7feff850000 end_va = 0x7feff86efff entry_point = 0x7feff850000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1773 start_va = 0x7feff870000 end_va = 0x7feffa72fff entry_point = 0x7feff870000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 1774 start_va = 0x7feffa80000 end_va = 0x7feffb1efff entry_point = 0x7feffa80000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1775 start_va = 0x7feffb80000 end_va = 0x7feffb80fff entry_point = 0x7feffb80000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 1776 start_va = 0x7fffffa4000 end_va = 0x7fffffa5fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa4000" filename = "" Region: id = 1777 start_va = 0x7fffffa6000 end_va = 0x7fffffa7fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa6000" filename = "" Region: id = 1778 start_va = 0x7fffffa8000 end_va = 0x7fffffa9fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa8000" filename = "" Region: id = 1779 start_va = 0x7fffffaa000 end_va = 0x7fffffabfff entry_point = 0x0 region_type = private name = "private_0x000007fffffaa000" filename = "" Region: id = 1780 start_va = 0x7fffffac000 end_va = 0x7fffffadfff entry_point = 0x0 region_type = private name = "private_0x000007fffffac000" filename = "" Region: id = 1781 start_va = 0x7fffffae000 end_va = 0x7fffffaffff entry_point = 0x0 region_type = private name = "private_0x000007fffffae000" filename = "" Region: id = 1782 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 1783 start_va = 0x7fffffd4000 end_va = 0x7fffffd5fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd4000" filename = "" Region: id = 1784 start_va = 0x7fffffd6000 end_va = 0x7fffffd7fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd6000" filename = "" Region: id = 1785 start_va = 0x7fffffd8000 end_va = 0x7fffffd9fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd8000" filename = "" Region: id = 1786 start_va = 0x7fffffda000 end_va = 0x7fffffdbfff entry_point = 0x0 region_type = private name = "private_0x000007fffffda000" filename = "" Region: id = 1787 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 1788 start_va = 0x7fffffde000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Thread: id = 234 os_tid = 0x7f4 Thread: id = 235 os_tid = 0x7e0 Thread: id = 236 os_tid = 0x7d0 Thread: id = 237 os_tid = 0x7c8 Thread: id = 238 os_tid = 0x7c4 Thread: id = 239 os_tid = 0x7bc Thread: id = 240 os_tid = 0x504 Thread: id = 241 os_tid = 0x500 Thread: id = 242 os_tid = 0x4f0 Thread: id = 243 os_tid = 0x4e4 Thread: id = 244 os_tid = 0x4d4 Thread: id = 308 os_tid = 0xa74 Thread: id = 393 os_tid = 0x84c Thread: id = 408 os_tid = 0x1c4 Process: id = "15" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0xf1e000" os_pid = "0x4d8" os_integrity_level = "0x4000" os_privileges = "0x60a00000" monitor_reason = "child_process" parent_id = "5" os_parent_pid = "0x1d4" cmd_line = "C:\\Windows\\system32\\svchost.exe -k LocalServiceNoNetwork" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Local Service" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BFE" [0xe], "NT SERVICE\\DPS" [0xa], "NT SERVICE\\MpsSvc" [0xa], "NT SERVICE\\pla" [0xa], "NT SERVICE\\WwanSvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0001120a" [0xc000000f], "LOCAL" [0x7], "NT AUTHORITY\\WRITE RESTRICTED" [0x7] Region: id = 2177 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 2178 start_va = 0x20000 end_va = 0x26fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 2179 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 2180 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 2181 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2182 start_va = 0xc0000 end_va = 0xc1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 2183 start_va = 0xd0000 end_va = 0xd0fff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 2184 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 2185 start_va = 0xf0000 end_va = 0x10bfff entry_point = 0xf0000 region_type = mapped_file name = "firewallapi.dll.mui" filename = "\\Windows\\System32\\en-US\\FirewallAPI.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\firewallapi.dll.mui") Region: id = 2186 start_va = 0x110000 end_va = 0x110fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 2187 start_va = 0x120000 end_va = 0x120fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000120000" filename = "" Region: id = 2188 start_va = 0x130000 end_va = 0x130fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000130000" filename = "" Region: id = 2189 start_va = 0x140000 end_va = 0x147fff entry_point = 0x0 region_type = private name = "private_0x0000000000140000" filename = "" Region: id = 2190 start_va = 0x150000 end_va = 0x150fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000150000" filename = "" Region: id = 2191 start_va = 0x160000 end_va = 0x16ffff entry_point = 0x0 region_type = private name = "private_0x0000000000160000" filename = "" Region: id = 2192 start_va = 0x170000 end_va = 0x170fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000170000" filename = "" Region: id = 2193 start_va = 0x1b0000 end_va = 0x22ffff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 2194 start_va = 0x230000 end_va = 0x32ffff entry_point = 0x0 region_type = private name = "private_0x0000000000230000" filename = "" Region: id = 2195 start_va = 0x330000 end_va = 0x3affff entry_point = 0x0 region_type = private name = "private_0x0000000000330000" filename = "" Region: id = 2196 start_va = 0x3e0000 end_va = 0x4dffff entry_point = 0x0 region_type = private name = "private_0x00000000003e0000" filename = "" Region: id = 2197 start_va = 0x4e0000 end_va = 0x667fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 2198 start_va = 0x670000 end_va = 0x7f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000670000" filename = "" Region: id = 2199 start_va = 0x800000 end_va = 0x8bffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 2200 start_va = 0x8c0000 end_va = 0xcb2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008c0000" filename = "" Region: id = 2201 start_va = 0xcc0000 end_va = 0xcc1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cc0000" filename = "" Region: id = 2202 start_va = 0xce0000 end_va = 0xd5ffff entry_point = 0x0 region_type = private name = "private_0x0000000000ce0000" filename = "" Region: id = 2203 start_va = 0xd80000 end_va = 0xdfffff entry_point = 0x0 region_type = private name = "private_0x0000000000d80000" filename = "" Region: id = 2204 start_va = 0xe00000 end_va = 0xe7ffff entry_point = 0x0 region_type = private name = "private_0x0000000000e00000" filename = "" Region: id = 2205 start_va = 0xee0000 end_va = 0xf5ffff entry_point = 0x0 region_type = private name = "private_0x0000000000ee0000" filename = "" Region: id = 2206 start_va = 0xf60000 end_va = 0x122efff entry_point = 0xf60000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 2207 start_va = 0x1270000 end_va = 0x12effff entry_point = 0x0 region_type = private name = "private_0x0000000001270000" filename = "" Region: id = 2208 start_va = 0x1310000 end_va = 0x138ffff entry_point = 0x0 region_type = private name = "private_0x0000000001310000" filename = "" Region: id = 2209 start_va = 0x13c0000 end_va = 0x143ffff entry_point = 0x0 region_type = private name = "private_0x00000000013c0000" filename = "" Region: id = 2210 start_va = 0x14a0000 end_va = 0x151ffff entry_point = 0x0 region_type = private name = "private_0x00000000014a0000" filename = "" Region: id = 2211 start_va = 0x1520000 end_va = 0x159ffff entry_point = 0x0 region_type = private name = "private_0x0000000001520000" filename = "" Region: id = 2212 start_va = 0x15c0000 end_va = 0x163ffff entry_point = 0x0 region_type = private name = "private_0x00000000015c0000" filename = "" Region: id = 2213 start_va = 0x16d0000 end_va = 0x174ffff entry_point = 0x0 region_type = private name = "private_0x00000000016d0000" filename = "" Region: id = 2214 start_va = 0x1750000 end_va = 0x184ffff entry_point = 0x0 region_type = private name = "private_0x0000000001750000" filename = "" Region: id = 2215 start_va = 0x1850000 end_va = 0x18cffff entry_point = 0x0 region_type = private name = "private_0x0000000001850000" filename = "" Region: id = 2216 start_va = 0x1960000 end_va = 0x19dffff entry_point = 0x0 region_type = private name = "private_0x0000000001960000" filename = "" Region: id = 2217 start_va = 0x19e0000 end_va = 0x1a5ffff entry_point = 0x0 region_type = private name = "private_0x00000000019e0000" filename = "" Region: id = 2218 start_va = 0x1a60000 end_va = 0x1b5ffff entry_point = 0x0 region_type = private name = "private_0x0000000001a60000" filename = "" Region: id = 2219 start_va = 0x1b90000 end_va = 0x1c0ffff entry_point = 0x0 region_type = private name = "private_0x0000000001b90000" filename = "" Region: id = 2220 start_va = 0x1c80000 end_va = 0x1cfffff entry_point = 0x0 region_type = private name = "private_0x0000000001c80000" filename = "" Region: id = 2221 start_va = 0x1ed0000 end_va = 0x1f4ffff entry_point = 0x0 region_type = private name = "private_0x0000000001ed0000" filename = "" Region: id = 2222 start_va = 0x1f50000 end_va = 0x214ffff entry_point = 0x0 region_type = private name = "private_0x0000000001f50000" filename = "" Region: id = 2223 start_va = 0x2350000 end_va = 0x23cffff entry_point = 0x0 region_type = private name = "private_0x0000000002350000" filename = "" Region: id = 2224 start_va = 0x2400000 end_va = 0x247ffff entry_point = 0x0 region_type = private name = "private_0x0000000002400000" filename = "" Region: id = 2225 start_va = 0x2480000 end_va = 0x24fffff entry_point = 0x0 region_type = private name = "private_0x0000000002480000" filename = "" Region: id = 2226 start_va = 0x2530000 end_va = 0x25affff entry_point = 0x0 region_type = private name = "private_0x0000000002530000" filename = "" Region: id = 2227 start_va = 0x25c0000 end_va = 0x26dffff entry_point = 0x0 region_type = private name = "private_0x00000000025c0000" filename = "" Region: id = 2228 start_va = 0x26e0000 end_va = 0x28e0fff entry_point = 0x0 region_type = private name = "private_0x00000000026e0000" filename = "" Region: id = 2229 start_va = 0x2a90000 end_va = 0x2a9ffff entry_point = 0x0 region_type = private name = "private_0x0000000002a90000" filename = "" Region: id = 2230 start_va = 0x2aa0000 end_va = 0x2c9ffff entry_point = 0x0 region_type = private name = "private_0x0000000002aa0000" filename = "" Region: id = 2231 start_va = 0x77640000 end_va = 0x77739fff entry_point = 0x77640000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 2232 start_va = 0x77740000 end_va = 0x7785efff entry_point = 0x77740000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 2233 start_va = 0x77860000 end_va = 0x77a08fff entry_point = 0x77860000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2234 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 2235 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 2236 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2237 start_va = 0xfff20000 end_va = 0xfff2afff entry_point = 0xfff20000 region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 2238 start_va = 0x7fef69e0000 end_va = 0x7fef69ebfff entry_point = 0x7fef69e0000 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\System32\\npmproxy.dll" (normalized: "c:\\windows\\system32\\npmproxy.dll") Region: id = 2239 start_va = 0x7fef69f0000 end_va = 0x7fef69fcfff entry_point = 0x7fef69f0000 region_type = mapped_file name = "wdiasqmmodule.dll" filename = "\\Windows\\System32\\wdiasqmmodule.dll" (normalized: "c:\\windows\\system32\\wdiasqmmodule.dll") Region: id = 2240 start_va = 0x7fef6a00000 end_va = 0x7fef6a1cfff entry_point = 0x7fef6a00000 region_type = mapped_file name = "radardt.dll" filename = "\\Windows\\System32\\radardt.dll" (normalized: "c:\\windows\\system32\\radardt.dll") Region: id = 2241 start_va = 0x7fef6a20000 end_va = 0x7fef6a27fff entry_point = 0x7fef6a20000 region_type = mapped_file name = "pnpts.dll" filename = "\\Windows\\System32\\pnpts.dll" (normalized: "c:\\windows\\system32\\pnpts.dll") Region: id = 2242 start_va = 0x7fef6c00000 end_va = 0x7fef6d49fff entry_point = 0x7fef6c00000 region_type = mapped_file name = "diagperf.dll" filename = "\\Windows\\System32\\diagperf.dll" (normalized: "c:\\windows\\system32\\diagperf.dll") Region: id = 2243 start_va = 0x7fef6d70000 end_va = 0x7fef6de3fff entry_point = 0x7fef6d70000 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\System32\\netprofm.dll" (normalized: "c:\\windows\\system32\\netprofm.dll") Region: id = 2244 start_va = 0x7fef7b60000 end_va = 0x7fef7b78fff entry_point = 0x7fef7b60000 region_type = mapped_file name = "wdi.dll" filename = "\\Windows\\System32\\wdi.dll" (normalized: "c:\\windows\\system32\\wdi.dll") Region: id = 2245 start_va = 0x7fef7bf0000 end_va = 0x7fef7bf9fff entry_point = 0x7fef7bf0000 region_type = mapped_file name = "wfapigp.dll" filename = "\\Windows\\System32\\wfapigp.dll" (normalized: "c:\\windows\\system32\\wfapigp.dll") Region: id = 2246 start_va = 0x7fef8050000 end_va = 0x7fef807bfff entry_point = 0x7fef8050000 region_type = mapped_file name = "dps.dll" filename = "\\Windows\\System32\\dps.dll" (normalized: "c:\\windows\\system32\\dps.dll") Region: id = 2247 start_va = 0x7fef90a0000 end_va = 0x7fef916dfff entry_point = 0x7fef90a0000 region_type = mapped_file name = "mpssvc.dll" filename = "\\Windows\\System32\\MPSSVC.dll" (normalized: "c:\\windows\\system32\\mpssvc.dll") Region: id = 2248 start_va = 0x7fef9190000 end_va = 0x7fef923ffff entry_point = 0x7fef9190000 region_type = mapped_file name = "bfe.dll" filename = "\\Windows\\System32\\BFE.DLL" (normalized: "c:\\windows\\system32\\bfe.dll") Region: id = 2249 start_va = 0x7fefaef0000 end_va = 0x7fefaf07fff entry_point = 0x7fefaef0000 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll") Region: id = 2250 start_va = 0x7fefaf10000 end_va = 0x7fefaf20fff entry_point = 0x7fefaf10000 region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll") Region: id = 2251 start_va = 0x7fefafe0000 end_va = 0x7fefb032fff entry_point = 0x7fefafe0000 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 2252 start_va = 0x7fefb130000 end_va = 0x7fefb13afff entry_point = 0x7fefb130000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 2253 start_va = 0x7fefb140000 end_va = 0x7fefb166fff entry_point = 0x7fefb140000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 2254 start_va = 0x7fefb230000 end_va = 0x7fefb23afff entry_point = 0x7fefb230000 region_type = mapped_file name = "slc.dll" filename = "\\Windows\\System32\\slc.dll" (normalized: "c:\\windows\\system32\\slc.dll") Region: id = 2255 start_va = 0x7fefb300000 end_va = 0x7fefb314fff entry_point = 0x7fefb300000 region_type = mapped_file name = "nlaapi.dll" filename = "\\Windows\\System32\\nlaapi.dll" (normalized: "c:\\windows\\system32\\nlaapi.dll") Region: id = 2256 start_va = 0x7fefb3f0000 end_va = 0x7fefb516fff entry_point = 0x7fefb3f0000 region_type = mapped_file name = "taskschd.dll" filename = "\\Windows\\System32\\taskschd.dll" (normalized: "c:\\windows\\system32\\taskschd.dll") Region: id = 2257 start_va = 0x7fefba10000 end_va = 0x7fefba20fff entry_point = 0x7fefba10000 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 2258 start_va = 0x7fefc7a0000 end_va = 0x7fefc7ccfff entry_point = 0x7fefc7a0000 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 2259 start_va = 0x7fefc970000 end_va = 0x7fefc97bfff entry_point = 0x7fefc970000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 2260 start_va = 0x7fefc980000 end_va = 0x7fefca3afff entry_point = 0x7fefc980000 region_type = mapped_file name = "firewallapi.dll" filename = "\\Windows\\System32\\FirewallAPI.dll" (normalized: "c:\\windows\\system32\\firewallapi.dll") Region: id = 2261 start_va = 0x7fefca40000 end_va = 0x7fefca46fff entry_point = 0x7fefca40000 region_type = mapped_file name = "wshtcpip.dll" filename = "\\Windows\\System32\\WSHTCPIP.DLL" (normalized: "c:\\windows\\system32\\wshtcpip.dll") Region: id = 2262 start_va = 0x7fefcb30000 end_va = 0x7fefcb4afff entry_point = 0x7fefcb30000 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll") Region: id = 2263 start_va = 0x7fefcb50000 end_va = 0x7fefcb6dfff entry_point = 0x7fefcb50000 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 2264 start_va = 0x7fefcca0000 end_va = 0x7fefcca9fff entry_point = 0x7fefcca0000 region_type = mapped_file name = "credssp.dll" filename = "\\Windows\\System32\\credssp.dll" (normalized: "c:\\windows\\system32\\credssp.dll") Region: id = 2265 start_va = 0x7fefccb0000 end_va = 0x7fefccbcfff entry_point = 0x7fefccb0000 region_type = mapped_file name = "pcwum.dll" filename = "\\Windows\\System32\\pcwum.dll" (normalized: "c:\\windows\\system32\\pcwum.dll") Region: id = 2266 start_va = 0x7fefcda0000 end_va = 0x7fefcde6fff entry_point = 0x7fefcda0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2267 start_va = 0x7fefd030000 end_va = 0x7fefd036fff entry_point = 0x7fefd030000 region_type = mapped_file name = "wship6.dll" filename = "\\Windows\\System32\\wship6.dll" (normalized: "c:\\windows\\system32\\wship6.dll") Region: id = 2268 start_va = 0x7fefd040000 end_va = 0x7fefd094fff entry_point = 0x7fefd040000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 2269 start_va = 0x7fefd0a0000 end_va = 0x7fefd0b6fff entry_point = 0x7fefd0a0000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 2270 start_va = 0x7fefd210000 end_va = 0x7fefd231fff entry_point = 0x7fefd210000 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 2271 start_va = 0x7fefd290000 end_va = 0x7fefd2befff entry_point = 0x7fefd290000 region_type = mapped_file name = "authz.dll" filename = "\\Windows\\System32\\authz.dll" (normalized: "c:\\windows\\system32\\authz.dll") Region: id = 2272 start_va = 0x7fefd640000 end_va = 0x7fefd64afff entry_point = 0x7fefd640000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 2273 start_va = 0x7fefd670000 end_va = 0x7fefd694fff entry_point = 0x7fefd670000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 2274 start_va = 0x7fefd6a0000 end_va = 0x7fefd6aefff entry_point = 0x7fefd6a0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 2275 start_va = 0x7fefd790000 end_va = 0x7fefd7a3fff entry_point = 0x7fefd790000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 2276 start_va = 0x7fefd7b0000 end_va = 0x7fefd7befff entry_point = 0x7fefd7b0000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 2277 start_va = 0x7fefd900000 end_va = 0x7fefd96afff entry_point = 0x7fefd900000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 2278 start_va = 0x7fefdb00000 end_va = 0x7fefdb35fff entry_point = 0x7fefdb00000 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 2279 start_va = 0x7fefdb80000 end_va = 0x7fefdc48fff entry_point = 0x7fefdb80000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 2280 start_va = 0x7fefdc50000 end_va = 0x7fefdd26fff entry_point = 0x7fefdc50000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 2281 start_va = 0x7fefdd30000 end_va = 0x7fefdd3dfff entry_point = 0x7fefdd30000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 2282 start_va = 0x7fefdd40000 end_va = 0x7fefdd6dfff entry_point = 0x7fefdd40000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2283 start_va = 0x7fefdef0000 end_va = 0x7fefdef7fff entry_point = 0x7fefdef0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 2284 start_va = 0x7fefed10000 end_va = 0x7fefed76fff entry_point = 0x7fefed10000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 2285 start_va = 0x7fefed80000 end_va = 0x7fefee88fff entry_point = 0x7fefed80000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 2286 start_va = 0x7feff0f0000 end_va = 0x7feff1cafff entry_point = 0x7feff0f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 2287 start_va = 0x7feff1d0000 end_va = 0x7feff2fcfff entry_point = 0x7feff1d0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 2288 start_va = 0x7feff4e0000 end_va = 0x7feff550fff entry_point = 0x7feff4e0000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 2289 start_va = 0x7feff560000 end_va = 0x7feff5f8fff entry_point = 0x7feff560000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 2290 start_va = 0x7feff600000 end_va = 0x7feff651fff entry_point = 0x7feff600000 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll") Region: id = 2291 start_va = 0x7feff850000 end_va = 0x7feff86efff entry_point = 0x7feff850000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 2292 start_va = 0x7feff870000 end_va = 0x7feffa72fff entry_point = 0x7feff870000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 2293 start_va = 0x7feffa80000 end_va = 0x7feffb1efff entry_point = 0x7feffa80000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 2294 start_va = 0x7feffb20000 end_va = 0x7feffb6cfff entry_point = 0x7feffb20000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 2295 start_va = 0x7feffb80000 end_va = 0x7feffb80fff entry_point = 0x7feffb80000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 2296 start_va = 0x7fffff8c000 end_va = 0x7fffff8dfff entry_point = 0x0 region_type = private name = "private_0x000007fffff8c000" filename = "" Region: id = 2297 start_va = 0x7fffff8e000 end_va = 0x7fffff8ffff entry_point = 0x0 region_type = private name = "private_0x000007fffff8e000" filename = "" Region: id = 2298 start_va = 0x7fffff90000 end_va = 0x7fffff91fff entry_point = 0x0 region_type = private name = "private_0x000007fffff90000" filename = "" Region: id = 2299 start_va = 0x7fffff92000 end_va = 0x7fffff93fff entry_point = 0x0 region_type = private name = "private_0x000007fffff92000" filename = "" Region: id = 2300 start_va = 0x7fffff96000 end_va = 0x7fffff97fff entry_point = 0x0 region_type = private name = "private_0x000007fffff96000" filename = "" Region: id = 2301 start_va = 0x7fffff9a000 end_va = 0x7fffff9bfff entry_point = 0x0 region_type = private name = "private_0x000007fffff9a000" filename = "" Region: id = 2302 start_va = 0x7fffff9c000 end_va = 0x7fffff9dfff entry_point = 0x0 region_type = private name = "private_0x000007fffff9c000" filename = "" Region: id = 2303 start_va = 0x7fffff9e000 end_va = 0x7fffff9ffff entry_point = 0x0 region_type = private name = "private_0x000007fffff9e000" filename = "" Region: id = 2304 start_va = 0x7fffffa0000 end_va = 0x7fffffa1fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa0000" filename = "" Region: id = 2305 start_va = 0x7fffffa2000 end_va = 0x7fffffa3fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa2000" filename = "" Region: id = 2306 start_va = 0x7fffffa4000 end_va = 0x7fffffa5fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa4000" filename = "" Region: id = 2307 start_va = 0x7fffffa6000 end_va = 0x7fffffa7fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa6000" filename = "" Region: id = 2308 start_va = 0x7fffffa8000 end_va = 0x7fffffa9fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa8000" filename = "" Region: id = 2309 start_va = 0x7fffffac000 end_va = 0x7fffffadfff entry_point = 0x0 region_type = private name = "private_0x000007fffffac000" filename = "" Region: id = 2310 start_va = 0x7fffffae000 end_va = 0x7fffffaffff entry_point = 0x0 region_type = private name = "private_0x000007fffffae000" filename = "" Region: id = 2311 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 2312 start_va = 0x7fffffd3000 end_va = 0x7fffffd4fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd3000" filename = "" Region: id = 2313 start_va = 0x7fffffd5000 end_va = 0x7fffffd6fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd5000" filename = "" Region: id = 2314 start_va = 0x7fffffd7000 end_va = 0x7fffffd8fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd7000" filename = "" Region: id = 2315 start_va = 0x7fffffd9000 end_va = 0x7fffffdafff entry_point = 0x0 region_type = private name = "private_0x000007fffffd9000" filename = "" Region: id = 2316 start_va = 0x7fffffdb000 end_va = 0x7fffffdcfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdb000" filename = "" Region: id = 2317 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 2318 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Thread: id = 245 os_tid = 0x544 Thread: id = 246 os_tid = 0x778 Thread: id = 247 os_tid = 0x774 Thread: id = 248 os_tid = 0x770 Thread: id = 249 os_tid = 0x710 Thread: id = 250 os_tid = 0x634 Thread: id = 251 os_tid = 0x630 Thread: id = 252 os_tid = 0x62c Thread: id = 253 os_tid = 0x628 Thread: id = 254 os_tid = 0x60c Thread: id = 255 os_tid = 0x5f8 Thread: id = 256 os_tid = 0x5cc Thread: id = 257 os_tid = 0x550 Thread: id = 258 os_tid = 0x53c Thread: id = 259 os_tid = 0x51c Thread: id = 260 os_tid = 0x510 Thread: id = 261 os_tid = 0x50c Thread: id = 262 os_tid = 0x4f8 Thread: id = 263 os_tid = 0x4f4 Thread: id = 264 os_tid = 0x4e8 Thread: id = 265 os_tid = 0x4dc Thread: id = 310 os_tid = 0xa84 Thread: id = 434 os_tid = 0x750 Thread: id = 445 os_tid = 0x8a8 Process: id = "16" image_name = "taskhost.exe" filename = "c:\\windows\\system32\\taskhost.exe" page_root = "0x690a1000" os_pid = "0x474" os_integrity_level = "0x4000" os_privileges = "0x40800000" monitor_reason = "child_process" parent_id = "5" os_parent_pid = "0x1d4" cmd_line = "taskhost.exe $(Arg0)" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Local Service" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT TASK\\Microsoft-Windows-SideShow-AutoWake" [0xe], "NT TASK\\Microsoft-Windows-SideShow-SystemDataProviders" [0xe], "NT TASK\\Microsoft-Windows-Customer Experience Improvement Program-UsbCeip" [0xe], "NT TASK\\Microsoft-Windows-Ras-MobilityManager" [0xe], "NT TASK\\Microsoft-Windows-PerfTrack-BackgroundConfigSurveyor" [0xe], "NT TASK\\Microsoft-Windows-RAC-RacTask" [0xe], "NT TASK\\Microsoft-Windows-Customer Experience Improvement Program-KernelCeipTask" [0xe], "NT AUTHORITY\\Logon Session 00000000:00027fa4" [0xc0000007], "LOCAL" [0x7] Region: id = 2322 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 2323 start_va = 0x20000 end_va = 0x26fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 2324 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 2325 start_va = 0x40000 end_va = 0x41fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 2326 start_va = 0x50000 end_va = 0x14ffff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 2327 start_va = 0x150000 end_va = 0x1b6fff entry_point = 0x150000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2328 start_va = 0x1c0000 end_va = 0x1c0fff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 2329 start_va = 0x1d0000 end_va = 0x1d0fff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 2330 start_va = 0x1e0000 end_va = 0x1e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 2331 start_va = 0x1f0000 end_va = 0x1f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 2332 start_va = 0x200000 end_va = 0x200fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000200000" filename = "" Region: id = 2333 start_va = 0x210000 end_va = 0x28ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 2334 start_va = 0x290000 end_va = 0x290fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000290000" filename = "" Region: id = 2335 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2336 start_va = 0x2b0000 end_va = 0x2b0fff entry_point = 0x2b0000 region_type = mapped_file name = "msxml6r.dll" filename = "\\Windows\\System32\\msxml6r.dll" (normalized: "c:\\windows\\system32\\msxml6r.dll") Region: id = 2337 start_va = 0x2c0000 end_va = 0x2dffff entry_point = 0x0 region_type = private name = "private_0x00000000002c0000" filename = "" Region: id = 2338 start_va = 0x2e0000 end_va = 0x2e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002e0000" filename = "" Region: id = 2339 start_va = 0x2f0000 end_va = 0x2fffff entry_point = 0x0 region_type = private name = "private_0x00000000002f0000" filename = "" Region: id = 2340 start_va = 0x300000 end_va = 0x3fffff entry_point = 0x0 region_type = private name = "private_0x0000000000300000" filename = "" Region: id = 2341 start_va = 0x400000 end_va = 0x587fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 2342 start_va = 0x590000 end_va = 0x710fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000590000" filename = "" Region: id = 2343 start_va = 0x720000 end_va = 0x7dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000720000" filename = "" Region: id = 2344 start_va = 0x7e0000 end_va = 0xbd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007e0000" filename = "" Region: id = 2345 start_va = 0xbe0000 end_va = 0xc5ffff entry_point = 0x0 region_type = private name = "private_0x0000000000be0000" filename = "" Region: id = 2346 start_va = 0xc70000 end_va = 0xc71fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c70000" filename = "" Region: id = 2347 start_va = 0xca0000 end_va = 0xca0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ca0000" filename = "" Region: id = 2348 start_va = 0xcb0000 end_va = 0xcb1fff entry_point = 0xcb0000 region_type = mapped_file name = "winsatapi.dll.mui" filename = "\\Windows\\System32\\en-US\\WinSATAPI.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\winsatapi.dll.mui") Region: id = 2349 start_va = 0xcc0000 end_va = 0xcc0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cc0000" filename = "" Region: id = 2350 start_va = 0xcd0000 end_va = 0xcdffff entry_point = 0x0 region_type = private name = "private_0x0000000000cd0000" filename = "" Region: id = 2351 start_va = 0xce0000 end_va = 0xd5ffff entry_point = 0x0 region_type = private name = "private_0x0000000000ce0000" filename = "" Region: id = 2352 start_va = 0xd60000 end_va = 0xd6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d60000" filename = "" Region: id = 2353 start_va = 0xd70000 end_va = 0xd70fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 2354 start_va = 0xd80000 end_va = 0xd8ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d80000" filename = "" Region: id = 2355 start_va = 0xd90000 end_va = 0xd90fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d90000" filename = "" Region: id = 2356 start_va = 0xda0000 end_va = 0xe1ffff entry_point = 0x0 region_type = private name = "private_0x0000000000da0000" filename = "" Region: id = 2357 start_va = 0xe20000 end_va = 0xe2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e20000" filename = "" Region: id = 2358 start_va = 0xe30000 end_va = 0xe32fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e30000" filename = "" Region: id = 2359 start_va = 0xe90000 end_va = 0xf0ffff entry_point = 0x0 region_type = private name = "private_0x0000000000e90000" filename = "" Region: id = 2360 start_va = 0xf30000 end_va = 0xfaffff entry_point = 0x0 region_type = private name = "private_0x0000000000f30000" filename = "" Region: id = 2361 start_va = 0xfc0000 end_va = 0x103ffff entry_point = 0x0 region_type = private name = "private_0x0000000000fc0000" filename = "" Region: id = 2362 start_va = 0x1080000 end_va = 0x10fffff entry_point = 0x0 region_type = private name = "private_0x0000000001080000" filename = "" Region: id = 2363 start_va = 0x1120000 end_va = 0x119ffff entry_point = 0x0 region_type = private name = "private_0x0000000001120000" filename = "" Region: id = 2364 start_va = 0x11c0000 end_va = 0x123ffff entry_point = 0x0 region_type = private name = "private_0x00000000011c0000" filename = "" Region: id = 2365 start_va = 0x1240000 end_va = 0x150bfff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001240000" filename = "" Region: id = 2366 start_va = 0x1510000 end_va = 0x158ffff entry_point = 0x0 region_type = private name = "private_0x0000000001510000" filename = "" Region: id = 2367 start_va = 0x15c0000 end_va = 0x163ffff entry_point = 0x0 region_type = private name = "private_0x00000000015c0000" filename = "" Region: id = 2368 start_va = 0x1640000 end_va = 0x190efff entry_point = 0x1640000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 2369 start_va = 0x1960000 end_va = 0x19dffff entry_point = 0x0 region_type = private name = "private_0x0000000001960000" filename = "" Region: id = 2370 start_va = 0x19e0000 end_va = 0x1a9ffff entry_point = 0x19e0000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 2371 start_va = 0x1aa0000 end_va = 0x1e9ffff entry_point = 0x0 region_type = private name = "private_0x0000000001aa0000" filename = "" Region: id = 2372 start_va = 0x1ed0000 end_va = 0x1f4ffff entry_point = 0x0 region_type = private name = "private_0x0000000001ed0000" filename = "" Region: id = 2373 start_va = 0x1f60000 end_va = 0x1fdffff entry_point = 0x0 region_type = private name = "private_0x0000000001f60000" filename = "" Region: id = 2374 start_va = 0x20c0000 end_va = 0x21bffff entry_point = 0x0 region_type = private name = "private_0x00000000020c0000" filename = "" Region: id = 2375 start_va = 0x21d0000 end_va = 0x224ffff entry_point = 0x0 region_type = private name = "private_0x00000000021d0000" filename = "" Region: id = 2376 start_va = 0x2250000 end_va = 0x244ffff entry_point = 0x0 region_type = private name = "private_0x0000000002250000" filename = "" Region: id = 2377 start_va = 0x2450000 end_va = 0x254ffff entry_point = 0x0 region_type = private name = "private_0x0000000002450000" filename = "" Region: id = 2378 start_va = 0x25c0000 end_va = 0x263ffff entry_point = 0x0 region_type = private name = "private_0x00000000025c0000" filename = "" Region: id = 2379 start_va = 0x2640000 end_va = 0x26c9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002640000" filename = "" Region: id = 2380 start_va = 0x26d0000 end_va = 0x2759fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000026d0000" filename = "" Region: id = 2381 start_va = 0x27d0000 end_va = 0x284ffff entry_point = 0x0 region_type = private name = "private_0x00000000027d0000" filename = "" Region: id = 2382 start_va = 0x2850000 end_va = 0x2b1bfff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002850000" filename = "" Region: id = 2383 start_va = 0x2ba0000 end_va = 0x2c1ffff entry_point = 0x0 region_type = private name = "private_0x0000000002ba0000" filename = "" Region: id = 2384 start_va = 0x2c40000 end_va = 0x2cbffff entry_point = 0x0 region_type = private name = "private_0x0000000002c40000" filename = "" Region: id = 2385 start_va = 0x2cd0000 end_va = 0x2d4ffff entry_point = 0x0 region_type = private name = "private_0x0000000002cd0000" filename = "" Region: id = 2386 start_va = 0x73f90000 end_va = 0x73f92fff entry_point = 0x73f90000 region_type = mapped_file name = "sfc.dll" filename = "\\Windows\\System32\\sfc.dll" (normalized: "c:\\windows\\system32\\sfc.dll") Region: id = 2387 start_va = 0x74170000 end_va = 0x74212fff entry_point = 0x74170000 region_type = mapped_file name = "msvcr90.dll" filename = "\\Windows\\winsxs\\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_08e61857a83bc251\\msvcr90.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_08e61857a83bc251\\msvcr90.dll") Region: id = 2388 start_va = 0x77640000 end_va = 0x77739fff entry_point = 0x77640000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 2389 start_va = 0x77740000 end_va = 0x7785efff entry_point = 0x77740000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 2390 start_va = 0x77860000 end_va = 0x77a08fff entry_point = 0x77860000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2391 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 2392 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 2393 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2394 start_va = 0xffe50000 end_va = 0xffe63fff entry_point = 0xffe50000 region_type = mapped_file name = "taskhost.exe" filename = "\\Windows\\System32\\taskhost.exe" (normalized: "c:\\windows\\system32\\taskhost.exe") Region: id = 2395 start_va = 0x7fef4c10000 end_va = 0x7fef4c20fff entry_point = 0x7fef4c10000 region_type = mapped_file name = "msoxmlmf.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\OFFICE14\\MSOXMLMF.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office14\\msoxmlmf.dll") Region: id = 2396 start_va = 0x7fef4c30000 end_va = 0x7fef4e21fff entry_point = 0x7fef4c30000 region_type = mapped_file name = "msxml6.dll" filename = "\\Windows\\System32\\msxml6.dll" (normalized: "c:\\windows\\system32\\msxml6.dll") Region: id = 2397 start_va = 0x7fef4e30000 end_va = 0x7fef4eb4fff entry_point = 0x7fef4e30000 region_type = mapped_file name = "winsatapi.dll" filename = "\\Windows\\System32\\WinSATAPI.dll" (normalized: "c:\\windows\\system32\\winsatapi.dll") Region: id = 2398 start_va = 0x7fef4ec0000 end_va = 0x7fef4f90fff entry_point = 0x7fef4ec0000 region_type = mapped_file name = "sqlceqp30.dll" filename = "\\Windows\\System32\\sqlceqp30.dll" (normalized: "c:\\windows\\system32\\sqlceqp30.dll") Region: id = 2399 start_va = 0x7fef75a0000 end_va = 0x7fef75e1fff entry_point = 0x7fef75a0000 region_type = mapped_file name = "sqmapi.dll" filename = "\\Windows\\System32\\sqmapi.dll" (normalized: "c:\\windows\\system32\\sqmapi.dll") Region: id = 2400 start_va = 0x7fef7b80000 end_va = 0x7fef7b8ffff entry_point = 0x7fef7b80000 region_type = mapped_file name = "sfc_os.dll" filename = "\\Windows\\System32\\sfc_os.dll" (normalized: "c:\\windows\\system32\\sfc_os.dll") Region: id = 2401 start_va = 0x7fef7b90000 end_va = 0x7fef7ba1fff entry_point = 0x7fef7b90000 region_type = mapped_file name = "aepic.dll" filename = "\\Windows\\System32\\aepic.dll" (normalized: "c:\\windows\\system32\\aepic.dll") Region: id = 2402 start_va = 0x7fef8dc0000 end_va = 0x7fef8e33fff entry_point = 0x7fef8dc0000 region_type = mapped_file name = "sqlcese30.dll" filename = "\\Windows\\System32\\sqlcese30.dll" (normalized: "c:\\windows\\system32\\sqlcese30.dll") Region: id = 2403 start_va = 0x7fef8e40000 end_va = 0x7fef8e72fff entry_point = 0x7fef8e40000 region_type = mapped_file name = "sqlceoledb30.dll" filename = "\\Windows\\System32\\sqlceoledb30.dll" (normalized: "c:\\windows\\system32\\sqlceoledb30.dll") Region: id = 2404 start_va = 0x7fef8e80000 end_va = 0x7fef8ffffff entry_point = 0x7fef8e80000 region_type = mapped_file name = "racengn.dll" filename = "\\Windows\\System32\\RacEngn.dll" (normalized: "c:\\windows\\system32\\racengn.dll") Region: id = 2405 start_va = 0x7fefa970000 end_va = 0x7fefaa16fff entry_point = 0x7fefa970000 region_type = mapped_file name = "dxgi.dll" filename = "\\Windows\\System32\\dxgi.dll" (normalized: "c:\\windows\\system32\\dxgi.dll") Region: id = 2406 start_va = 0x7fefb3f0000 end_va = 0x7fefb516fff entry_point = 0x7fefb3f0000 region_type = mapped_file name = "taskschd.dll" filename = "\\Windows\\System32\\taskschd.dll" (normalized: "c:\\windows\\system32\\taskschd.dll") Region: id = 2407 start_va = 0x7fefbb70000 end_va = 0x7fefbba4fff entry_point = 0x7fefbb70000 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\System32\\xmllite.dll" (normalized: "c:\\windows\\system32\\xmllite.dll") Region: id = 2408 start_va = 0x7fefbbb0000 end_va = 0x7fefbbc7fff entry_point = 0x7fefbbb0000 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Region: id = 2409 start_va = 0x7fefbd70000 end_va = 0x7fefbf84fff entry_point = 0x7fefbd70000 region_type = mapped_file name = "gdiplus.dll" filename = "\\Windows\\winsxs\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_2b24536c71ed437a\\GdiPlus.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_2b24536c71ed437a\\gdiplus.dll") Region: id = 2410 start_va = 0x7fefc040000 end_va = 0x7fefc233fff entry_point = 0x7fefc040000 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\\comctl32.dll") Region: id = 2411 start_va = 0x7fefc540000 end_va = 0x7fefc66bfff entry_point = 0x7fefc540000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 2412 start_va = 0x7fefc6c0000 end_va = 0x7fefc6ebfff entry_point = 0x7fefc6c0000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 2413 start_va = 0x7fefc7a0000 end_va = 0x7fefc7ccfff entry_point = 0x7fefc7a0000 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 2414 start_va = 0x7fefc970000 end_va = 0x7fefc97bfff entry_point = 0x7fefc970000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 2415 start_va = 0x7fefcda0000 end_va = 0x7fefcde6fff entry_point = 0x7fefcda0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2416 start_va = 0x7fefd0a0000 end_va = 0x7fefd0b6fff entry_point = 0x7fefd0a0000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 2417 start_va = 0x7fefd2d0000 end_va = 0x7fefd33cfff entry_point = 0x7fefd2d0000 region_type = mapped_file name = "wevtapi.dll" filename = "\\Windows\\System32\\wevtapi.dll" (normalized: "c:\\windows\\system32\\wevtapi.dll") Region: id = 2418 start_va = 0x7fefd670000 end_va = 0x7fefd694fff entry_point = 0x7fefd670000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 2419 start_va = 0x7fefd6a0000 end_va = 0x7fefd6aefff entry_point = 0x7fefd6a0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 2420 start_va = 0x7fefd790000 end_va = 0x7fefd7a3fff entry_point = 0x7fefd790000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 2421 start_va = 0x7fefd7b0000 end_va = 0x7fefd7befff entry_point = 0x7fefd7b0000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 2422 start_va = 0x7fefd850000 end_va = 0x7fefd85efff entry_point = 0x7fefd850000 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 2423 start_va = 0x7fefd900000 end_va = 0x7fefd96afff entry_point = 0x7fefd900000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 2424 start_va = 0x7fefd970000 end_va = 0x7fefd989fff entry_point = 0x7fefd970000 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 2425 start_va = 0x7fefd990000 end_va = 0x7fefdaf6fff entry_point = 0x7fefd990000 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 2426 start_va = 0x7fefdb00000 end_va = 0x7fefdb35fff entry_point = 0x7fefdb00000 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 2427 start_va = 0x7fefdb40000 end_va = 0x7fefdb79fff entry_point = 0x7fefdb40000 region_type = mapped_file name = "wintrust.dll" filename = "\\Windows\\System32\\wintrust.dll" (normalized: "c:\\windows\\system32\\wintrust.dll") Region: id = 2428 start_va = 0x7fefdb80000 end_va = 0x7fefdc48fff entry_point = 0x7fefdb80000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 2429 start_va = 0x7fefdc50000 end_va = 0x7fefdd26fff entry_point = 0x7fefdc50000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 2430 start_va = 0x7fefdd30000 end_va = 0x7fefdd3dfff entry_point = 0x7fefdd30000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 2431 start_va = 0x7fefdd40000 end_va = 0x7fefdd6dfff entry_point = 0x7fefdd40000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2432 start_va = 0x7fefdf00000 end_va = 0x7fefec87fff entry_point = 0x7fefdf00000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 2433 start_va = 0x7fefed10000 end_va = 0x7fefed76fff entry_point = 0x7fefed10000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 2434 start_va = 0x7fefed80000 end_va = 0x7fefee88fff entry_point = 0x7fefed80000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 2435 start_va = 0x7feff0f0000 end_va = 0x7feff1cafff entry_point = 0x7feff0f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 2436 start_va = 0x7feff1d0000 end_va = 0x7feff2fcfff entry_point = 0x7feff1d0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 2437 start_va = 0x7feff300000 end_va = 0x7feff4d6fff entry_point = 0x7feff300000 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll") Region: id = 2438 start_va = 0x7feff4e0000 end_va = 0x7feff550fff entry_point = 0x7feff4e0000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 2439 start_va = 0x7feff560000 end_va = 0x7feff5f8fff entry_point = 0x7feff560000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 2440 start_va = 0x7feff600000 end_va = 0x7feff651fff entry_point = 0x7feff600000 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll") Region: id = 2441 start_va = 0x7feff850000 end_va = 0x7feff86efff entry_point = 0x7feff850000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 2442 start_va = 0x7feff870000 end_va = 0x7feffa72fff entry_point = 0x7feff870000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 2443 start_va = 0x7feffa80000 end_va = 0x7feffb1efff entry_point = 0x7feffa80000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 2444 start_va = 0x7feffb80000 end_va = 0x7feffb80fff entry_point = 0x7feffb80000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 2445 start_va = 0x7fffffa6000 end_va = 0x7fffffa7fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa6000" filename = "" Region: id = 2446 start_va = 0x7fffffa8000 end_va = 0x7fffffa9fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa8000" filename = "" Region: id = 2447 start_va = 0x7fffffaa000 end_va = 0x7fffffabfff entry_point = 0x0 region_type = private name = "private_0x000007fffffaa000" filename = "" Region: id = 2448 start_va = 0x7fffffac000 end_va = 0x7fffffadfff entry_point = 0x0 region_type = private name = "private_0x000007fffffac000" filename = "" Region: id = 2449 start_va = 0x7fffffae000 end_va = 0x7fffffaffff entry_point = 0x0 region_type = private name = "private_0x000007fffffae000" filename = "" Region: id = 2450 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 2451 start_va = 0x7fffffd3000 end_va = 0x7fffffd4fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd3000" filename = "" Region: id = 2452 start_va = 0x7fffffd5000 end_va = 0x7fffffd6fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd5000" filename = "" Region: id = 2453 start_va = 0x7fffffd7000 end_va = 0x7fffffd8fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd7000" filename = "" Region: id = 2454 start_va = 0x7fffffd9000 end_va = 0x7fffffdafff entry_point = 0x0 region_type = private name = "private_0x000007fffffd9000" filename = "" Region: id = 2455 start_va = 0x7fffffdb000 end_va = 0x7fffffdcfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdb000" filename = "" Region: id = 2456 start_va = 0x7fffffdd000 end_va = 0x7fffffddfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 2457 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Thread: id = 266 os_tid = 0x408 Thread: id = 267 os_tid = 0x570 Thread: id = 268 os_tid = 0x40c Thread: id = 269 os_tid = 0x554 Thread: id = 270 os_tid = 0x558 Thread: id = 271 os_tid = 0x5d4 Thread: id = 272 os_tid = 0x138 Thread: id = 273 os_tid = 0x488 Thread: id = 274 os_tid = 0x470 Thread: id = 275 os_tid = 0x428 Thread: id = 314 os_tid = 0xa68 Thread: id = 407 os_tid = 0x594 Thread: id = 465 os_tid = 0x834 Process: id = "17" image_name = "ose.exe" filename = "c:\\program files\\common files\\microsoft shared\\source engine\\ose.exe" page_root = "0x4e445000" os_pid = "0x97c" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "5" os_parent_pid = "0x1d4" cmd_line = "\"C:\\Program Files\\Common Files\\Microsoft Shared\\Source Engine\\OSE.EXE\"" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Region: id = 739 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 740 start_va = 0x30000 end_va = 0x31fff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 741 start_va = 0x40000 end_va = 0x40fff entry_point = 0x40000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 742 start_va = 0x50000 end_va = 0x53fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 743 start_va = 0x60000 end_va = 0x60fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 744 start_va = 0x90000 end_va = 0xcffff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 745 start_va = 0xd0000 end_va = 0x1cffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 746 start_va = 0x860000 end_va = 0x882fff entry_point = 0x860000 region_type = mapped_file name = "ose.exe" filename = "\\Program Files\\Common Files\\Microsoft Shared\\Source Engine\\OSE.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\source engine\\ose.exe") Region: id = 747 start_va = 0x77860000 end_va = 0x77a08fff entry_point = 0x77860000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 748 start_va = 0x77a40000 end_va = 0x77bbffff entry_point = 0x77a40000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 749 start_va = 0x7efb0000 end_va = 0x7efd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efb0000" filename = "" Region: id = 750 start_va = 0x7efdb000 end_va = 0x7efddfff entry_point = 0x0 region_type = private name = "private_0x000000007efdb000" filename = "" Region: id = 751 start_va = 0x7efde000 end_va = 0x7efdefff entry_point = 0x0 region_type = private name = "private_0x000000007efde000" filename = "" Region: id = 752 start_va = 0x7efdf000 end_va = 0x7efdffff entry_point = 0x0 region_type = private name = "private_0x000000007efdf000" filename = "" Region: id = 753 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 754 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 755 start_va = 0x7fff0000 end_va = 0x7fffffeffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 953 start_va = 0x1d0000 end_va = 0x24ffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 954 start_va = 0x74f80000 end_va = 0x74f87fff entry_point = 0x74f80000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 955 start_va = 0x74f90000 end_va = 0x74febfff entry_point = 0x74f90000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 956 start_va = 0x74ff0000 end_va = 0x7502efff entry_point = 0x74ff0000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 957 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 958 start_va = 0x250000 end_va = 0x34ffff entry_point = 0x0 region_type = private name = "private_0x0000000000250000" filename = "" Region: id = 959 start_va = 0x350000 end_va = 0x3b6fff entry_point = 0x350000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 960 start_va = 0x773b0000 end_va = 0x774bffff entry_point = 0x773b0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 961 start_va = 0x775f0000 end_va = 0x77635fff entry_point = 0x775f0000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 962 start_va = 0x77640000 end_va = 0x77739fff entry_point = 0x0 region_type = private name = "private_0x0000000077640000" filename = "" Region: id = 963 start_va = 0x77740000 end_va = 0x7785efff entry_point = 0x0 region_type = private name = "private_0x0000000077740000" filename = "" Region: id = 964 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 965 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 977 start_va = 0x550000 end_va = 0x55ffff entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 978 start_va = 0x751b0000 end_va = 0x7533ffff entry_point = 0x751b0000 region_type = mapped_file name = "gdiplus.dll" filename = "\\Windows\\winsxs\\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\\GdiPlus.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\\gdiplus.dll") Region: id = 979 start_va = 0x75340000 end_va = 0x753c3fff entry_point = 0x75340000 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\\comctl32.dll") Region: id = 980 start_va = 0x753d0000 end_va = 0x75401fff entry_point = 0x753d0000 region_type = mapped_file name = "winmm.dll" filename = "\\Windows\\SysWOW64\\winmm.dll" (normalized: "c:\\windows\\syswow64\\winmm.dll") Region: id = 981 start_va = 0x75410000 end_va = 0x7542bfff entry_point = 0x75410000 region_type = mapped_file name = "oledlg.dll" filename = "\\Windows\\SysWOW64\\oledlg.dll" (normalized: "c:\\windows\\syswow64\\oledlg.dll") Region: id = 982 start_va = 0x75430000 end_va = 0x75480fff entry_point = 0x75430000 region_type = mapped_file name = "winspool.drv" filename = "\\Windows\\SysWOW64\\winspool.drv" (normalized: "c:\\windows\\syswow64\\winspool.drv") Region: id = 983 start_va = 0x75590000 end_va = 0x7559bfff entry_point = 0x75590000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 984 start_va = 0x755a0000 end_va = 0x755fffff entry_point = 0x755a0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 985 start_va = 0x75660000 end_va = 0x7570bfff entry_point = 0x75660000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 986 start_va = 0x75710000 end_va = 0x75719fff entry_point = 0x75710000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\SysWOW64\\lpk.dll" (normalized: "c:\\windows\\syswow64\\lpk.dll") Region: id = 987 start_va = 0x75a60000 end_va = 0x75a78fff entry_point = 0x75a60000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 988 start_va = 0x75a80000 end_va = 0x75b0ffff entry_point = 0x75a80000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 989 start_va = 0x75b10000 end_va = 0x75bfffff entry_point = 0x75b10000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 990 start_va = 0x75cc0000 end_va = 0x76909fff entry_point = 0x75cc0000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 991 start_va = 0x76e30000 end_va = 0x76f8bfff entry_point = 0x76e30000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 992 start_va = 0x76f90000 end_va = 0x7702ffff entry_point = 0x76f90000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 993 start_va = 0x771d0000 end_va = 0x772cffff entry_point = 0x771d0000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 994 start_va = 0x77350000 end_va = 0x773a6fff entry_point = 0x77350000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 995 start_va = 0x77550000 end_va = 0x775ecfff entry_point = 0x77550000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 996 start_va = 0x3c0000 end_va = 0x547fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003c0000" filename = "" Region: id = 997 start_va = 0x76b30000 end_va = 0x76bfbfff entry_point = 0x76b30000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 998 start_va = 0x76c00000 end_va = 0x76c5ffff entry_point = 0x76c00000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 1190 start_va = 0x20000 end_va = 0x20fff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 1191 start_va = 0x30000 end_va = 0x30fff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 1192 start_va = 0x70000 end_va = 0x8bfff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 1193 start_va = 0x560000 end_va = 0x6e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000560000" filename = "" Region: id = 1194 start_va = 0x6f0000 end_va = 0x7affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006f0000" filename = "" Region: id = 1195 start_va = 0x940000 end_va = 0x94ffff entry_point = 0x0 region_type = private name = "private_0x0000000000940000" filename = "" Region: id = 1196 start_va = 0xa00000 end_va = 0xa0ffff entry_point = 0x0 region_type = private name = "private_0x0000000000a00000" filename = "" Region: id = 1197 start_va = 0x7b0000 end_va = 0x7c1fff entry_point = 0x0 region_type = private name = "private_0x00000000007b0000" filename = "" Region: id = 1534 start_va = 0x7d0000 end_va = 0x7dffff entry_point = 0x0 region_type = private name = "private_0x00000000007d0000" filename = "" Region: id = 1535 start_va = 0xa10000 end_va = 0xadffff entry_point = 0x0 region_type = private name = "private_0x0000000000a10000" filename = "" Region: id = 1655 start_va = 0xae0000 end_va = 0xbdffff entry_point = 0x0 region_type = private name = "private_0x0000000000ae0000" filename = "" Region: id = 1656 start_va = 0xa80000 end_va = 0xabffff entry_point = 0x0 region_type = private name = "private_0x0000000000a80000" filename = "" Region: id = 1657 start_va = 0xad0000 end_va = 0xadffff entry_point = 0x0 region_type = private name = "private_0x0000000000ad0000" filename = "" Region: id = 1658 start_va = 0xce0000 end_va = 0xddffff entry_point = 0x0 region_type = private name = "private_0x0000000000ce0000" filename = "" Region: id = 1659 start_va = 0x75170000 end_va = 0x75185fff entry_point = 0x75170000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\SysWOW64\\cryptsp.dll" (normalized: "c:\\windows\\syswow64\\cryptsp.dll") Region: id = 1660 start_va = 0x7efd8000 end_va = 0x7efdafff entry_point = 0x0 region_type = private name = "private_0x000000007efd8000" filename = "" Region: id = 1661 start_va = 0x7e0000 end_va = 0x81bfff entry_point = 0x7e0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 1662 start_va = 0x7e0000 end_va = 0x81bfff entry_point = 0x7e0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 1663 start_va = 0x7e0000 end_va = 0x81bfff entry_point = 0x7e0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 1664 start_va = 0x7e0000 end_va = 0x81bfff entry_point = 0x7e0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 1665 start_va = 0x7e0000 end_va = 0x81bfff entry_point = 0x7e0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 1666 start_va = 0x75130000 end_va = 0x7516afff entry_point = 0x75130000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 1667 start_va = 0xde0000 end_va = 0x10aefff entry_point = 0xde0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1668 start_va = 0x75720000 end_va = 0x7583cfff entry_point = 0x75720000 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\SysWOW64\\crypt32.dll" (normalized: "c:\\windows\\syswow64\\crypt32.dll") Region: id = 1669 start_va = 0x75c60000 end_va = 0x75c6bfff entry_point = 0x75c60000 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\SysWOW64\\msasn1.dll" (normalized: "c:\\windows\\syswow64\\msasn1.dll") Region: id = 1670 start_va = 0x800000 end_va = 0x83ffff entry_point = 0x0 region_type = private name = "private_0x0000000000800000" filename = "" Region: id = 1671 start_va = 0x9c0000 end_va = 0x9fffff entry_point = 0x0 region_type = private name = "private_0x00000000009c0000" filename = "" Region: id = 1672 start_va = 0xc10000 end_va = 0xc4ffff entry_point = 0x0 region_type = private name = "private_0x0000000000c10000" filename = "" Region: id = 1673 start_va = 0x1110000 end_va = 0x120ffff entry_point = 0x0 region_type = private name = "private_0x0000000001110000" filename = "" Region: id = 1674 start_va = 0x1310000 end_va = 0x140ffff entry_point = 0x0 region_type = private name = "private_0x0000000001310000" filename = "" Region: id = 1675 start_va = 0x1420000 end_va = 0x151ffff entry_point = 0x0 region_type = private name = "private_0x0000000001420000" filename = "" Region: id = 1676 start_va = 0x7efaa000 end_va = 0x7efacfff entry_point = 0x0 region_type = private name = "private_0x000000007efaa000" filename = "" Region: id = 1677 start_va = 0x7efad000 end_va = 0x7efaffff entry_point = 0x0 region_type = private name = "private_0x000000007efad000" filename = "" Region: id = 1678 start_va = 0x7efd5000 end_va = 0x7efd7fff entry_point = 0x0 region_type = private name = "private_0x000000007efd5000" filename = "" Region: id = 1691 start_va = 0x7e0000 end_va = 0x7e0fff entry_point = 0x0 region_type = private name = "private_0x00000000007e0000" filename = "" Region: id = 1692 start_va = 0x7e0000 end_va = 0x7e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007e0000" filename = "" Region: id = 1789 start_va = 0x7f0000 end_va = 0x7fffff entry_point = 0x0 region_type = private name = "private_0x00000000007f0000" filename = "" Region: id = 1790 start_va = 0x840000 end_va = 0x847fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000840000" filename = "" Region: id = 1791 start_va = 0x7f0000 end_va = 0x7f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 1792 start_va = 0x7f0000 end_va = 0x7f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 1793 start_va = 0x7f0000 end_va = 0x7f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 1794 start_va = 0x7f0000 end_va = 0x7f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 1795 start_va = 0x7f0000 end_va = 0x7f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 1796 start_va = 0x7f0000 end_va = 0x7f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 1797 start_va = 0x7f0000 end_va = 0x7f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 1798 start_va = 0x7f0000 end_va = 0x7f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 1799 start_va = 0x7f0000 end_va = 0x7f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 1800 start_va = 0x7f0000 end_va = 0x7f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 1801 start_va = 0x7f0000 end_va = 0x7f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 1802 start_va = 0x7f0000 end_va = 0x7f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 1803 start_va = 0x7f0000 end_va = 0x7f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 1804 start_va = 0x7f0000 end_va = 0x7f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 1805 start_va = 0x7f0000 end_va = 0x7f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 1806 start_va = 0x7f0000 end_va = 0x7f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 1807 start_va = 0x7f0000 end_va = 0x7f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 1808 start_va = 0x7f0000 end_va = 0x7f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 1809 start_va = 0x7f0000 end_va = 0x7f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 1810 start_va = 0x7f0000 end_va = 0x7f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 1811 start_va = 0x7f0000 end_va = 0x7f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 1812 start_va = 0x7f0000 end_va = 0x7f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 1813 start_va = 0x7f0000 end_va = 0x7f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 1814 start_va = 0x7f0000 end_va = 0x7f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 1815 start_va = 0x7f0000 end_va = 0x7f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 1816 start_va = 0x7f0000 end_va = 0x7f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 1817 start_va = 0x7f0000 end_va = 0x7f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 1818 start_va = 0x7f0000 end_va = 0x7f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 1819 start_va = 0x7f0000 end_va = 0x7f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 1820 start_va = 0x7f0000 end_va = 0x7f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 1821 start_va = 0x7f0000 end_va = 0x7f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 1822 start_va = 0x7f0000 end_va = 0x7f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 1823 start_va = 0x7f0000 end_va = 0x7f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 1824 start_va = 0x7f0000 end_va = 0x7f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 1825 start_va = 0x7f0000 end_va = 0x7f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 1826 start_va = 0x7f0000 end_va = 0x7f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 1827 start_va = 0x7f0000 end_va = 0x7f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 1828 start_va = 0x7f0000 end_va = 0x7f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 1829 start_va = 0x7f0000 end_va = 0x7f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 1830 start_va = 0x7f0000 end_va = 0x7f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 1831 start_va = 0x7f0000 end_va = 0x7f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 1832 start_va = 0x7f0000 end_va = 0x7f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 1833 start_va = 0x7f0000 end_va = 0x7f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 1834 start_va = 0x7f0000 end_va = 0x7f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 1835 start_va = 0x7f0000 end_va = 0x7f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 1836 start_va = 0x7f0000 end_va = 0x7f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 1837 start_va = 0x7f0000 end_va = 0x7f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 1838 start_va = 0x7f0000 end_va = 0x7f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 1839 start_va = 0x7f0000 end_va = 0x7f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 1840 start_va = 0x7f0000 end_va = 0x7f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 1841 start_va = 0x7f0000 end_va = 0x7f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 1842 start_va = 0x7f0000 end_va = 0x7f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 1843 start_va = 0x7f0000 end_va = 0x7f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 1844 start_va = 0x77a10000 end_va = 0x77a14fff entry_point = 0x77a10000 region_type = mapped_file name = "psapi.dll" filename = "\\Windows\\SysWOW64\\psapi.dll" (normalized: "c:\\windows\\syswow64\\psapi.dll") Region: id = 1845 start_va = 0x7f0000 end_va = 0x7fffff entry_point = 0x0 region_type = private name = "private_0x00000000007f0000" filename = "" Region: id = 1846 start_va = 0x840000 end_va = 0x847fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000840000" filename = "" Region: id = 1847 start_va = 0x7f0000 end_va = 0x7f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 1848 start_va = 0x7f0000 end_va = 0x7f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 1849 start_va = 0x7f0000 end_va = 0x7f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 1850 start_va = 0x7f0000 end_va = 0x7f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 1851 start_va = 0x7f0000 end_va = 0x7f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 1852 start_va = 0x7f0000 end_va = 0x7f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 1853 start_va = 0x7f0000 end_va = 0x7f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 1854 start_va = 0x7f0000 end_va = 0x7f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 1855 start_va = 0x7f0000 end_va = 0x7f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 1856 start_va = 0x7f0000 end_va = 0x7f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 1857 start_va = 0x7f0000 end_va = 0x7f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 1858 start_va = 0x7f0000 end_va = 0x7f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 1859 start_va = 0x7f0000 end_va = 0x7f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 1860 start_va = 0x7f0000 end_va = 0x7f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 1861 start_va = 0x7f0000 end_va = 0x7f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 1862 start_va = 0x7f0000 end_va = 0x7f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 1863 start_va = 0x7f0000 end_va = 0x7f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 1864 start_va = 0x7f0000 end_va = 0x7f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 1865 start_va = 0x7f0000 end_va = 0x7f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 1866 start_va = 0x7f0000 end_va = 0x7f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 1867 start_va = 0x7f0000 end_va = 0x7f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 1868 start_va = 0x7f0000 end_va = 0x7f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 1869 start_va = 0x7f0000 end_va = 0x7f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 1870 start_va = 0x7f0000 end_va = 0x7f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 1871 start_va = 0x7f0000 end_va = 0x7f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 1872 start_va = 0x7f0000 end_va = 0x7f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 1873 start_va = 0x7f0000 end_va = 0x7f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 1874 start_va = 0x7f0000 end_va = 0x7f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 1875 start_va = 0x7f0000 end_va = 0x7f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 1876 start_va = 0x7f0000 end_va = 0x7f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 1877 start_va = 0x7f0000 end_va = 0x7f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 1878 start_va = 0x7f0000 end_va = 0x7f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 1879 start_va = 0x7f0000 end_va = 0x7f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 1880 start_va = 0x7f0000 end_va = 0x7f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 1881 start_va = 0x7f0000 end_va = 0x7f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 1882 start_va = 0x7f0000 end_va = 0x7f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 1883 start_va = 0x7f0000 end_va = 0x7f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 1884 start_va = 0x7f0000 end_va = 0x7f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 1885 start_va = 0x7f0000 end_va = 0x7f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 1886 start_va = 0x7f0000 end_va = 0x7f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 1887 start_va = 0x7f0000 end_va = 0x7f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 1888 start_va = 0x7f0000 end_va = 0x7f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 1889 start_va = 0x7f0000 end_va = 0x7f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 1890 start_va = 0x7f0000 end_va = 0x7f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 1891 start_va = 0x7f0000 end_va = 0x7f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 1892 start_va = 0x7f0000 end_va = 0x7f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 1893 start_va = 0x7f0000 end_va = 0x7f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 1894 start_va = 0x7f0000 end_va = 0x7f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 1895 start_va = 0x7f0000 end_va = 0x7f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 1896 start_va = 0x7f0000 end_va = 0x7f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 1897 start_va = 0x7f0000 end_va = 0x7f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 1898 start_va = 0x7f0000 end_va = 0x7f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 1899 start_va = 0x7f0000 end_va = 0x7f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 1903 start_va = 0x7f0000 end_va = 0x7f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 1904 start_va = 0x75190000 end_va = 0x751a6fff entry_point = 0x75190000 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\SysWOW64\\userenv.dll" (normalized: "c:\\windows\\syswow64\\userenv.dll") Region: id = 1951 start_va = 0x75120000 end_va = 0x7512afff entry_point = 0x75120000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 2089 start_va = 0x840000 end_va = 0x840fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000840000" filename = "" Region: id = 2090 start_va = 0xc90000 end_va = 0xccffff entry_point = 0x0 region_type = private name = "private_0x0000000000c90000" filename = "" Region: id = 2091 start_va = 0x15b0000 end_va = 0x16affff entry_point = 0x0 region_type = private name = "private_0x00000000015b0000" filename = "" Region: id = 2092 start_va = 0x7efa7000 end_va = 0x7efa9fff entry_point = 0x0 region_type = private name = "private_0x000000007efa7000" filename = "" Region: id = 2093 start_va = 0x840000 end_va = 0x840fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000840000" filename = "" Region: id = 2094 start_va = 0x840000 end_va = 0x840fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000840000" filename = "" Region: id = 2095 start_va = 0x840000 end_va = 0x840fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000840000" filename = "" Region: id = 2096 start_va = 0x840000 end_va = 0x840fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000840000" filename = "" Region: id = 2097 start_va = 0x840000 end_va = 0x840fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000840000" filename = "" Region: id = 2098 start_va = 0x840000 end_va = 0x840fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000840000" filename = "" Region: id = 2099 start_va = 0x840000 end_va = 0x840fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000840000" filename = "" Region: id = 2100 start_va = 0x840000 end_va = 0x840fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000840000" filename = "" Region: id = 2101 start_va = 0x840000 end_va = 0x840fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000840000" filename = "" Region: id = 2102 start_va = 0x840000 end_va = 0x840fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000840000" filename = "" Region: id = 2103 start_va = 0x840000 end_va = 0x840fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000840000" filename = "" Region: id = 2104 start_va = 0x840000 end_va = 0x840fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000840000" filename = "" Region: id = 2105 start_va = 0x840000 end_va = 0x840fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000840000" filename = "" Region: id = 2106 start_va = 0x840000 end_va = 0x840fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000840000" filename = "" Region: id = 2107 start_va = 0x840000 end_va = 0x840fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000840000" filename = "" Region: id = 2108 start_va = 0x840000 end_va = 0x840fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000840000" filename = "" Region: id = 2109 start_va = 0x840000 end_va = 0x840fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000840000" filename = "" Region: id = 2110 start_va = 0x840000 end_va = 0x840fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000840000" filename = "" Region: id = 2319 start_va = 0x970000 end_va = 0x9affff entry_point = 0x0 region_type = private name = "private_0x0000000000970000" filename = "" Region: id = 2320 start_va = 0x17e0000 end_va = 0x18dffff entry_point = 0x0 region_type = private name = "private_0x00000000017e0000" filename = "" Region: id = 2321 start_va = 0x7efa4000 end_va = 0x7efa6fff entry_point = 0x0 region_type = private name = "private_0x000000007efa4000" filename = "" Thread: id = 276 os_tid = 0x980 [0032.048] GetCurrentProcess () returned 0xffffffff [0032.048] GetTickCount () returned 0x174a2 [0032.048] GetCurrentThreadId () returned 0x980 [0032.048] GetCurrentThreadId () returned 0x980 [0032.048] GetCurrentProcess () returned 0xffffffff [0032.048] GetVersion () returned 0x1db10106 [0032.048] GetVersion () returned 0x1db10106 [0032.048] GetCurrentProcess () returned 0xffffffff [0032.048] GetCurrentProcess () returned 0xffffffff [0032.048] GetTickCount () returned 0x174a2 [0032.048] GetTickCount () returned 0x174a2 [0032.048] GetTickCount () returned 0x174a2 [0032.048] GetVersion () returned 0x1db10106 [0032.048] GetTickCount () returned 0x174a2 [0032.048] GetCurrentThreadId () returned 0x980 [0032.048] GetVersion () returned 0x1db10106 [0032.048] GetTickCount () returned 0x174a2 [0032.048] GetCurrentThreadId () returned 0x980 [0032.048] GetCurrentThreadId () returned 0x980 [0032.048] GetCurrentThreadId () returned 0x980 [0032.049] GetVersion () returned 0x1db10106 [0032.049] GetTickCount () returned 0x174a2 [0032.049] GetCurrentThreadId () returned 0x980 [0032.049] GetTickCount () returned 0x174a2 [0032.049] GetCurrentThreadId () returned 0x980 [0032.049] GetCurrentThreadId () returned 0x980 [0032.049] GetVersion () returned 0x1db10106 [0032.049] GetTickCount () returned 0x174a2 [0032.049] GetTickCount () returned 0x174a2 [0032.049] GetCurrentThreadId () returned 0x980 [0032.049] VirtualAlloc (lpAddress=0x0, dwSize=0x1c000, flAllocationType=0x1000, flProtect=0x40) returned 0x70000 [0032.250] VirtualAlloc (lpAddress=0x0, dwSize=0x11a00, flAllocationType=0x1000, flProtect=0x4) returned 0x7b0000 [0035.204] VirtualProtect (in: lpAddress=0x860000, dwSize=0x1c000, flNewProtect=0x40, lpflOldProtect=0x8a0b8 | out: lpflOldProtect=0x8a0b8*=0x2) returned 1 [0035.206] VirtualProtect (in: lpAddress=0x860000, dwSize=0x400, flNewProtect=0x2, lpflOldProtect=0x8a0b8 | out: lpflOldProtect=0x8a0b8*=0x40) returned 1 [0035.206] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x773b0000 [0035.207] GetProcAddress (hModule=0x773b0000, lpProcName="OutputDebugStringA") returned 0x773eb2b7 [0035.207] GetProcAddress (hModule=0x773b0000, lpProcName="HeapValidate") returned 0x773db17b [0035.217] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1cef14, nSize=0x1000 | out: lpFilename="C:\\Program Files\\Common Files\\Microsoft Shared\\Source Engine\\OSE.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\source engine\\ose.exe")) returned 0x44 [0035.218] GetVersionExW (in: lpVersionInformation=0x1cf5b4*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x1cf5b4*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0035.218] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x1cf5a0 | out: Wow64Process=0x1cf5a0) returned 1 [0035.218] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x1cf57c | out: TokenHandle=0x1cf57c*=0xbc) returned 1 [0035.218] GetTokenInformation (in: TokenHandle=0xbc, TokenInformationClass=0x2, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x1cf578 | out: TokenInformation=0x0, ReturnLength=0x1cf578) returned 0 [0035.218] GetLastError () returned 0x7a [0035.218] GetTokenInformation (in: TokenHandle=0xbc, TokenInformationClass=0x2, TokenInformation=0xad1080, TokenInformationLength=0x58, ReturnLength=0x1cf578 | out: TokenInformation=0xad1080, ReturnLength=0x1cf578) returned 1 [0035.218] AllocateAndInitializeSid (in: pIdentifierAuthority=0x1cf588, nSubAuthorityCount=0x2, nSubAuthority0=0x20, nSubAuthority1=0x220, nSubAuthority2=0x0, nSubAuthority3=0x0, nSubAuthority4=0x0, nSubAuthority5=0x0, nSubAuthority6=0x0, nSubAuthority7=0x0, pSid=0x1cf580 | out: pSid=0x1cf580*=0x2616b8*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0))) returned 1 [0035.218] EqualSid (pSid1=0x2616b8*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), pSid2=0xad10a4*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0))) returned 1 [0035.218] NtClose (Handle=0xbc) returned 0x0 [0035.218] RtlQueryElevationFlags () returned 0x0 [0035.219] SHRegDuplicateHKey (hkey=0x80000002) returned 0x80000002 [0035.219] RegEnumKeyW (in: hKey=0x80000002, dwIndex=0x0, lpName=0xadb970, cchName=0x104 | out: lpName="BCD00000000") returned 0x0 [0035.219] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="bcd00000000", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.219] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="bcd00000000", cchWideChar=11, lpMultiByteStr=0xadbc80, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bcd00000000", lpUsedDefaultChar=0x0) returned 11 [0035.220] RegEnumKeyW (in: hKey=0x80000002, dwIndex=0x1, lpName=0xadb970, cchName=0x104 | out: lpName="HARDWARE") returned 0x0 [0035.220] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="hardware", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0035.220] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="hardware", cchWideChar=8, lpMultiByteStr=0xadbce0, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="hardware", lpUsedDefaultChar=0x0) returned 8 [0035.220] RegEnumKeyW (in: hKey=0x80000002, dwIndex=0x2, lpName=0xadb970, cchName=0x104 | out: lpName="SAM") returned 0x0 [0035.220] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="sam", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0035.220] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="sam", cchWideChar=3, lpMultiByteStr=0xadbd28, cbMultiByte=3, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="sam", lpUsedDefaultChar=0x0) returned 3 [0035.220] RegEnumKeyW (in: hKey=0x80000002, dwIndex=0x3, lpName=0xadb970, cchName=0x104 | out: lpName="SECURITY") returned 0x0 [0035.220] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="security", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0035.220] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="security", cchWideChar=8, lpMultiByteStr=0xadbce0, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="security", lpUsedDefaultChar=0x0) returned 8 [0035.220] RegEnumKeyW (in: hKey=0x80000002, dwIndex=0x4, lpName=0xadb970, cchName=0x104 | out: lpName="SOFTWARE") returned 0x0 [0035.220] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="software", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0035.220] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="software", cchWideChar=8, lpMultiByteStr=0xadbd28, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="software", lpUsedDefaultChar=0x0) returned 8 [0035.221] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE", ulOptions=0x0, samDesired=0x20109, phkResult=0x1cf4fc | out: phkResult=0x1cf4fc*=0xbc) returned 0x0 [0035.221] RegCloseKey (hKey=0x80000002) returned 0x0 [0035.221] RegEnumKeyW (in: hKey=0xbc, dwIndex=0x0, lpName=0xadb970, cchName=0x104 | out: lpName="ATI Technologies") returned 0x0 [0035.221] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ati technologies", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0035.221] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ati technologies", cchWideChar=16, lpMultiByteStr=0xadc160, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ati technologies", lpUsedDefaultChar=0x0) returned 16 [0035.221] RegEnumKeyW (in: hKey=0xbc, dwIndex=0x1, lpName=0xadb970, cchName=0x104 | out: lpName="CBSTEST") returned 0x0 [0035.221] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="cbstest", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0035.221] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="cbstest", cchWideChar=7, lpMultiByteStr=0xadc1a8, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="cbstest", lpUsedDefaultChar=0x0) returned 7 [0035.221] RegEnumKeyW (in: hKey=0xbc, dwIndex=0x2, lpName=0xadb970, cchName=0x104 | out: lpName="Classes") returned 0x0 [0035.221] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="classes", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0035.221] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="classes", cchWideChar=7, lpMultiByteStr=0xadc160, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="classes", lpUsedDefaultChar=0x0) returned 7 [0035.221] RegEnumKeyW (in: hKey=0xbc, dwIndex=0x3, lpName=0xadb970, cchName=0x104 | out: lpName="Clients") returned 0x0 [0035.221] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="clients", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0035.221] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="clients", cchWideChar=7, lpMultiByteStr=0xadc1a8, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="clients", lpUsedDefaultChar=0x0) returned 7 [0035.222] RegEnumKeyW (in: hKey=0xbc, dwIndex=0x4, lpName=0xadb970, cchName=0x104 | out: lpName="Intel") returned 0x0 [0035.222] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="intel", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0035.222] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="intel", cchWideChar=5, lpMultiByteStr=0xadc160, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="intel", lpUsedDefaultChar=0x0) returned 5 [0035.222] RegEnumKeyW (in: hKey=0xbc, dwIndex=0x5, lpName=0xadb970, cchName=0x104 | out: lpName="Macromedia") returned 0x0 [0035.222] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="macromedia", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0035.222] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="macromedia", cchWideChar=10, lpMultiByteStr=0xadc1a8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="macromedia", lpUsedDefaultChar=0x0) returned 10 [0035.222] RegEnumKeyW (in: hKey=0xbc, dwIndex=0x6, lpName=0xadb970, cchName=0x104 | out: lpName="Microsoft") returned 0x0 [0035.222] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="microsoft", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0035.222] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="microsoft", cchWideChar=9, lpMultiByteStr=0xadc160, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="microsoft", lpUsedDefaultChar=0x0) returned 9 [0035.222] RegOpenKeyExW (in: hKey=0xbc, lpSubKey="Microsoft", ulOptions=0x0, samDesired=0x20109, phkResult=0x1cf4fc | out: phkResult=0x1cf4fc*=0x3c) returned 0x0 [0035.222] RegCloseKey (hKey=0xbc) returned 0x0 [0035.222] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x0, lpName=0xadb970, cchName=0x104 | out: lpName=".NETFramework") returned 0x0 [0035.222] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr=".netframework", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0035.222] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr=".netframework", cchWideChar=13, lpMultiByteStr=0xadc1a8, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=".netframework", lpUsedDefaultChar=0x0) returned 13 [0035.222] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x1, lpName=0xadb970, cchName=0x104 | out: lpName="Active Setup") returned 0x0 [0035.223] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="active setup", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0035.223] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="active setup", cchWideChar=12, lpMultiByteStr=0xadc160, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="active setup", lpUsedDefaultChar=0x0) returned 12 [0035.223] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x2, lpName=0xadb970, cchName=0x104 | out: lpName="ADs") returned 0x0 [0035.223] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ads", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0035.223] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ads", cchWideChar=3, lpMultiByteStr=0xadc1a8, cbMultiByte=3, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ads", lpUsedDefaultChar=0x0) returned 3 [0035.223] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x3, lpName=0xadb970, cchName=0x104 | out: lpName="Advanced INF Setup") returned 0x0 [0035.223] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="advanced inf setup", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0035.223] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="advanced inf setup", cchWideChar=18, lpMultiByteStr=0xadc160, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="advanced inf setup", lpUsedDefaultChar=0x0) returned 18 [0035.223] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x4, lpName=0xadb970, cchName=0x104 | out: lpName="ALG") returned 0x0 [0035.223] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="alg", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0035.223] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="alg", cchWideChar=3, lpMultiByteStr=0xadc1a8, cbMultiByte=3, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="alg", lpUsedDefaultChar=0x0) returned 3 [0035.223] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x5, lpName=0xadb970, cchName=0x104 | out: lpName="ASP.NET") returned 0x0 [0035.223] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="asp.net", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0035.223] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="asp.net", cchWideChar=7, lpMultiByteStr=0xadc160, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="asp.net", lpUsedDefaultChar=0x0) returned 7 [0035.223] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x6, lpName=0xadb970, cchName=0x104 | out: lpName="Assistance") returned 0x0 [0035.224] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="assistance", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0035.224] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="assistance", cchWideChar=10, lpMultiByteStr=0xadc1a8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="assistance", lpUsedDefaultChar=0x0) returned 10 [0035.224] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x7, lpName=0xadb970, cchName=0x104 | out: lpName="BidInterface") returned 0x0 [0035.224] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="bidinterface", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0035.224] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="bidinterface", cchWideChar=12, lpMultiByteStr=0xadc160, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bidinterface", lpUsedDefaultChar=0x0) returned 12 [0035.224] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x8, lpName=0xadb970, cchName=0x104 | out: lpName="COM3") returned 0x0 [0035.224] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="com3", cchWideChar=4, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 4 [0035.224] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="com3", cchWideChar=4, lpMultiByteStr=0xadc1a8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="com3", lpUsedDefaultChar=0x0) returned 4 [0035.224] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x9, lpName=0xadb970, cchName=0x104 | out: lpName="Command Processor") returned 0x0 [0035.224] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="command processor", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0035.224] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="command processor", cchWideChar=17, lpMultiByteStr=0xadc160, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="command processor", lpUsedDefaultChar=0x0) returned 17 [0035.224] RegEnumKeyW (in: hKey=0x3c, dwIndex=0xa, lpName=0xadb970, cchName=0x104 | out: lpName="Connect to a Network Projector") returned 0x0 [0035.224] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="connect to a network projector", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0035.224] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="connect to a network projector", cchWideChar=30, lpMultiByteStr=0xadc1a8, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="connect to a network projector", lpUsedDefaultChar=0x0) returned 30 [0035.224] RegEnumKeyW (in: hKey=0x3c, dwIndex=0xb, lpName=0xadb970, cchName=0x104 | out: lpName="Cryptography") returned 0x0 [0035.224] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="cryptography", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0035.225] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="cryptography", cchWideChar=12, lpMultiByteStr=0xadc160, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="cryptography", lpUsedDefaultChar=0x0) returned 12 [0035.225] RegEnumKeyW (in: hKey=0x3c, dwIndex=0xc, lpName=0xadb970, cchName=0x104 | out: lpName="CTF") returned 0x0 [0035.225] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ctf", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0035.225] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ctf", cchWideChar=3, lpMultiByteStr=0xadc1a8, cbMultiByte=3, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ctf", lpUsedDefaultChar=0x0) returned 3 [0035.225] RegEnumKeyW (in: hKey=0x3c, dwIndex=0xd, lpName=0xadb970, cchName=0x104 | out: lpName="DataAccess") returned 0x0 [0035.225] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="dataaccess", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0035.225] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="dataaccess", cchWideChar=10, lpMultiByteStr=0xadc160, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dataaccess", lpUsedDefaultChar=0x0) returned 10 [0035.225] RegEnumKeyW (in: hKey=0x3c, dwIndex=0xe, lpName=0xadb970, cchName=0x104 | out: lpName="DataFactory") returned 0x0 [0035.225] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="datafactory", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.225] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="datafactory", cchWideChar=11, lpMultiByteStr=0xadc1a8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="datafactory", lpUsedDefaultChar=0x0) returned 11 [0035.225] RegEnumKeyW (in: hKey=0x3c, dwIndex=0xf, lpName=0xadb970, cchName=0x104 | out: lpName="DevDiv") returned 0x0 [0035.225] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="devdiv", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0035.225] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="devdiv", cchWideChar=6, lpMultiByteStr=0xadc160, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="devdiv", lpUsedDefaultChar=0x0) returned 6 [0035.225] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x10, lpName=0xadb970, cchName=0x104 | out: lpName="Dfrg") returned 0x0 [0035.225] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="dfrg", cchWideChar=4, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 4 [0035.225] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="dfrg", cchWideChar=4, lpMultiByteStr=0xadc1a8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dfrg", lpUsedDefaultChar=0x0) returned 4 [0035.226] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x11, lpName=0xadb970, cchName=0x104 | out: lpName="DFS") returned 0x0 [0035.226] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="dfs", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0035.226] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="dfs", cchWideChar=3, lpMultiByteStr=0xadc160, cbMultiByte=3, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dfs", lpUsedDefaultChar=0x0) returned 3 [0035.226] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x12, lpName=0xadb970, cchName=0x104 | out: lpName="DirectDraw") returned 0x0 [0035.226] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="directdraw", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0035.226] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="directdraw", cchWideChar=10, lpMultiByteStr=0xadc1a8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="directdraw", lpUsedDefaultChar=0x0) returned 10 [0035.226] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x13, lpName=0xadb970, cchName=0x104 | out: lpName="DirectInput") returned 0x0 [0035.226] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="directinput", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.226] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="directinput", cchWideChar=11, lpMultiByteStr=0xadc160, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="directinput", lpUsedDefaultChar=0x0) returned 11 [0035.226] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x14, lpName=0xadb970, cchName=0x104 | out: lpName="DirectMusic") returned 0x0 [0035.226] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="directmusic", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.226] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="directmusic", cchWideChar=11, lpMultiByteStr=0xadc1a8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="directmusic", lpUsedDefaultChar=0x0) returned 11 [0035.226] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x15, lpName=0xadb970, cchName=0x104 | out: lpName="DirectPlay8") returned 0x0 [0035.226] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="directplay8", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.226] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="directplay8", cchWideChar=11, lpMultiByteStr=0xadc160, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="directplay8", lpUsedDefaultChar=0x0) returned 11 [0035.227] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x16, lpName=0xadb970, cchName=0x104 | out: lpName="DirectPlayNATHelp") returned 0x0 [0035.227] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="directplaynathelp", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0035.227] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="directplaynathelp", cchWideChar=17, lpMultiByteStr=0xadc1a8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="directplaynathelp", lpUsedDefaultChar=0x0) returned 17 [0035.227] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x17, lpName=0xadb970, cchName=0x104 | out: lpName="DirectShow") returned 0x0 [0035.227] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="directshow", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0035.227] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="directshow", cchWideChar=10, lpMultiByteStr=0xadc160, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="directshow", lpUsedDefaultChar=0x0) returned 10 [0035.227] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x18, lpName=0xadb970, cchName=0x104 | out: lpName="DirectX") returned 0x0 [0035.227] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="directx", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0035.227] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="directx", cchWideChar=7, lpMultiByteStr=0xadc1a8, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="directx", lpUsedDefaultChar=0x0) returned 7 [0035.227] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x19, lpName=0xadb970, cchName=0x104 | out: lpName="Driver Signing") returned 0x0 [0035.227] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="driver signing", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0035.227] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="driver signing", cchWideChar=14, lpMultiByteStr=0xadc160, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="driver signing", lpUsedDefaultChar=0x0) returned 14 [0035.227] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x1a, lpName=0xadb970, cchName=0x104 | out: lpName="DRM") returned 0x0 [0035.227] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="drm", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0035.227] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="drm", cchWideChar=3, lpMultiByteStr=0xadc1a8, cbMultiByte=3, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="drm", lpUsedDefaultChar=0x0) returned 3 [0035.228] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x1b, lpName=0xadb970, cchName=0x104 | out: lpName="DVR") returned 0x0 [0035.228] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="dvr", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0035.228] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="dvr", cchWideChar=3, lpMultiByteStr=0xadc160, cbMultiByte=3, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dvr", lpUsedDefaultChar=0x0) returned 3 [0035.228] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x1c, lpName=0xadb970, cchName=0x104 | out: lpName="DXP") returned 0x0 [0035.228] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="dxp", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0035.228] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="dxp", cchWideChar=3, lpMultiByteStr=0xadc1a8, cbMultiByte=3, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dxp", lpUsedDefaultChar=0x0) returned 3 [0035.228] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x1d, lpName=0xadb970, cchName=0x104 | out: lpName="EnterpriseCertificates") returned 0x0 [0035.228] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="enterprisecertificates", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0035.228] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="enterprisecertificates", cchWideChar=22, lpMultiByteStr=0xadc160, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="enterprisecertificates", lpUsedDefaultChar=0x0) returned 22 [0035.228] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x1e, lpName=0xadb970, cchName=0x104 | out: lpName="EventSystem") returned 0x0 [0035.228] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="eventsystem", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.228] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="eventsystem", cchWideChar=11, lpMultiByteStr=0xadc1a8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="eventsystem", lpUsedDefaultChar=0x0) returned 11 [0035.228] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x1f, lpName=0xadb970, cchName=0x104 | out: lpName="Exchange") returned 0x0 [0035.228] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="exchange", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0035.228] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="exchange", cchWideChar=8, lpMultiByteStr=0xadc160, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="exchange", lpUsedDefaultChar=0x0) returned 8 [0035.229] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x20, lpName=0xadb970, cchName=0x104 | out: lpName="Fax") returned 0x0 [0035.229] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="fax", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0035.229] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="fax", cchWideChar=3, lpMultiByteStr=0xadc1a8, cbMultiByte=3, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="fax", lpUsedDefaultChar=0x0) returned 3 [0035.229] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x21, lpName=0xadb970, cchName=0x104 | out: lpName="Feeds") returned 0x0 [0035.229] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="feeds", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0035.229] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="feeds", cchWideChar=5, lpMultiByteStr=0xadc160, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="feeds", lpUsedDefaultChar=0x0) returned 5 [0035.229] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x22, lpName=0xadb970, cchName=0x104 | out: lpName="FlashConfig") returned 0x0 [0035.229] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="flashconfig", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.229] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="flashconfig", cchWideChar=11, lpMultiByteStr=0xadc1a8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="flashconfig", lpUsedDefaultChar=0x0) returned 11 [0035.229] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x23, lpName=0xadb970, cchName=0x104 | out: lpName="FTH") returned 0x0 [0035.229] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="fth", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0035.229] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="fth", cchWideChar=3, lpMultiByteStr=0xadc160, cbMultiByte=3, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="fth", lpUsedDefaultChar=0x0) returned 3 [0035.229] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x24, lpName=0xadb970, cchName=0x104 | out: lpName="Function Discovery") returned 0x0 [0035.229] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="function discovery", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0035.229] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="function discovery", cchWideChar=18, lpMultiByteStr=0xadc1a8, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="function discovery", lpUsedDefaultChar=0x0) returned 18 [0035.230] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x25, lpName=0xadb970, cchName=0x104 | out: lpName="Fusion") returned 0x0 [0035.230] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="fusion", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0035.230] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="fusion", cchWideChar=6, lpMultiByteStr=0xadc160, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="fusion", lpUsedDefaultChar=0x0) returned 6 [0035.230] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x26, lpName=0xadb970, cchName=0x104 | out: lpName="GPUPipeline") returned 0x0 [0035.230] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="gpupipeline", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.230] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="gpupipeline", cchWideChar=11, lpMultiByteStr=0xadc1a8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="gpupipeline", lpUsedDefaultChar=0x0) returned 11 [0035.230] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x27, lpName=0xadb970, cchName=0x104 | out: lpName="HTMLHelp") returned 0x0 [0035.230] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="htmlhelp", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0035.230] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="htmlhelp", cchWideChar=8, lpMultiByteStr=0xadc160, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="htmlhelp", lpUsedDefaultChar=0x0) returned 8 [0035.230] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x28, lpName=0xadb970, cchName=0x104 | out: lpName="IdentityCRL") returned 0x0 [0035.230] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="identitycrl", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.230] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="identitycrl", cchWideChar=11, lpMultiByteStr=0xadc1a8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="identitycrl", lpUsedDefaultChar=0x0) returned 11 [0035.230] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x29, lpName=0xadb970, cchName=0x104 | out: lpName="IdentityStore") returned 0x0 [0035.230] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="identitystore", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0035.230] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="identitystore", cchWideChar=13, lpMultiByteStr=0xadc160, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="identitystore", lpUsedDefaultChar=0x0) returned 13 [0035.230] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x2a, lpName=0xadb970, cchName=0x104 | out: lpName="IMAPI") returned 0x0 [0035.231] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="imapi", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0035.231] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="imapi", cchWideChar=5, lpMultiByteStr=0xadc1a8, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="imapi", lpUsedDefaultChar=0x0) returned 5 [0035.231] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x2b, lpName=0xadb970, cchName=0x104 | out: lpName="IMEJP") returned 0x0 [0035.231] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="imejp", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0035.231] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="imejp", cchWideChar=5, lpMultiByteStr=0xadc160, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="imejp", lpUsedDefaultChar=0x0) returned 5 [0035.231] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x2c, lpName=0xadb970, cchName=0x104 | out: lpName="IMEKR") returned 0x0 [0035.231] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="imekr", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0035.231] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="imekr", cchWideChar=5, lpMultiByteStr=0xadc1a8, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="imekr", lpUsedDefaultChar=0x0) returned 5 [0035.231] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x2d, lpName=0xadb970, cchName=0x104 | out: lpName="IMETC") returned 0x0 [0035.231] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="imetc", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0035.231] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="imetc", cchWideChar=5, lpMultiByteStr=0xadc160, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="imetc", lpUsedDefaultChar=0x0) returned 5 [0035.231] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x2e, lpName=0xadb970, cchName=0x104 | out: lpName="Internet Account Manager") returned 0x0 [0035.231] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="internet account manager", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0035.231] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="internet account manager", cchWideChar=24, lpMultiByteStr=0xadc1a8, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="internet account manager", lpUsedDefaultChar=0x0) returned 24 [0035.231] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x2f, lpName=0xadb970, cchName=0x104 | out: lpName="Internet Domains") returned 0x0 [0035.232] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="internet domains", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0035.232] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="internet domains", cchWideChar=16, lpMultiByteStr=0xadc160, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="internet domains", lpUsedDefaultChar=0x0) returned 16 [0035.232] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x30, lpName=0xadb970, cchName=0x104 | out: lpName="Internet Explorer") returned 0x0 [0035.232] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="internet explorer", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0035.232] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="internet explorer", cchWideChar=17, lpMultiByteStr=0xadc1a8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="internet explorer", lpUsedDefaultChar=0x0) returned 17 [0035.232] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x31, lpName=0xadb970, cchName=0x104 | out: lpName="IsoBurn") returned 0x0 [0035.232] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="isoburn", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0035.232] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="isoburn", cchWideChar=7, lpMultiByteStr=0xadc160, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="isoburn", lpUsedDefaultChar=0x0) returned 7 [0035.247] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x32, lpName=0xadb970, cchName=0x104 | out: lpName="Loki") returned 0x0 [0035.247] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="loki", cchWideChar=4, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 4 [0035.247] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="loki", cchWideChar=4, lpMultiByteStr=0xadc1a8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="loki", lpUsedDefaultChar=0x0) returned 4 [0035.247] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x33, lpName=0xadb970, cchName=0x104 | out: lpName="MediaCenterPeripheral") returned 0x0 [0035.247] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mediacenterperipheral", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0035.248] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mediacenterperipheral", cchWideChar=21, lpMultiByteStr=0xadc160, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mediacenterperipheral", lpUsedDefaultChar=0x0) returned 21 [0035.248] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x34, lpName=0xadb970, cchName=0x104 | out: lpName="MediaPlayer") returned 0x0 [0035.248] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mediaplayer", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.248] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mediaplayer", cchWideChar=11, lpMultiByteStr=0xadc1a8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mediaplayer", lpUsedDefaultChar=0x0) returned 11 [0035.248] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x35, lpName=0xadb970, cchName=0x104 | out: lpName="MessengerService") returned 0x0 [0035.248] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="messengerservice", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0035.248] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="messengerservice", cchWideChar=16, lpMultiByteStr=0xadc160, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="messengerservice", lpUsedDefaultChar=0x0) returned 16 [0035.248] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x36, lpName=0xadb970, cchName=0x104 | out: lpName="Microsoft Reference") returned 0x0 [0035.248] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="microsoft reference", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0035.248] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="microsoft reference", cchWideChar=19, lpMultiByteStr=0xadc1a8, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="microsoft reference", lpUsedDefaultChar=0x0) returned 19 [0035.248] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x37, lpName=0xadb970, cchName=0x104 | out: lpName="Microsoft SQL Server Compact Edition") returned 0x0 [0035.248] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="microsoft sql server compact edition", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0035.248] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="microsoft sql server compact edition", cchWideChar=36, lpMultiByteStr=0xadc160, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="microsoft sql server compact edition", lpUsedDefaultChar=0x0) returned 36 [0035.248] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x38, lpName=0xadb970, cchName=0x104 | out: lpName="MigWiz") returned 0x0 [0035.248] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="migwiz", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0035.248] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="migwiz", cchWideChar=6, lpMultiByteStr=0xadc1a8, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="migwiz", lpUsedDefaultChar=0x0) returned 6 [0035.248] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x39, lpName=0xadb970, cchName=0x104 | out: lpName="MMC") returned 0x0 [0035.248] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mmc", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0035.248] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mmc", cchWideChar=3, lpMultiByteStr=0xadc160, cbMultiByte=3, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mmc", lpUsedDefaultChar=0x0) returned 3 [0035.248] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x3a, lpName=0xadb970, cchName=0x104 | out: lpName="Mobile") returned 0x0 [0035.249] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mobile", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0035.249] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mobile", cchWideChar=6, lpMultiByteStr=0xadc1a8, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mobile", lpUsedDefaultChar=0x0) returned 6 [0035.249] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x3b, lpName=0xadb970, cchName=0x104 | out: lpName="MSBuild") returned 0x0 [0035.249] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="msbuild", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0035.249] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="msbuild", cchWideChar=7, lpMultiByteStr=0xadc160, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msbuild", lpUsedDefaultChar=0x0) returned 7 [0035.249] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x3c, lpName=0xadb970, cchName=0x104 | out: lpName="MSDE") returned 0x0 [0035.249] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="msde", cchWideChar=4, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 4 [0035.249] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="msde", cchWideChar=4, lpMultiByteStr=0xadc1a8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msde", lpUsedDefaultChar=0x0) returned 4 [0035.249] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x3d, lpName=0xadb970, cchName=0x104 | out: lpName="MSDTC") returned 0x0 [0035.249] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="msdtc", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0035.249] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="msdtc", cchWideChar=5, lpMultiByteStr=0xadc160, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msdtc", lpUsedDefaultChar=0x0) returned 5 [0035.249] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x3e, lpName=0xadb970, cchName=0x104 | out: lpName="MSF") returned 0x0 [0035.249] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="msf", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0035.249] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="msf", cchWideChar=3, lpMultiByteStr=0xadc1a8, cbMultiByte=3, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msf", lpUsedDefaultChar=0x0) returned 3 [0035.249] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x3f, lpName=0xadb970, cchName=0x104 | out: lpName="MSLicensing") returned 0x0 [0035.249] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mslicensing", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.249] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mslicensing", cchWideChar=11, lpMultiByteStr=0xadc160, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mslicensing", lpUsedDefaultChar=0x0) returned 11 [0035.249] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x40, lpName=0xadb970, cchName=0x104 | out: lpName="MSMQ") returned 0x0 [0035.249] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="msmq", cchWideChar=4, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 4 [0035.249] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="msmq", cchWideChar=4, lpMultiByteStr=0xadc1a8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msmq", lpUsedDefaultChar=0x0) returned 4 [0035.249] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x41, lpName=0xadb970, cchName=0x104 | out: lpName="MSN Apps") returned 0x0 [0035.249] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="msn apps", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0035.249] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="msn apps", cchWideChar=8, lpMultiByteStr=0xadc160, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msn apps", lpUsedDefaultChar=0x0) returned 8 [0035.249] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x42, lpName=0xadb970, cchName=0x104 | out: lpName="MSOSOAP") returned 0x0 [0035.249] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="msosoap", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0035.250] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="msosoap", cchWideChar=7, lpMultiByteStr=0xadc1a8, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msosoap", lpUsedDefaultChar=0x0) returned 7 [0035.250] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x43, lpName=0xadb970, cchName=0x104 | out: lpName="MSSearch36") returned 0x0 [0035.250] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mssearch36", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0035.250] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mssearch36", cchWideChar=10, lpMultiByteStr=0xadc160, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mssearch36", lpUsedDefaultChar=0x0) returned 10 [0035.250] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x44, lpName=0xadb970, cchName=0x104 | out: lpName="MSSQLServer") returned 0x0 [0035.250] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mssqlserver", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.250] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mssqlserver", cchWideChar=11, lpMultiByteStr=0xadc1a8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mssqlserver", lpUsedDefaultChar=0x0) returned 11 [0035.250] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x45, lpName=0xadb970, cchName=0x104 | out: lpName="Multimedia") returned 0x0 [0035.250] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="multimedia", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0035.250] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="multimedia", cchWideChar=10, lpMultiByteStr=0xadc160, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="multimedia", lpUsedDefaultChar=0x0) returned 10 [0035.250] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x46, lpName=0xadb970, cchName=0x104 | out: lpName="NapServer") returned 0x0 [0035.250] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="napserver", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0035.250] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="napserver", cchWideChar=9, lpMultiByteStr=0xadc1a8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="napserver", lpUsedDefaultChar=0x0) returned 9 [0035.250] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x47, lpName=0xadb970, cchName=0x104 | out: lpName="NET Framework Setup") returned 0x0 [0035.250] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="net framework setup", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0035.250] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="net framework setup", cchWideChar=19, lpMultiByteStr=0xadc160, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="net framework setup", lpUsedDefaultChar=0x0) returned 19 [0035.250] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x48, lpName=0xadb970, cchName=0x104 | out: lpName="NetSh") returned 0x0 [0035.250] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="netsh", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0035.250] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="netsh", cchWideChar=5, lpMultiByteStr=0xadc1a8, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="netsh", lpUsedDefaultChar=0x0) returned 5 [0035.250] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x49, lpName=0xadb970, cchName=0x104 | out: lpName="Network") returned 0x0 [0035.250] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="network", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0035.250] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="network", cchWideChar=7, lpMultiByteStr=0xadc160, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="network", lpUsedDefaultChar=0x0) returned 7 [0035.250] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x4a, lpName=0xadb970, cchName=0x104 | out: lpName="NetworkAccessProtection") returned 0x0 [0035.250] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="networkaccessprotection", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0035.250] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="networkaccessprotection", cchWideChar=23, lpMultiByteStr=0xadc1a8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="networkaccessprotection", lpUsedDefaultChar=0x0) returned 23 [0035.251] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x4b, lpName=0xadb970, cchName=0x104 | out: lpName="Non-Driver Signing") returned 0x0 [0035.251] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="non-driver signing", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0035.251] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="non-driver signing", cchWideChar=18, lpMultiByteStr=0xadc160, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="non-driver signing", lpUsedDefaultChar=0x0) returned 18 [0035.251] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x4c, lpName=0xadb970, cchName=0x104 | out: lpName="Notepad") returned 0x0 [0035.251] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="notepad", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0035.251] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="notepad", cchWideChar=7, lpMultiByteStr=0xadc1a8, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="notepad", lpUsedDefaultChar=0x0) returned 7 [0035.251] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x4d, lpName=0xadb970, cchName=0x104 | out: lpName="ODBC") returned 0x0 [0035.251] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="odbc", cchWideChar=4, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 4 [0035.251] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="odbc", cchWideChar=4, lpMultiByteStr=0xadc160, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="odbc", lpUsedDefaultChar=0x0) returned 4 [0035.251] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x4e, lpName=0xadb970, cchName=0x104 | out: lpName="Office") returned 0x0 [0035.251] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="office", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0035.251] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="office", cchWideChar=6, lpMultiByteStr=0xadc1a8, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="office", lpUsedDefaultChar=0x0) returned 6 [0035.251] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x4f, lpName=0xadb970, cchName=0x104 | out: lpName="OfficeSoftwareProtectionPlatform") returned 0x0 [0035.251] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="officesoftwareprotectionplatform", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0035.251] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="officesoftwareprotectionplatform", cchWideChar=32, lpMultiByteStr=0xadc160, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="officesoftwareprotectionplatform", lpUsedDefaultChar=0x0) returned 32 [0035.251] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x50, lpName=0xadb970, cchName=0x104 | out: lpName="Ole") returned 0x0 [0035.251] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ole", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0035.251] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ole", cchWideChar=3, lpMultiByteStr=0xadc1a8, cbMultiByte=3, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ole", lpUsedDefaultChar=0x0) returned 3 [0035.251] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x51, lpName=0xadb970, cchName=0x104 | out: lpName="Outlook Express") returned 0x0 [0035.251] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="outlook express", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0035.251] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="outlook express", cchWideChar=15, lpMultiByteStr=0xadc160, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="outlook express", lpUsedDefaultChar=0x0) returned 15 [0035.251] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x52, lpName=0xadb970, cchName=0x104 | out: lpName="PLA") returned 0x0 [0035.251] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="pla", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0035.251] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="pla", cchWideChar=3, lpMultiByteStr=0xadc1a8, cbMultiByte=3, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="pla", lpUsedDefaultChar=0x0) returned 3 [0035.251] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x53, lpName=0xadb970, cchName=0x104 | out: lpName="PowerShell") returned 0x0 [0035.252] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="powershell", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0035.252] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="powershell", cchWideChar=10, lpMultiByteStr=0xadc160, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="powershell", lpUsedDefaultChar=0x0) returned 10 [0035.252] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x54, lpName=0xadb970, cchName=0x104 | out: lpName="Print") returned 0x0 [0035.252] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="print", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0035.252] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="print", cchWideChar=5, lpMultiByteStr=0xadc1a8, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="print", lpUsedDefaultChar=0x0) returned 5 [0035.252] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x55, lpName=0xadb970, cchName=0x104 | out: lpName="RADAR") returned 0x0 [0035.252] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="radar", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0035.252] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="radar", cchWideChar=5, lpMultiByteStr=0xadc160, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="radar", lpUsedDefaultChar=0x0) returned 5 [0035.252] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x56, lpName=0xadb970, cchName=0x104 | out: lpName="Ras") returned 0x0 [0035.252] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ras", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0035.252] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ras", cchWideChar=3, lpMultiByteStr=0xadc1a8, cbMultiByte=3, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ras", lpUsedDefaultChar=0x0) returned 3 [0035.252] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x57, lpName=0xadb970, cchName=0x104 | out: lpName="RAS AutoDial") returned 0x0 [0035.252] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ras autodial", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0035.252] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ras autodial", cchWideChar=12, lpMultiByteStr=0xadc160, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ras autodial", lpUsedDefaultChar=0x0) returned 12 [0035.252] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x58, lpName=0xadb970, cchName=0x104 | out: lpName="Reliability Analysis") returned 0x0 [0035.252] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="reliability analysis", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0035.252] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="reliability analysis", cchWideChar=20, lpMultiByteStr=0xadc1a8, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="reliability analysis", lpUsedDefaultChar=0x0) returned 20 [0035.252] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x59, lpName=0xadb970, cchName=0x104 | out: lpName="RemovalTools") returned 0x0 [0035.252] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="removaltools", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0035.252] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="removaltools", cchWideChar=12, lpMultiByteStr=0xadc160, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="removaltools", lpUsedDefaultChar=0x0) returned 12 [0035.252] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x5a, lpName=0xadb970, cchName=0x104 | out: lpName="RendezvousApps") returned 0x0 [0035.252] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="rendezvousapps", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0035.252] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="rendezvousapps", cchWideChar=14, lpMultiByteStr=0xadc1a8, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="rendezvousapps", lpUsedDefaultChar=0x0) returned 14 [0035.252] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x5b, lpName=0xadb970, cchName=0x104 | out: lpName="Router") returned 0x0 [0035.252] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="router", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0035.253] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="router", cchWideChar=6, lpMultiByteStr=0xadc160, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="router", lpUsedDefaultChar=0x0) returned 6 [0035.253] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x5c, lpName=0xadb970, cchName=0x104 | out: lpName="Rpc") returned 0x0 [0035.253] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="rpc", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0035.253] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="rpc", cchWideChar=3, lpMultiByteStr=0xadc1a8, cbMultiByte=3, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="rpc", lpUsedDefaultChar=0x0) returned 3 [0035.253] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x5d, lpName=0xadb970, cchName=0x104 | out: lpName="SchedulingAgent") returned 0x0 [0035.253] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="schedulingagent", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0035.253] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="schedulingagent", cchWideChar=15, lpMultiByteStr=0xadc160, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="schedulingagent", lpUsedDefaultChar=0x0) returned 15 [0035.253] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x5e, lpName=0xadb970, cchName=0x104 | out: lpName="Schema Library") returned 0x0 [0035.253] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="schema library", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0035.253] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="schema library", cchWideChar=14, lpMultiByteStr=0xadc1a8, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="schema library", lpUsedDefaultChar=0x0) returned 14 [0035.253] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x5f, lpName=0xadb970, cchName=0x104 | out: lpName="Security Center") returned 0x0 [0035.253] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="security center", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0035.253] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="security center", cchWideChar=15, lpMultiByteStr=0xadc160, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="security center", lpUsedDefaultChar=0x0) returned 15 [0035.253] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x60, lpName=0xadb970, cchName=0x104 | out: lpName="Sensors") returned 0x0 [0035.253] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="sensors", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0035.253] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="sensors", cchWideChar=7, lpMultiByteStr=0xadc1a8, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="sensors", lpUsedDefaultChar=0x0) returned 7 [0035.253] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x61, lpName=0xadb970, cchName=0x104 | out: lpName="Shared") returned 0x0 [0035.253] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="shared", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0035.253] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="shared", cchWideChar=6, lpMultiByteStr=0xadc160, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="shared", lpUsedDefaultChar=0x0) returned 6 [0035.253] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x62, lpName=0xadb970, cchName=0x104 | out: lpName="Shared Tools") returned 0x0 [0035.253] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="shared tools", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0035.253] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="shared tools", cchWideChar=12, lpMultiByteStr=0xadc1a8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="shared tools", lpUsedDefaultChar=0x0) returned 12 [0035.253] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x63, lpName=0xadb970, cchName=0x104 | out: lpName="Shared Tools Location") returned 0x0 [0035.253] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="shared tools location", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0035.253] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="shared tools location", cchWideChar=21, lpMultiByteStr=0xadc160, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="shared tools location", lpUsedDefaultChar=0x0) returned 21 [0035.254] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x64, lpName=0xadb970, cchName=0x104 | out: lpName="SideShow") returned 0x0 [0035.254] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="sideshow", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0035.254] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="sideshow", cchWideChar=8, lpMultiByteStr=0xadc1a8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="sideshow", lpUsedDefaultChar=0x0) returned 8 [0035.254] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x65, lpName=0xadb970, cchName=0x104 | out: lpName="SnippingTool") returned 0x0 [0035.254] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="snippingtool", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0035.254] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="snippingtool", cchWideChar=12, lpMultiByteStr=0xadc160, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="snippingtool", lpUsedDefaultChar=0x0) returned 12 [0035.254] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x66, lpName=0xadb970, cchName=0x104 | out: lpName="Software") returned 0x0 [0035.254] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="software", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0035.254] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="software", cchWideChar=8, lpMultiByteStr=0xadc1a8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="software", lpUsedDefaultChar=0x0) returned 8 [0035.254] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x67, lpName=0xadb970, cchName=0x104 | out: lpName="Speech") returned 0x0 [0035.254] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="speech", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0035.254] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="speech", cchWideChar=6, lpMultiByteStr=0xadc160, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="speech", lpUsedDefaultChar=0x0) returned 6 [0035.254] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x68, lpName=0xadb970, cchName=0x104 | out: lpName="SQMClient") returned 0x0 [0035.254] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="sqmclient", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0035.254] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="sqmclient", cchWideChar=9, lpMultiByteStr=0xadc1a8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="sqmclient", lpUsedDefaultChar=0x0) returned 9 [0035.254] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x69, lpName=0xadb970, cchName=0x104 | out: lpName="Sync Framework") returned 0x0 [0035.254] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="sync framework", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0035.254] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="sync framework", cchWideChar=14, lpMultiByteStr=0xadc160, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="sync framework", lpUsedDefaultChar=0x0) returned 14 [0035.254] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x6a, lpName=0xadb970, cchName=0x104 | out: lpName="Sysprep") returned 0x0 [0035.254] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="sysprep", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0035.254] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="sysprep", cchWideChar=7, lpMultiByteStr=0xadc1a8, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="sysprep", lpUsedDefaultChar=0x0) returned 7 [0035.254] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x6b, lpName=0xadb970, cchName=0x104 | out: lpName="SystemCertificates") returned 0x0 [0035.254] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="systemcertificates", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0035.254] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="systemcertificates", cchWideChar=18, lpMultiByteStr=0xadc160, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="systemcertificates", lpUsedDefaultChar=0x0) returned 18 [0035.254] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x6c, lpName=0xadb970, cchName=0x104 | out: lpName="TableTextService") returned 0x0 [0035.255] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="tabletextservice", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0035.255] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="tabletextservice", cchWideChar=16, lpMultiByteStr=0xadc1a8, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tabletextservice", lpUsedDefaultChar=0x0) returned 16 [0035.255] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x6d, lpName=0xadb970, cchName=0x104 | out: lpName="TabletTip") returned 0x0 [0035.255] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="tablettip", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0035.255] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="tablettip", cchWideChar=9, lpMultiByteStr=0xadc160, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tablettip", lpUsedDefaultChar=0x0) returned 9 [0035.255] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x6e, lpName=0xadb970, cchName=0x104 | out: lpName="Tcpip") returned 0x0 [0035.255] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="tcpip", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0035.255] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="tcpip", cchWideChar=5, lpMultiByteStr=0xadc1a8, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tcpip", lpUsedDefaultChar=0x0) returned 5 [0035.255] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x6f, lpName=0xadb970, cchName=0x104 | out: lpName="Terminal Server Client") returned 0x0 [0035.255] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="terminal server client", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0035.255] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="terminal server client", cchWideChar=22, lpMultiByteStr=0xadc160, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="terminal server client", lpUsedDefaultChar=0x0) returned 22 [0035.255] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x70, lpName=0xadb970, cchName=0x104 | out: lpName="TermServLicensing") returned 0x0 [0035.255] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="termservlicensing", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0035.255] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="termservlicensing", cchWideChar=17, lpMultiByteStr=0xadc1a8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="termservlicensing", lpUsedDefaultChar=0x0) returned 17 [0035.255] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x71, lpName=0xadb970, cchName=0x104 | out: lpName="TIP Shared") returned 0x0 [0035.255] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="tip shared", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0035.255] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="tip shared", cchWideChar=10, lpMultiByteStr=0xadc160, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tip shared", lpUsedDefaultChar=0x0) returned 10 [0035.255] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x72, lpName=0xadb970, cchName=0x104 | out: lpName="TPG") returned 0x0 [0035.255] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="tpg", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0035.255] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="tpg", cchWideChar=3, lpMultiByteStr=0xadc1a8, cbMultiByte=3, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tpg", lpUsedDefaultChar=0x0) returned 3 [0035.255] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x73, lpName=0xadb970, cchName=0x104 | out: lpName="Tpm") returned 0x0 [0035.255] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="tpm", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0035.255] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="tpm", cchWideChar=3, lpMultiByteStr=0xadc160, cbMultiByte=3, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tpm", lpUsedDefaultChar=0x0) returned 3 [0035.255] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x74, lpName=0xadb970, cchName=0x104 | out: lpName="Tracing") returned 0x0 [0035.256] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="tracing", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0035.256] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="tracing", cchWideChar=7, lpMultiByteStr=0xadc1a8, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tracing", lpUsedDefaultChar=0x0) returned 7 [0035.256] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x75, lpName=0xadb970, cchName=0x104 | out: lpName="Transaction Server") returned 0x0 [0035.256] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="transaction server", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0035.256] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="transaction server", cchWideChar=18, lpMultiByteStr=0xadc160, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="transaction server", lpUsedDefaultChar=0x0) returned 18 [0035.256] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x76, lpName=0xadb970, cchName=0x104 | out: lpName="TV System Services") returned 0x0 [0035.256] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="tv system services", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0035.256] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="tv system services", cchWideChar=18, lpMultiByteStr=0xadc1a8, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tv system services", lpUsedDefaultChar=0x0) returned 18 [0035.256] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x77, lpName=0xadb970, cchName=0x104 | out: lpName="uDRM") returned 0x0 [0035.256] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="udrm", cchWideChar=4, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 4 [0035.256] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="udrm", cchWideChar=4, lpMultiByteStr=0xadc160, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="udrm", lpUsedDefaultChar=0x0) returned 4 [0035.256] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x78, lpName=0xadb970, cchName=0x104 | out: lpName="Updates") returned 0x0 [0035.256] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="updates", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0035.256] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="updates", cchWideChar=7, lpMultiByteStr=0xadc1a8, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="updates", lpUsedDefaultChar=0x0) returned 7 [0035.256] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x79, lpName=0xadb970, cchName=0x104 | out: lpName="UPnP Device Host") returned 0x0 [0035.256] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="upnp device host", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0035.256] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="upnp device host", cchWideChar=16, lpMultiByteStr=0xadc160, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="upnp device host", lpUsedDefaultChar=0x0) returned 16 [0035.256] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x7a, lpName=0xadb970, cchName=0x104 | out: lpName="VBA") returned 0x0 [0035.256] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="vba", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0035.256] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="vba", cchWideChar=3, lpMultiByteStr=0xadc1a8, cbMultiByte=3, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="vba", lpUsedDefaultChar=0x0) returned 3 [0035.256] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x7b, lpName=0xadb970, cchName=0x104 | out: lpName="Virtual Machine") returned 0x0 [0035.256] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="virtual machine", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0035.256] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="virtual machine", cchWideChar=15, lpMultiByteStr=0xadc160, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="virtual machine", lpUsedDefaultChar=0x0) returned 15 [0035.256] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x7c, lpName=0xadb970, cchName=0x104 | out: lpName="VisualStudio") returned 0x0 [0035.256] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="visualstudio", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0035.257] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="visualstudio", cchWideChar=12, lpMultiByteStr=0xadc1a8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="visualstudio", lpUsedDefaultChar=0x0) returned 12 [0035.257] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x7d, lpName=0xadb970, cchName=0x104 | out: lpName="WAB") returned 0x0 [0035.257] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="wab", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0035.257] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="wab", cchWideChar=3, lpMultiByteStr=0xadc160, cbMultiByte=3, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="wab", lpUsedDefaultChar=0x0) returned 3 [0035.257] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x7e, lpName=0xadb970, cchName=0x104 | out: lpName="WBEM") returned 0x0 [0035.257] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="wbem", cchWideChar=4, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 4 [0035.257] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="wbem", cchWideChar=4, lpMultiByteStr=0xadc1a8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="wbem", lpUsedDefaultChar=0x0) returned 4 [0035.257] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x7f, lpName=0xadb970, cchName=0x104 | out: lpName="WIMMount") returned 0x0 [0035.257] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="wimmount", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0035.257] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="wimmount", cchWideChar=8, lpMultiByteStr=0xadc160, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="wimmount", lpUsedDefaultChar=0x0) returned 8 [0035.257] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x80, lpName=0xadb970, cchName=0x104 | out: lpName="Windows") returned 0x0 [0035.257] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="windows", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0035.257] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="windows", cchWideChar=7, lpMultiByteStr=0xadc1a8, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="windows", lpUsedDefaultChar=0x0) returned 7 [0035.257] RegOpenKeyExW (in: hKey=0x3c, lpSubKey="Windows", ulOptions=0x0, samDesired=0x20109, phkResult=0x1cf4fc | out: phkResult=0x1cf4fc*=0xbc) returned 0x0 [0035.257] RegCloseKey (hKey=0x3c) returned 0x0 [0035.257] RegEnumKeyW (in: hKey=0xbc, dwIndex=0x0, lpName=0xadb970, cchName=0x104 | out: lpName="CurrentVersion") returned 0x0 [0035.257] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="currentversion", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0035.257] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="currentversion", cchWideChar=14, lpMultiByteStr=0xadc160, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="currentversion", lpUsedDefaultChar=0x0) returned 14 [0035.257] RegOpenKeyExW (in: hKey=0xbc, lpSubKey="CurrentVersion", ulOptions=0x0, samDesired=0x20109, phkResult=0x1cf4fc | out: phkResult=0x1cf4fc*=0x3c) returned 0x0 [0035.257] RegCloseKey (hKey=0xbc) returned 0x0 [0035.257] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x0, lpName=0xadb970, cchName=0x104 | out: lpName="App Management") returned 0x0 [0035.257] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="app management", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0035.257] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="app management", cchWideChar=14, lpMultiByteStr=0xadc1a8, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="app management", lpUsedDefaultChar=0x0) returned 14 [0035.258] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x1, lpName=0xadb970, cchName=0x104 | out: lpName="App Paths") returned 0x0 [0035.258] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="app paths", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0035.258] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="app paths", cchWideChar=9, lpMultiByteStr=0xadc160, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="app paths", lpUsedDefaultChar=0x0) returned 9 [0035.258] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x2, lpName=0xadb970, cchName=0x104 | out: lpName="Applets") returned 0x0 [0035.258] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="applets", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0035.258] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="applets", cchWideChar=7, lpMultiByteStr=0xadc1a8, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="applets", lpUsedDefaultChar=0x0) returned 7 [0035.258] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x3, lpName=0xadb970, cchName=0x104 | out: lpName="Audio") returned 0x0 [0035.258] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="audio", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0035.258] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="audio", cchWideChar=5, lpMultiByteStr=0xadc160, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="audio", lpUsedDefaultChar=0x0) returned 5 [0035.258] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x4, lpName=0xadb970, cchName=0x104 | out: lpName="Authentication") returned 0x0 [0035.258] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="authentication", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0035.258] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="authentication", cchWideChar=14, lpMultiByteStr=0xadc1a8, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="authentication", lpUsedDefaultChar=0x0) returned 14 [0035.258] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x5, lpName=0xadb970, cchName=0x104 | out: lpName="BitLocker") returned 0x0 [0035.258] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="bitlocker", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0035.258] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="bitlocker", cchWideChar=9, lpMultiByteStr=0xadc160, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bitlocker", lpUsedDefaultChar=0x0) returned 9 [0035.258] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x6, lpName=0xadb970, cchName=0x104 | out: lpName="BITS") returned 0x0 [0035.258] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="bits", cchWideChar=4, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 4 [0035.258] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="bits", cchWideChar=4, lpMultiByteStr=0xadc1a8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bits", lpUsedDefaultChar=0x0) returned 4 [0035.258] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x7, lpName=0xadb970, cchName=0x104 | out: lpName="Component Based Servicing") returned 0x0 [0035.258] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="component based servicing", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0035.258] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="component based servicing", cchWideChar=25, lpMultiByteStr=0xadc160, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="component based servicing", lpUsedDefaultChar=0x0) returned 25 [0035.258] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x8, lpName=0xadb970, cchName=0x104 | out: lpName="Control Panel") returned 0x0 [0035.258] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="control panel", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0035.258] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="control panel", cchWideChar=13, lpMultiByteStr=0xadc1a8, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="control panel", lpUsedDefaultChar=0x0) returned 13 [0035.258] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x9, lpName=0xadb970, cchName=0x104 | out: lpName="Controls Folder") returned 0x0 [0035.259] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="controls folder", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0035.259] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="controls folder", cchWideChar=15, lpMultiByteStr=0xadc160, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="controls folder", lpUsedDefaultChar=0x0) returned 15 [0035.259] RegEnumKeyW (in: hKey=0x3c, dwIndex=0xa, lpName=0xadb970, cchName=0x104 | out: lpName="DateTime") returned 0x0 [0035.259] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="datetime", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0035.259] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="datetime", cchWideChar=8, lpMultiByteStr=0xadc1a8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="datetime", lpUsedDefaultChar=0x0) returned 8 [0035.259] RegEnumKeyW (in: hKey=0x3c, dwIndex=0xb, lpName=0xadb970, cchName=0x104 | out: lpName="Device Installer") returned 0x0 [0035.259] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="device installer", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0035.259] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="device installer", cchWideChar=16, lpMultiByteStr=0xadc160, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="device installer", lpUsedDefaultChar=0x0) returned 16 [0035.259] RegEnumKeyW (in: hKey=0x3c, dwIndex=0xc, lpName=0xadb970, cchName=0x104 | out: lpName="Device Metadata") returned 0x0 [0035.259] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="device metadata", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0035.259] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="device metadata", cchWideChar=15, lpMultiByteStr=0xadc1a8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="device metadata", lpUsedDefaultChar=0x0) returned 15 [0035.259] RegEnumKeyW (in: hKey=0x3c, dwIndex=0xd, lpName=0xadb970, cchName=0x104 | out: lpName="Diagnostics") returned 0x0 [0035.259] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="diagnostics", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.259] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="diagnostics", cchWideChar=11, lpMultiByteStr=0xadc160, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="diagnostics", lpUsedDefaultChar=0x0) returned 11 [0035.259] RegEnumKeyW (in: hKey=0x3c, dwIndex=0xe, lpName=0xadb970, cchName=0x104 | out: lpName="DriverSearching") returned 0x0 [0035.259] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="driversearching", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0035.259] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="driversearching", cchWideChar=15, lpMultiByteStr=0xadc1a8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="driversearching", lpUsedDefaultChar=0x0) returned 15 [0035.259] RegEnumKeyW (in: hKey=0x3c, dwIndex=0xf, lpName=0xadb970, cchName=0x104 | out: lpName="EventCollector") returned 0x0 [0035.259] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="eventcollector", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0035.259] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="eventcollector", cchWideChar=14, lpMultiByteStr=0xadc160, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="eventcollector", lpUsedDefaultChar=0x0) returned 14 [0035.259] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x10, lpName=0xadb970, cchName=0x104 | out: lpName="EventForwarding") returned 0x0 [0035.259] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="eventforwarding", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0035.259] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="eventforwarding", cchWideChar=15, lpMultiByteStr=0xadc1a8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="eventforwarding", lpUsedDefaultChar=0x0) returned 15 [0035.259] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x11, lpName=0xadb970, cchName=0x104 | out: lpName="Explorer") returned 0x0 [0035.259] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="explorer", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0035.260] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="explorer", cchWideChar=8, lpMultiByteStr=0xadc160, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="explorer", lpUsedDefaultChar=0x0) returned 8 [0035.260] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x12, lpName=0xadb970, cchName=0x104 | out: lpName="Ext") returned 0x0 [0035.260] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ext", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0035.260] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ext", cchWideChar=3, lpMultiByteStr=0xadc1a8, cbMultiByte=3, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ext", lpUsedDefaultChar=0x0) returned 3 [0035.260] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x13, lpName=0xadb970, cchName=0x104 | out: lpName="GameUX") returned 0x0 [0035.260] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="gameux", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0035.260] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="gameux", cchWideChar=6, lpMultiByteStr=0xadc160, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="gameux", lpUsedDefaultChar=0x0) returned 6 [0035.260] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x14, lpName=0xadb970, cchName=0x104 | out: lpName="Group Policy") returned 0x0 [0035.260] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="group policy", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0035.260] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="group policy", cchWideChar=12, lpMultiByteStr=0xadc1a8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="group policy", lpUsedDefaultChar=0x0) returned 12 [0035.260] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x15, lpName=0xadb970, cchName=0x104 | out: lpName="Hints") returned 0x0 [0035.260] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="hints", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0035.260] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="hints", cchWideChar=5, lpMultiByteStr=0xadc160, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="hints", lpUsedDefaultChar=0x0) returned 5 [0035.260] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x16, lpName=0xadb970, cchName=0x104 | out: lpName="HomeGroup") returned 0x0 [0035.260] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="homegroup", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0035.260] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="homegroup", cchWideChar=9, lpMultiByteStr=0xadc1a8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="homegroup", lpUsedDefaultChar=0x0) returned 9 [0035.260] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x17, lpName=0xadb970, cchName=0x104 | out: lpName="HotStart") returned 0x0 [0035.260] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="hotstart", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0035.260] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="hotstart", cchWideChar=8, lpMultiByteStr=0xadc160, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="hotstart", lpUsedDefaultChar=0x0) returned 8 [0035.260] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x18, lpName=0xadb970, cchName=0x104 | out: lpName="IME") returned 0x0 [0035.260] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ime", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0035.260] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ime", cchWideChar=3, lpMultiByteStr=0xadc1a8, cbMultiByte=3, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ime", lpUsedDefaultChar=0x0) returned 3 [0035.260] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x19, lpName=0xadb970, cchName=0x104 | out: lpName="Installer") returned 0x0 [0035.260] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="installer", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0035.260] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="installer", cchWideChar=9, lpMultiByteStr=0xadc160, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="installer", lpUsedDefaultChar=0x0) returned 9 [0035.260] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x1a, lpName=0xadb970, cchName=0x104 | out: lpName="Internet Settings") returned 0x0 [0035.261] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="internet settings", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0035.261] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="internet settings", cchWideChar=17, lpMultiByteStr=0xadc1a8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="internet settings", lpUsedDefaultChar=0x0) returned 17 [0035.261] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x1b, lpName=0xadb970, cchName=0x104 | out: lpName="MCT") returned 0x0 [0035.261] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mct", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0035.261] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mct", cchWideChar=3, lpMultiByteStr=0xadc160, cbMultiByte=3, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mct", lpUsedDefaultChar=0x0) returned 3 [0035.261] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x1c, lpName=0xadb970, cchName=0x104 | out: lpName="Media Center") returned 0x0 [0035.261] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="media center", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0035.261] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="media center", cchWideChar=12, lpMultiByteStr=0xadc1a8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="media center", lpUsedDefaultChar=0x0) returned 12 [0035.261] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x1d, lpName=0xadb970, cchName=0x104 | out: lpName="MMDevices") returned 0x0 [0035.261] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mmdevices", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0035.261] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mmdevices", cchWideChar=9, lpMultiByteStr=0xadc160, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mmdevices", lpUsedDefaultChar=0x0) returned 9 [0035.261] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x1e, lpName=0xadb970, cchName=0x104 | out: lpName="MSSHA") returned 0x0 [0035.261] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mssha", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0035.261] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mssha", cchWideChar=5, lpMultiByteStr=0xadc1a8, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mssha", lpUsedDefaultChar=0x0) returned 5 [0035.261] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x1f, lpName=0xadb970, cchName=0x104 | out: lpName="NetCache") returned 0x0 [0035.261] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="netcache", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0035.261] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="netcache", cchWideChar=8, lpMultiByteStr=0xadc160, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="netcache", lpUsedDefaultChar=0x0) returned 8 [0035.261] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x20, lpName=0xadb970, cchName=0x104 | out: lpName="OEMInformation") returned 0x0 [0035.261] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="oeminformation", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0035.261] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="oeminformation", cchWideChar=14, lpMultiByteStr=0xadc1a8, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="oeminformation", lpUsedDefaultChar=0x0) returned 14 [0035.261] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x21, lpName=0xadb970, cchName=0x104 | out: lpName="OOBE") returned 0x0 [0035.261] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="oobe", cchWideChar=4, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 4 [0035.261] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="oobe", cchWideChar=4, lpMultiByteStr=0xadc160, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="oobe", lpUsedDefaultChar=0x0) returned 4 [0035.261] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x22, lpName=0xadb970, cchName=0x104 | out: lpName="OptimalLayout") returned 0x0 [0035.262] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="optimallayout", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0035.262] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="optimallayout", cchWideChar=13, lpMultiByteStr=0xadc1a8, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="optimallayout", lpUsedDefaultChar=0x0) returned 13 [0035.262] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x23, lpName=0xadb970, cchName=0x104 | out: lpName="Parental Controls") returned 0x0 [0035.262] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="parental controls", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0035.262] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="parental controls", cchWideChar=17, lpMultiByteStr=0xadc160, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="parental controls", lpUsedDefaultChar=0x0) returned 17 [0035.262] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x24, lpName=0xadb970, cchName=0x104 | out: lpName="Personalization") returned 0x0 [0035.262] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="personalization", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0035.262] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="personalization", cchWideChar=15, lpMultiByteStr=0xadc1a8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="personalization", lpUsedDefaultChar=0x0) returned 15 [0035.262] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x25, lpName=0xadb970, cchName=0x104 | out: lpName="PhotoPropertyHandler") returned 0x0 [0035.262] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="photopropertyhandler", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0035.262] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="photopropertyhandler", cchWideChar=20, lpMultiByteStr=0xadc160, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="photopropertyhandler", lpUsedDefaultChar=0x0) returned 20 [0035.262] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x26, lpName=0xadb970, cchName=0x104 | out: lpName="PnPSysprep") returned 0x0 [0035.262] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="pnpsysprep", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0035.262] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="pnpsysprep", cchWideChar=10, lpMultiByteStr=0xadc1a8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="pnpsysprep", lpUsedDefaultChar=0x0) returned 10 [0035.262] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x27, lpName=0xadb970, cchName=0x104 | out: lpName="Policies") returned 0x0 [0035.262] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="policies", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0035.262] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="policies", cchWideChar=8, lpMultiByteStr=0xadc160, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="policies", lpUsedDefaultChar=0x0) returned 8 [0035.262] RegOpenKeyExW (in: hKey=0x3c, lpSubKey="Policies", ulOptions=0x0, samDesired=0x20109, phkResult=0x1cf4fc | out: phkResult=0x1cf4fc*=0xbc) returned 0x0 [0035.262] RegCloseKey (hKey=0x3c) returned 0x0 [0035.262] RegEnumKeyW (in: hKey=0xbc, dwIndex=0x0, lpName=0xadb970, cchName=0x104 | out: lpName="ActiveDesktop") returned 0x0 [0035.262] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="activedesktop", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0035.262] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="activedesktop", cchWideChar=13, lpMultiByteStr=0xadc1a8, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="activedesktop", lpUsedDefaultChar=0x0) returned 13 [0035.262] RegEnumKeyW (in: hKey=0xbc, dwIndex=0x1, lpName=0xadb970, cchName=0x104 | out: lpName="Attachments") returned 0x0 [0035.262] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="attachments", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.262] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="attachments", cchWideChar=11, lpMultiByteStr=0xadc160, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="attachments", lpUsedDefaultChar=0x0) returned 11 [0035.263] RegEnumKeyW (in: hKey=0xbc, dwIndex=0x2, lpName=0xadb970, cchName=0x104 | out: lpName="Explorer") returned 0x0 [0035.263] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="explorer", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0035.263] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="explorer", cchWideChar=8, lpMultiByteStr=0xadc1a8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="explorer", lpUsedDefaultChar=0x0) returned 8 [0035.263] RegEnumKeyW (in: hKey=0xbc, dwIndex=0x3, lpName=0xadb970, cchName=0x104 | out: lpName="NonEnum") returned 0x0 [0035.263] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="nonenum", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0035.263] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="nonenum", cchWideChar=7, lpMultiByteStr=0xadc160, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="nonenum", lpUsedDefaultChar=0x0) returned 7 [0035.263] RegEnumKeyW (in: hKey=0xbc, dwIndex=0x4, lpName=0xadb970, cchName=0x104 | out: lpName="System") returned 0x0 [0035.263] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="system", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0035.263] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="system", cchWideChar=6, lpMultiByteStr=0xadc1a8, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="system", lpUsedDefaultChar=0x0) returned 6 [0035.263] RegOpenKeyExW (in: hKey=0xbc, lpSubKey="System", ulOptions=0x0, samDesired=0x20109, phkResult=0x1cf4fc | out: phkResult=0x1cf4fc*=0x3c) returned 0x0 [0035.263] RegCloseKey (hKey=0xbc) returned 0x0 [0035.263] RegEnumValueA (in: hKey=0x3c, dwIndex=0x0, lpValueName=0x1cf418, lpcchValueName=0x1cf414, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="ConsentPromptBehaviorAdmin", lpcchValueName=0x1cf414, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0035.263] RegEnumValueA (in: hKey=0x3c, dwIndex=0x1, lpValueName=0x1cf418, lpcchValueName=0x1cf414, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="ConsentPromptBehaviorUser", lpcchValueName=0x1cf414, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0035.264] RegEnumValueA (in: hKey=0x3c, dwIndex=0x2, lpValueName=0x1cf418, lpcchValueName=0x1cf414, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="EnableInstallerDetection", lpcchValueName=0x1cf414, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0035.264] RegEnumValueA (in: hKey=0x3c, dwIndex=0x3, lpValueName=0x1cf418, lpcchValueName=0x1cf414, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="EnableLUA", lpcchValueName=0x1cf414, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0035.264] RegEnumValueA (in: hKey=0x3c, dwIndex=0x4, lpValueName=0x1cf418, lpcchValueName=0x1cf414, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="EnableSecureUIAPaths", lpcchValueName=0x1cf414, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0035.264] RegEnumValueA (in: hKey=0x3c, dwIndex=0x5, lpValueName=0x1cf418, lpcchValueName=0x1cf414, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="EnableUIADesktopToggle", lpcchValueName=0x1cf414, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0035.264] RegEnumValueA (in: hKey=0x3c, dwIndex=0x6, lpValueName=0x1cf418, lpcchValueName=0x1cf414, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="EnableVirtualization", lpcchValueName=0x1cf414, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0035.264] RegEnumValueA (in: hKey=0x3c, dwIndex=0x7, lpValueName=0x1cf418, lpcchValueName=0x1cf414, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="PromptOnSecureDesktop", lpcchValueName=0x1cf414, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0035.264] RegEnumValueA (in: hKey=0x3c, dwIndex=0x8, lpValueName=0x1cf418, lpcchValueName=0x1cf414, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="ValidateAdminCodeSignatures", lpcchValueName=0x1cf414, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0035.264] RegEnumValueA (in: hKey=0x3c, dwIndex=0x9, lpValueName=0x1cf418, lpcchValueName=0x1cf414, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="dontdisplaylastusername", lpcchValueName=0x1cf414, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0035.264] RegEnumValueA (in: hKey=0x3c, dwIndex=0xa, lpValueName=0x1cf418, lpcchValueName=0x1cf414, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="legalnoticecaption", lpcchValueName=0x1cf414, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0035.264] RegEnumValueA (in: hKey=0x3c, dwIndex=0xb, lpValueName=0x1cf418, lpcchValueName=0x1cf414, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="legalnoticetext", lpcchValueName=0x1cf414, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0035.264] RegEnumValueA (in: hKey=0x3c, dwIndex=0xc, lpValueName=0x1cf418, lpcchValueName=0x1cf414, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="scforceoption", lpcchValueName=0x1cf414, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0035.264] RegEnumValueA (in: hKey=0x3c, dwIndex=0xd, lpValueName=0x1cf418, lpcchValueName=0x1cf414, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="shutdownwithoutlogon", lpcchValueName=0x1cf414, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0035.264] RegEnumValueA (in: hKey=0x3c, dwIndex=0xe, lpValueName=0x1cf418, lpcchValueName=0x1cf414, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="undockwithoutlogon", lpcchValueName=0x1cf414, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0035.264] RegEnumValueA (in: hKey=0x3c, dwIndex=0xf, lpValueName=0x1cf418, lpcchValueName=0x1cf414, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="FilterAdministratorToken", lpcchValueName=0x1cf414, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0035.264] RegEnumValueA (in: hKey=0x3c, dwIndex=0x10, lpValueName=0x1cf418, lpcchValueName=0x1cf414, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="FilterAdministratorToken", lpcchValueName=0x1cf414, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x103 [0035.264] RegQueryValueExA (in: hKey=0x3c, lpValueName="EnableLUA", lpReserved=0x0, lpType=0x1cf524, lpData=0x0, lpcbData=0x1cf52c*=0x0 | out: lpType=0x1cf524*=0x4, lpData=0x0, lpcbData=0x1cf52c*=0x4) returned 0x0 [0035.264] RegQueryValueExA (in: hKey=0x3c, lpValueName="EnableLUA", lpReserved=0x0, lpType=0x1cf524, lpData=0xadc4c0, lpcbData=0x1cf52c*=0x4 | out: lpType=0x1cf524*=0x4, lpData=0xadc4c0*=0x1, lpcbData=0x1cf52c*=0x4) returned 0x0 [0035.265] RegCloseKey (hKey=0x3c) returned 0x0 [0035.265] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x1cf5a0 | out: TokenHandle=0x1cf5a0*=0x3c) returned 1 [0035.265] GetTokenInformation (in: TokenHandle=0x3c, TokenInformationClass=0x14, TokenInformation=0x1cf59c, TokenInformationLength=0x4, ReturnLength=0x1cf598 | out: TokenInformation=0x1cf59c, ReturnLength=0x1cf598) returned 1 [0035.265] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x1cf58c | out: TokenHandle=0x1cf58c*=0xbc) returned 1 [0035.265] GetTokenInformation (in: TokenHandle=0xbc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x1cf588 | out: TokenInformation=0x0, ReturnLength=0x1cf588) returned 0 [0035.265] GetTokenInformation (in: TokenHandle=0xbc, TokenInformationClass=0x19, TokenInformation=0xadc628, TokenInformationLength=0x14, ReturnLength=0x1cf588 | out: TokenInformation=0xadc628, ReturnLength=0x1cf588) returned 1 [0035.265] GetSidSubAuthorityCount (pSid=0xadc630*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000)) returned 0xadc631 [0035.265] GetSidSubAuthority (pSid=0xadc630*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000), nSubAuthority=0x0) returned 0xadc638 [0035.265] NtClose (Handle=0xbc) returned 0x0 [0035.265] ConvertStringSecurityDescriptorToSecurityDescriptorW () returned 0x1 [0035.269] GetSecurityDescriptorSacl (in: pSecurityDescriptor=0x289f28, lpbSaclPresent=0x1cf648, pSacl=0x1cf6a0, lpbSaclDefaulted=0x1cf648 | out: lpbSaclPresent=0x1cf648, pSacl=0x1cf6a0, lpbSaclDefaulted=0x1cf648) returned 1 [0035.270] CreateMutexA (lpMutexAttributes=0x1cf694, bInitialOwner=0, lpName="") returned 0x100 [0035.270] GetLastError () returned 0x0 [0035.270] LocalFree (hMem=0x289f28) returned 0x0 [0035.270] CryptAcquireContextW (in: phProv=0x1cf6c0, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x1cf6c0*=0x2889e8) returned 1 [0035.282] ConvertStringSecurityDescriptorToSecurityDescriptorW () returned 0x1 [0035.283] GetSecurityDescriptorSacl (in: pSecurityDescriptor=0x288c30, lpbSaclPresent=0x1cf664, pSacl=0x1cf6c8, lpbSaclDefaulted=0x1cf664 | out: lpbSaclPresent=0x1cf664, pSacl=0x1cf6c8, lpbSaclDefaulted=0x1cf664) returned 1 [0035.283] CreateEventA (lpEventAttributes=0x1cf6bc, bManualReset=1, bInitialState=0, lpName="") returned 0x104 [0035.283] GetLastError () returned 0x0 [0035.283] LocalFree (hMem=0x288c30) returned 0x0 [0035.283] ConvertStringSecurityDescriptorToSecurityDescriptorW () returned 0x1 [0035.283] GetSecurityDescriptorSacl (in: pSecurityDescriptor=0x288c30, lpbSaclPresent=0x1cf664, pSacl=0x1cf6c8, lpbSaclDefaulted=0x1cf664 | out: lpbSaclPresent=0x1cf664, pSacl=0x1cf6c8, lpbSaclDefaulted=0x1cf664) returned 1 [0035.283] CreateEventA (lpEventAttributes=0x1cf6bc, bManualReset=1, bInitialState=0, lpName="") returned 0x108 [0035.284] GetLastError () returned 0x0 [0035.284] LocalFree (hMem=0x288c30) returned 0x0 [0035.284] ConvertStringSecurityDescriptorToSecurityDescriptorW () returned 0x1 [0035.284] GetSecurityDescriptorSacl (in: pSecurityDescriptor=0x288c30, lpbSaclPresent=0x1cf664, pSacl=0x1cf6c8, lpbSaclDefaulted=0x1cf664 | out: lpbSaclPresent=0x1cf664, pSacl=0x1cf6c8, lpbSaclDefaulted=0x1cf664) returned 1 [0035.284] CreateEventA (lpEventAttributes=0x1cf6bc, bManualReset=1, bInitialState=0, lpName="") returned 0x110 [0035.284] GetLastError () returned 0x0 [0035.284] LocalFree (hMem=0x288c30) returned 0x0 [0035.284] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xadc310, cbMultiByte=10, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 10 [0035.284] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xadc310, cbMultiByte=10, lpWideCharStr=0xadbb90, cchWideChar=10 | out: lpWideCharStr="svsho*.exe") returned 10 [0035.284] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xadc280, cbMultiByte=10, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 10 [0035.284] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xadc280, cbMultiByte=10, lpWideCharStr=0xadbc40, cchWideChar=10 | out: lpWideCharStr="schre*.bat") returned 10 [0035.285] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xadc238, cbMultiByte=7, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0035.285] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xadc238, cbMultiByte=7, lpWideCharStr=0xadfe60, cchWideChar=7 | out: lpWideCharStr="V01.lo*") returned 7 [0035.285] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xadc1f0, cbMultiByte=7, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0035.285] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xadc1f0, cbMultiByte=7, lpWideCharStr=0xadfee8, cchWideChar=7 | out: lpWideCharStr="V01.ch*") returned 7 [0035.285] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xadc1a8, cbMultiByte=11, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 11 [0035.285] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xadc1a8, cbMultiByte=11, lpWideCharStr=0xae0448, cchWideChar=11 | out: lpWideCharStr="V01res*.jrs") returned 11 [0035.285] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xadc160, cbMultiByte=11, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 11 [0035.285] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xadc160, cbMultiByte=11, lpWideCharStr=0xae04d0, cchWideChar=11 | out: lpWideCharStr="RacWmi*.sdf") returned 11 [0035.285] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xadc2c8, cbMultiByte=11, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 11 [0035.285] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xadc2c8, cbMultiByte=11, lpWideCharStr=0xae0558, cchWideChar=11 | out: lpWideCharStr="Web*V01.dat") returned 11 [0035.285] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xadc1a8, cbMultiByte=25, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 25 [0035.285] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xadc1a8, cbMultiByte=25, lpWideCharStr=0xae05e0, cchWideChar=25 | out: lpWideCharStr="System Volume Information") returned 25 [0035.285] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xadc1f0, cbMultiByte=12, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 12 [0035.285] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xadc1f0, cbMultiByte=12, lpWideCharStr=0xae0668, cchWideChar=12 | out: lpWideCharStr="$RECYCLE.BIN") returned 12 [0035.285] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xadc238, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0035.285] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xadc238, cbMultiByte=8, lpWideCharStr=0xae0818, cchWideChar=8 | out: lpWideCharStr="WebCache") returned 8 [0035.285] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xadc2c8, cbMultiByte=6, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 6 [0035.285] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xadc2c8, cbMultiByte=6, lpWideCharStr=0xae08a0, cchWideChar=6 | out: lpWideCharStr="Caches") returned 6 [0035.285] ExpandEnvironmentStringsA (in: lpSrc="%ProgramData%\\Microsoft\\Windows\\WER\\ReportQueue\\", lpDst=0xae2778, nSize=0x2800 | out: lpDst="C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\") returned 0x32 [0035.285] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xae2778, cbMultiByte=49, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 49 [0035.285] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xae2778, cbMultiByte=49, lpWideCharStr=0xae0928, cchWideChar=49 | out: lpWideCharStr="C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\") returned 49 [0035.285] ExpandEnvironmentStringsA (in: lpSrc="%windir%", lpDst=0xae2778, nSize=0x2800 | out: lpDst="C:\\Windows") returned 0xb [0035.285] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xae2778, cbMultiByte=10, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 10 [0035.286] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xae2778, cbMultiByte=10, lpWideCharStr=0xae09b0, cchWideChar=10 | out: lpWideCharStr="C:\\Windows") returned 10 [0035.286] ExpandEnvironmentStringsA (in: lpSrc="%temp%", lpDst=0xae2778, nSize=0x2800 | out: lpDst="C:\\Windows\\TEMP") returned 0x10 [0035.286] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xae2778, cbMultiByte=15, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 15 [0035.286] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xae2778, cbMultiByte=15, lpWideCharStr=0xae0a38, cchWideChar=15 | out: lpWideCharStr="C:\\Windows\\TEMP") returned 15 [0035.286] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xadc1a8, cbMultiByte=7, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0035.286] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xadc1a8, cbMultiByte=7, lpWideCharStr=0xae0ac0, cchWideChar=7 | out: lpWideCharStr=".locked") returned 7 [0035.286] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xadc508, cbMultiByte=11, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 11 [0035.286] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xadc508, cbMultiByte=11, lpWideCharStr=0xae0b48, cchWideChar=11 | out: lpWideCharStr=".readme_txt") returned 11 [0035.286] WaitForSingleObject (hHandle=0x100, dwMilliseconds=0xffffffff) returned 0x0 [0035.286] GetSystemWow64DirectoryW (in: lpBuffer=0xae7a18, uSize=0x40 | out: lpBuffer="C:\\Windows\\SysWOW64") returned 0x13 [0035.286] FindFirstFileExW (in: lpFileName="C:\\Windows\\SysWOW64\\*.dll", fInfoLevelId=0x1, lpFindFileData=0x1cf3f4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1cf3f4) returned 0x289ec0 [0035.286] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AACLIENT.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0035.286] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AACLIENT.DLL", cchWideChar=12, lpMultiByteStr=0xadc940, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AACLIENT.DLL", lpUsedDefaultChar=0x0) returned 12 [0035.287] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.287] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ACCESSIBILITYCPL.DLL", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0035.287] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ACCESSIBILITYCPL.DLL", cchWideChar=20, lpMultiByteStr=0xadc988, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ACCESSIBILITYCPL.DLL", lpUsedDefaultChar=0x0) returned 20 [0035.288] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.288] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ACCTRES.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.288] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ACCTRES.DLL", cchWideChar=11, lpMultiByteStr=0xadc940, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ACCTRES.DLL", lpUsedDefaultChar=0x0) returned 11 [0035.288] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.288] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ACLEDIT.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.288] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ACLEDIT.DLL", cchWideChar=11, lpMultiByteStr=0xadc988, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ACLEDIT.DLL", lpUsedDefaultChar=0x0) returned 11 [0035.288] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.288] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ACLUI.DLL", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0035.288] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ACLUI.DLL", cchWideChar=9, lpMultiByteStr=0xadc940, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ACLUI.DLL", lpUsedDefaultChar=0x0) returned 9 [0035.288] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.288] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ACPPAGE.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.288] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ACPPAGE.DLL", cchWideChar=11, lpMultiByteStr=0xadc988, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ACPPAGE.DLL", lpUsedDefaultChar=0x0) returned 11 [0035.288] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.288] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ACTIONCENTER.DLL", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0035.288] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ACTIONCENTER.DLL", cchWideChar=16, lpMultiByteStr=0xadc940, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ACTIONCENTER.DLL", lpUsedDefaultChar=0x0) returned 16 [0035.288] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.288] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ACTIONCENTERCPL.DLL", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0035.288] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ACTIONCENTERCPL.DLL", cchWideChar=19, lpMultiByteStr=0xadc988, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ACTIONCENTERCPL.DLL", lpUsedDefaultChar=0x0) returned 19 [0035.288] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.288] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ACTIVEDS.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0035.288] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ACTIVEDS.DLL", cchWideChar=12, lpMultiByteStr=0xadc940, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ACTIVEDS.DLL", lpUsedDefaultChar=0x0) returned 12 [0035.288] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.288] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ACTXPRXY.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0035.288] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ACTXPRXY.DLL", cchWideChar=12, lpMultiByteStr=0xadc988, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ACTXPRXY.DLL", lpUsedDefaultChar=0x0) returned 12 [0035.288] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.288] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ADMPARSE.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0035.288] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ADMPARSE.DLL", cchWideChar=12, lpMultiByteStr=0xadc940, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ADMPARSE.DLL", lpUsedDefaultChar=0x0) returned 12 [0035.288] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.288] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ADMTMPL.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.289] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ADMTMPL.DLL", cchWideChar=11, lpMultiByteStr=0xadc988, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ADMTMPL.DLL", lpUsedDefaultChar=0x0) returned 11 [0035.289] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.289] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ADPROVIDER.DLL", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0035.289] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ADPROVIDER.DLL", cchWideChar=14, lpMultiByteStr=0xadc940, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ADPROVIDER.DLL", lpUsedDefaultChar=0x0) returned 14 [0035.289] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.289] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ADSLDP.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0035.289] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ADSLDP.DLL", cchWideChar=10, lpMultiByteStr=0xadc988, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ADSLDP.DLL", lpUsedDefaultChar=0x0) returned 10 [0035.289] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.289] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ADSLDPC.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.289] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ADSLDPC.DLL", cchWideChar=11, lpMultiByteStr=0xadc940, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ADSLDPC.DLL", lpUsedDefaultChar=0x0) returned 11 [0035.289] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.289] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ADSMSEXT.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0035.289] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ADSMSEXT.DLL", cchWideChar=12, lpMultiByteStr=0xadc988, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ADSMSEXT.DLL", lpUsedDefaultChar=0x0) returned 12 [0035.289] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.289] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ADSNT.DLL", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0035.289] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ADSNT.DLL", cchWideChar=9, lpMultiByteStr=0xadc940, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ADSNT.DLL", lpUsedDefaultChar=0x0) returned 9 [0035.289] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.289] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ADTSCHEMA.DLL", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0035.289] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ADTSCHEMA.DLL", cchWideChar=13, lpMultiByteStr=0xadc988, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ADTSCHEMA.DLL", lpUsedDefaultChar=0x0) returned 13 [0035.289] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.289] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ADVAPI32.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0035.289] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ADVAPI32.DLL", cchWideChar=12, lpMultiByteStr=0xadc940, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ADVAPI32.DLL", lpUsedDefaultChar=0x0) returned 12 [0035.289] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.289] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ADVPACK.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.289] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ADVPACK.DLL", cchWideChar=11, lpMultiByteStr=0xadc988, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ADVPACK.DLL", lpUsedDefaultChar=0x0) returned 11 [0035.289] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.289] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AECACHE.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.289] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AECACHE.DLL", cchWideChar=11, lpMultiByteStr=0xadc940, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AECACHE.DLL", lpUsedDefaultChar=0x0) returned 11 [0035.289] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.290] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AEEVTS.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0035.290] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AEEVTS.DLL", cchWideChar=10, lpMultiByteStr=0xadc988, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AEEVTS.DLL", lpUsedDefaultChar=0x0) returned 10 [0035.290] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.290] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ALTTAB.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0035.290] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ALTTAB.DLL", cchWideChar=10, lpMultiByteStr=0xadc940, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ALTTAB.DLL", lpUsedDefaultChar=0x0) returned 10 [0035.290] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.290] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AMSTREAM.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0035.290] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AMSTREAM.DLL", cchWideChar=12, lpMultiByteStr=0xadc988, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AMSTREAM.DLL", lpUsedDefaultChar=0x0) returned 12 [0035.290] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.290] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AMXREAD.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.290] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AMXREAD.DLL", cchWideChar=11, lpMultiByteStr=0xadc940, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AMXREAD.DLL", lpUsedDefaultChar=0x0) returned 11 [0035.290] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.290] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="APDS.DLL", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0035.290] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="APDS.DLL", cchWideChar=8, lpMultiByteStr=0xadc988, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="APDS.DLL", lpUsedDefaultChar=0x0) returned 8 [0035.290] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.290] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-CONSOLE-L1-1-0.DLL", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0035.290] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-CONSOLE-L1-1-0.DLL", cchWideChar=34, lpMultiByteStr=0xadc940, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-CONSOLE-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 34 [0035.290] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.290] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-DATETIME-L1-1-0.DLL", cchWideChar=35, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 35 [0035.290] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-DATETIME-L1-1-0.DLL", cchWideChar=35, lpMultiByteStr=0xadc988, cbMultiByte=35, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-DATETIME-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 35 [0035.290] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.290] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-DEBUG-L1-1-0.DLL", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0035.290] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-DEBUG-L1-1-0.DLL", cchWideChar=32, lpMultiByteStr=0xadc940, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-DEBUG-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 32 [0035.290] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.290] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-DELAYLOAD-L1-1-0.DLL", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0035.290] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-DELAYLOAD-L1-1-0.DLL", cchWideChar=36, lpMultiByteStr=0xadc988, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-DELAYLOAD-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 36 [0035.290] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.290] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-ERRORHANDLING-L1-1-0.DLL", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0035.290] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-ERRORHANDLING-L1-1-0.DLL", cchWideChar=40, lpMultiByteStr=0xadc940, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-ERRORHANDLING-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 40 [0035.290] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.291] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-FIBERS-L1-1-0.DLL", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0035.291] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-FIBERS-L1-1-0.DLL", cchWideChar=33, lpMultiByteStr=0xadc988, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-FIBERS-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 33 [0035.291] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.291] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-FILE-L1-1-0.DLL", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0035.291] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-FILE-L1-1-0.DLL", cchWideChar=31, lpMultiByteStr=0xadc940, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-FILE-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 31 [0035.291] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.291] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-FILE-L1-2-0.DLL", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0035.291] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-FILE-L1-2-0.DLL", cchWideChar=31, lpMultiByteStr=0xadc988, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-FILE-L1-2-0.DLL", lpUsedDefaultChar=0x0) returned 31 [0035.291] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.291] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-FILE-L2-1-0.DLL", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0035.291] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-FILE-L2-1-0.DLL", cchWideChar=31, lpMultiByteStr=0xadc940, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-FILE-L2-1-0.DLL", lpUsedDefaultChar=0x0) returned 31 [0035.291] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.291] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-HANDLE-L1-1-0.DLL", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0035.291] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-HANDLE-L1-1-0.DLL", cchWideChar=33, lpMultiByteStr=0xadc988, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-HANDLE-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 33 [0035.291] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.291] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-HEAP-L1-1-0.DLL", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0035.291] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-HEAP-L1-1-0.DLL", cchWideChar=31, lpMultiByteStr=0xadc940, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-HEAP-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 31 [0035.291] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.291] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-INTERLOCKED-L1-1-0.DLL", cchWideChar=38, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 38 [0035.291] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-INTERLOCKED-L1-1-0.DLL", cchWideChar=38, lpMultiByteStr=0xadc988, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-INTERLOCKED-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 38 [0035.291] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.291] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-IO-L1-1-0.DLL", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0035.291] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-IO-L1-1-0.DLL", cchWideChar=29, lpMultiByteStr=0xadc940, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-IO-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 29 [0035.291] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.291] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0.DLL", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0035.291] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0.DLL", cchWideChar=40, lpMultiByteStr=0xadc988, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 40 [0035.291] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.291] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-LOCALIZATION-L1-1-0.DLL", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0035.292] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-LOCALIZATION-L1-1-0.DLL", cchWideChar=39, lpMultiByteStr=0xadc940, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-LOCALIZATION-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 39 [0035.292] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.292] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-LOCALIZATION-L1-2-0.DLL", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0035.292] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-LOCALIZATION-L1-2-0.DLL", cchWideChar=39, lpMultiByteStr=0xadc988, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-LOCALIZATION-L1-2-0.DLL", lpUsedDefaultChar=0x0) returned 39 [0035.292] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.292] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-LOCALREGISTRY-L1-1-0.DLL", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0035.292] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-LOCALREGISTRY-L1-1-0.DLL", cchWideChar=40, lpMultiByteStr=0xadc940, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-LOCALREGISTRY-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 40 [0035.292] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.292] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-MEMORY-L1-1-0.DLL", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0035.292] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-MEMORY-L1-1-0.DLL", cchWideChar=33, lpMultiByteStr=0xadc988, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-MEMORY-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 33 [0035.292] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.292] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-MISC-L1-1-0.DLL", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0035.292] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-MISC-L1-1-0.DLL", cchWideChar=31, lpMultiByteStr=0xadc940, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-MISC-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 31 [0035.292] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.292] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-NAMEDPIPE-L1-1-0.DLL", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0035.292] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-NAMEDPIPE-L1-1-0.DLL", cchWideChar=36, lpMultiByteStr=0xadc988, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-NAMEDPIPE-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 36 [0035.292] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.292] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0.DLL", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0035.292] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0.DLL", cchWideChar=45, lpMultiByteStr=0xadc940, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 45 [0035.292] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.292] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0.DLL", cchWideChar=41, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 41 [0035.292] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0.DLL", cchWideChar=41, lpMultiByteStr=0xadc988, cbMultiByte=41, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 41 [0035.292] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.292] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-PROCESSTHREADS-L1-1-1.DLL", cchWideChar=41, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 41 [0035.292] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-PROCESSTHREADS-L1-1-1.DLL", cchWideChar=41, lpMultiByteStr=0xadc940, cbMultiByte=41, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-PROCESSTHREADS-L1-1-1.DLL", lpUsedDefaultChar=0x0) returned 41 [0035.292] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.292] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-PROFILE-L1-1-0.DLL", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0035.292] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-PROFILE-L1-1-0.DLL", cchWideChar=34, lpMultiByteStr=0xadc988, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-PROFILE-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 34 [0035.292] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.292] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-RTLSUPPORT-L1-1-0.DLL", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0035.293] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-RTLSUPPORT-L1-1-0.DLL", cchWideChar=37, lpMultiByteStr=0xadc940, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-RTLSUPPORT-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 37 [0035.293] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.293] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-STRING-L1-1-0.DLL", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0035.293] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-STRING-L1-1-0.DLL", cchWideChar=33, lpMultiByteStr=0xadc988, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-STRING-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 33 [0035.293] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.293] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-SYNCH-L1-1-0.DLL", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0035.293] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-SYNCH-L1-1-0.DLL", cchWideChar=32, lpMultiByteStr=0xadc940, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-SYNCH-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 32 [0035.293] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.293] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-SYNCH-L1-2-0.DLL", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0035.293] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-SYNCH-L1-2-0.DLL", cchWideChar=32, lpMultiByteStr=0xadc988, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-SYNCH-L1-2-0.DLL", lpUsedDefaultChar=0x0) returned 32 [0035.293] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.293] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-SYSINFO-L1-1-0.DLL", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0035.293] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-SYSINFO-L1-1-0.DLL", cchWideChar=34, lpMultiByteStr=0xadc940, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-SYSINFO-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 34 [0035.293] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.293] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-THREADPOOL-L1-1-0.DLL", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0035.293] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-THREADPOOL-L1-1-0.DLL", cchWideChar=37, lpMultiByteStr=0xadc988, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-THREADPOOL-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 37 [0035.293] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.293] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-TIMEZONE-L1-1-0.DLL", cchWideChar=35, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 35 [0035.293] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-TIMEZONE-L1-1-0.DLL", cchWideChar=35, lpMultiByteStr=0xadc940, cbMultiByte=35, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-TIMEZONE-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 35 [0035.293] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.293] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-UTIL-L1-1-0.DLL", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0035.293] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-UTIL-L1-1-0.DLL", cchWideChar=31, lpMultiByteStr=0xadc988, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-UTIL-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 31 [0035.293] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.293] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-XSTATE-L1-1-0.DLL", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0035.293] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-XSTATE-L1-1-0.DLL", cchWideChar=33, lpMultiByteStr=0xadc940, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-XSTATE-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 33 [0035.293] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.293] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-XSTATE-L2-1-0.DLL", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0035.293] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-XSTATE-L2-1-0.DLL", cchWideChar=33, lpMultiByteStr=0xadc988, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-XSTATE-L2-1-0.DLL", lpUsedDefaultChar=0x0) returned 33 [0035.293] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.293] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-CONIO-L1-1-0.DLL", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0035.294] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-CONIO-L1-1-0.DLL", cchWideChar=31, lpMultiByteStr=0xadc940, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CRT-CONIO-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 31 [0035.294] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.294] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-CONVERT-L1-1-0.DLL", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0035.294] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-CONVERT-L1-1-0.DLL", cchWideChar=33, lpMultiByteStr=0xadc988, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CRT-CONVERT-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 33 [0035.294] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.294] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-ENVIRONMENT-L1-1-0.DLL", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0035.294] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-ENVIRONMENT-L1-1-0.DLL", cchWideChar=37, lpMultiByteStr=0xadc940, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CRT-ENVIRONMENT-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 37 [0035.294] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.294] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-FILESYSTEM-L1-1-0.DLL", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0035.294] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-FILESYSTEM-L1-1-0.DLL", cchWideChar=36, lpMultiByteStr=0xadc988, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CRT-FILESYSTEM-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 36 [0035.294] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.294] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-HEAP-L1-1-0.DLL", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0035.294] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-HEAP-L1-1-0.DLL", cchWideChar=30, lpMultiByteStr=0xadc940, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CRT-HEAP-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 30 [0035.294] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.294] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-LOCALE-L1-1-0.DLL", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0035.294] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-LOCALE-L1-1-0.DLL", cchWideChar=32, lpMultiByteStr=0xadc988, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CRT-LOCALE-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 32 [0035.294] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.294] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-MATH-L1-1-0.DLL", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0035.294] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-MATH-L1-1-0.DLL", cchWideChar=30, lpMultiByteStr=0xadc940, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CRT-MATH-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 30 [0035.294] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.294] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-MULTIBYTE-L1-1-0.DLL", cchWideChar=35, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 35 [0035.294] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-MULTIBYTE-L1-1-0.DLL", cchWideChar=35, lpMultiByteStr=0xadc988, cbMultiByte=35, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CRT-MULTIBYTE-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 35 [0035.294] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.294] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-PRIVATE-L1-1-0.DLL", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0035.294] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-PRIVATE-L1-1-0.DLL", cchWideChar=33, lpMultiByteStr=0xadc940, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CRT-PRIVATE-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 33 [0035.294] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.294] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-PROCESS-L1-1-0.DLL", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0035.295] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-PROCESS-L1-1-0.DLL", cchWideChar=33, lpMultiByteStr=0xadc988, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CRT-PROCESS-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 33 [0035.295] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.295] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-RUNTIME-L1-1-0.DLL", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0035.295] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-RUNTIME-L1-1-0.DLL", cchWideChar=33, lpMultiByteStr=0xadc940, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CRT-RUNTIME-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 33 [0035.295] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.295] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-STDIO-L1-1-0.DLL", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0035.295] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-STDIO-L1-1-0.DLL", cchWideChar=31, lpMultiByteStr=0xadc988, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CRT-STDIO-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 31 [0035.295] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.295] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-STRING-L1-1-0.DLL", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0035.295] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-STRING-L1-1-0.DLL", cchWideChar=32, lpMultiByteStr=0xadc940, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CRT-STRING-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 32 [0035.295] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.295] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-TIME-L1-1-0.DLL", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0035.295] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-TIME-L1-1-0.DLL", cchWideChar=30, lpMultiByteStr=0xadc988, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CRT-TIME-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 30 [0035.295] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.295] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-UTILITY-L1-1-0.DLL", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0035.295] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-UTILITY-L1-1-0.DLL", cchWideChar=33, lpMultiByteStr=0xadc940, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CRT-UTILITY-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 33 [0035.295] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.295] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-EVENTING-PROVIDER-L1-1-0.DLL", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0035.295] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-EVENTING-PROVIDER-L1-1-0.DLL", cchWideChar=39, lpMultiByteStr=0xadc988, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-EVENTING-PROVIDER-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 39 [0035.295] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.295] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-SECURITY-BASE-L1-1-0.DLL", cchWideChar=35, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 35 [0035.295] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-SECURITY-BASE-L1-1-0.DLL", cchWideChar=35, lpMultiByteStr=0xadc940, cbMultiByte=35, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-SECURITY-BASE-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 35 [0035.295] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.295] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-SECURITY-LSALOOKUP-L1-1-0.DLL", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0035.295] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-SECURITY-LSALOOKUP-L1-1-0.DLL", cchWideChar=40, lpMultiByteStr=0xadc988, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-SECURITY-LSALOOKUP-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 40 [0035.295] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.295] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-SECURITY-SDDL-L1-1-0.DLL", cchWideChar=35, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 35 [0035.295] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-SECURITY-SDDL-L1-1-0.DLL", cchWideChar=35, lpMultiByteStr=0xadc940, cbMultiByte=35, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-SECURITY-SDDL-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 35 [0035.296] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.296] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-SERVICE-CORE-L1-1-0.DLL", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0035.296] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-SERVICE-CORE-L1-1-0.DLL", cchWideChar=34, lpMultiByteStr=0xadc988, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-SERVICE-CORE-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 34 [0035.296] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.296] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-SERVICE-MANAGEMENT-L1-1-0.DLL", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0035.296] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-SERVICE-MANAGEMENT-L1-1-0.DLL", cchWideChar=40, lpMultiByteStr=0xadc940, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-SERVICE-MANAGEMENT-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 40 [0035.296] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.296] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-SERVICE-MANAGEMENT-L2-1-0.DLL", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0035.296] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-SERVICE-MANAGEMENT-L2-1-0.DLL", cchWideChar=40, lpMultiByteStr=0xadc988, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-SERVICE-MANAGEMENT-L2-1-0.DLL", lpUsedDefaultChar=0x0) returned 40 [0035.296] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.296] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-SERVICE-WINSVC-L1-1-0.DLL", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0035.296] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-SERVICE-WINSVC-L1-1-0.DLL", cchWideChar=36, lpMultiByteStr=0xadc940, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-SERVICE-WINSVC-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 36 [0035.296] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.296] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="APILOGEN.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0035.296] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="APILOGEN.DLL", cchWideChar=12, lpMultiByteStr=0xadc988, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="APILOGEN.DLL", lpUsedDefaultChar=0x0) returned 12 [0035.296] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.296] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="APIRCL.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0035.296] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="APIRCL.DLL", cchWideChar=10, lpMultiByteStr=0xadc940, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="APIRCL.DLL", lpUsedDefaultChar=0x0) returned 10 [0035.296] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.296] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="APISETSCHEMA.DLL", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0035.296] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="APISETSCHEMA.DLL", cchWideChar=16, lpMultiByteStr=0xadc988, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="APISETSCHEMA.DLL", lpUsedDefaultChar=0x0) returned 16 [0035.296] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.296] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="APPHELP.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.296] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="APPHELP.DLL", cchWideChar=11, lpMultiByteStr=0xadc940, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="APPHELP.DLL", lpUsedDefaultChar=0x0) returned 11 [0035.296] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.296] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="APPHLPDM.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0035.296] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="APPHLPDM.DLL", cchWideChar=12, lpMultiByteStr=0xadc988, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="APPHLPDM.DLL", lpUsedDefaultChar=0x0) returned 12 [0035.296] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.296] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="APPIDAPI.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0035.296] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="APPIDAPI.DLL", cchWideChar=12, lpMultiByteStr=0xadc940, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="APPIDAPI.DLL", lpUsedDefaultChar=0x0) returned 12 [0035.296] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.297] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="APPIDPOLICYENGINEAPI.DLL", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0035.297] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="APPIDPOLICYENGINEAPI.DLL", cchWideChar=24, lpMultiByteStr=0xadc988, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="APPIDPOLICYENGINEAPI.DLL", lpUsedDefaultChar=0x0) returned 24 [0035.297] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.297] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="APPMGMTS.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0035.297] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="APPMGMTS.DLL", cchWideChar=12, lpMultiByteStr=0xadc940, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="APPMGMTS.DLL", lpUsedDefaultChar=0x0) returned 12 [0035.297] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.297] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="APPMGR.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0035.297] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="APPMGR.DLL", cchWideChar=10, lpMultiByteStr=0xadc988, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="APPMGR.DLL", lpUsedDefaultChar=0x0) returned 10 [0035.297] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.297] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="APSS.DLL", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0035.297] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="APSS.DLL", cchWideChar=8, lpMultiByteStr=0xadc940, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="APSS.DLL", lpUsedDefaultChar=0x0) returned 8 [0035.297] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.297] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ASFERROR.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0035.297] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ASFERROR.DLL", cchWideChar=12, lpMultiByteStr=0xadc988, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ASFERROR.DLL", lpUsedDefaultChar=0x0) returned 12 [0035.297] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.297] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ASPNET_COUNTERS.DLL", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0035.297] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ASPNET_COUNTERS.DLL", cchWideChar=19, lpMultiByteStr=0xadc940, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ASPNET_COUNTERS.DLL", lpUsedDefaultChar=0x0) returned 19 [0035.297] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.297] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ASYCFILT.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0035.297] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ASYCFILT.DLL", cchWideChar=12, lpMultiByteStr=0xadc988, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ASYCFILT.DLL", lpUsedDefaultChar=0x0) returned 12 [0035.297] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.297] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ATL.DLL", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0035.297] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ATL.DLL", cchWideChar=7, lpMultiByteStr=0xadc940, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ATL.DLL", lpUsedDefaultChar=0x0) returned 7 [0035.297] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.297] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ATL100.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0035.297] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ATL100.DLL", cchWideChar=10, lpMultiByteStr=0xadc988, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ATL100.DLL", lpUsedDefaultChar=0x0) returned 10 [0035.297] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.297] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ATL110.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0035.297] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ATL110.DLL", cchWideChar=10, lpMultiByteStr=0xadc940, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ATL110.DLL", lpUsedDefaultChar=0x0) returned 10 [0035.297] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.298] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ATMFD.DLL", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0035.298] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ATMFD.DLL", cchWideChar=9, lpMultiByteStr=0xadc988, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ATMFD.DLL", lpUsedDefaultChar=0x0) returned 9 [0035.298] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.298] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ATMLIB.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0035.298] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ATMLIB.DLL", cchWideChar=10, lpMultiByteStr=0xadc940, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ATMLIB.DLL", lpUsedDefaultChar=0x0) returned 10 [0035.298] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.298] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUDIODEV.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0035.298] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUDIODEV.DLL", cchWideChar=12, lpMultiByteStr=0xadc988, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AUDIODEV.DLL", lpUsedDefaultChar=0x0) returned 12 [0035.298] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.298] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUDIOENG.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0035.298] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUDIOENG.DLL", cchWideChar=12, lpMultiByteStr=0xadc940, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AUDIOENG.DLL", lpUsedDefaultChar=0x0) returned 12 [0035.298] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.298] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUDIOKSE.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0035.298] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUDIOKSE.DLL", cchWideChar=12, lpMultiByteStr=0xadc988, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AUDIOKSE.DLL", lpUsedDefaultChar=0x0) returned 12 [0035.298] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.298] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUDIOSES.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0035.298] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUDIOSES.DLL", cchWideChar=12, lpMultiByteStr=0xadc940, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AUDIOSES.DLL", lpUsedDefaultChar=0x0) returned 12 [0035.298] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.298] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUDITNATIVESNAPIN.DLL", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0035.298] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUDITNATIVESNAPIN.DLL", cchWideChar=21, lpMultiByteStr=0xadc988, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AUDITNATIVESNAPIN.DLL", lpUsedDefaultChar=0x0) returned 21 [0035.298] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.298] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUDITPOLICYGPINTEROP.DLL", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0035.298] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUDITPOLICYGPINTEROP.DLL", cchWideChar=24, lpMultiByteStr=0xadc940, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AUDITPOLICYGPINTEROP.DLL", lpUsedDefaultChar=0x0) returned 24 [0035.298] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.298] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUDITPOLMSG.DLL", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0035.298] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUDITPOLMSG.DLL", cchWideChar=15, lpMultiByteStr=0xadc988, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AUDITPOLMSG.DLL", lpUsedDefaultChar=0x0) returned 15 [0035.298] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.298] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUTHFWCFG.DLL", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0035.298] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUTHFWCFG.DLL", cchWideChar=13, lpMultiByteStr=0xadc940, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AUTHFWCFG.DLL", lpUsedDefaultChar=0x0) returned 13 [0035.298] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.299] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUTHFWGP.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0035.299] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUTHFWGP.DLL", cchWideChar=12, lpMultiByteStr=0xadc988, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AUTHFWGP.DLL", lpUsedDefaultChar=0x0) returned 12 [0035.299] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.299] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUTHFWSNAPIN.DLL", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0035.299] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUTHFWSNAPIN.DLL", cchWideChar=16, lpMultiByteStr=0xadc940, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AUTHFWSNAPIN.DLL", lpUsedDefaultChar=0x0) returned 16 [0035.299] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.299] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUTHFWWIZFWK.DLL", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0035.299] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUTHFWWIZFWK.DLL", cchWideChar=16, lpMultiByteStr=0xadc988, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AUTHFWWIZFWK.DLL", lpUsedDefaultChar=0x0) returned 16 [0035.299] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.299] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUTHUI.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0035.299] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUTHUI.DLL", cchWideChar=10, lpMultiByteStr=0xadc940, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AUTHUI.DLL", lpUsedDefaultChar=0x0) returned 10 [0035.299] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.299] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUTHZ.DLL", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0035.299] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUTHZ.DLL", cchWideChar=9, lpMultiByteStr=0xadc988, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AUTHZ.DLL", lpUsedDefaultChar=0x0) returned 9 [0035.299] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.299] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUTOPLAY.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0035.299] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUTOPLAY.DLL", cchWideChar=12, lpMultiByteStr=0xadc940, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AUTOPLAY.DLL", lpUsedDefaultChar=0x0) returned 12 [0035.299] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.299] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUXILIARYDISPLAYAPI.DLL", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0035.299] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUXILIARYDISPLAYAPI.DLL", cchWideChar=23, lpMultiByteStr=0xadc988, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AUXILIARYDISPLAYAPI.DLL", lpUsedDefaultChar=0x0) returned 23 [0035.299] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.299] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUXILIARYDISPLAYCPL.DLL", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0035.299] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUXILIARYDISPLAYCPL.DLL", cchWideChar=23, lpMultiByteStr=0xadc940, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AUXILIARYDISPLAYCPL.DLL", lpUsedDefaultChar=0x0) returned 23 [0035.299] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.299] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AVICAP32.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0035.299] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AVICAP32.DLL", cchWideChar=12, lpMultiByteStr=0xadc988, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AVICAP32.DLL", lpUsedDefaultChar=0x0) returned 12 [0035.299] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.299] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AVIFIL32.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0035.299] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AVIFIL32.DLL", cchWideChar=12, lpMultiByteStr=0xadc940, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AVIFIL32.DLL", lpUsedDefaultChar=0x0) returned 12 [0035.300] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.300] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AVRT.DLL", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0035.300] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AVRT.DLL", cchWideChar=8, lpMultiByteStr=0xadc988, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AVRT.DLL", lpUsedDefaultChar=0x0) returned 8 [0035.300] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.300] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AZROLES.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.300] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AZROLES.DLL", cchWideChar=11, lpMultiByteStr=0xadc940, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AZROLES.DLL", lpUsedDefaultChar=0x0) returned 11 [0035.300] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.300] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AZROLEUI.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0035.300] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AZROLEUI.DLL", cchWideChar=12, lpMultiByteStr=0xadc988, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AZROLEUI.DLL", lpUsedDefaultChar=0x0) returned 12 [0035.300] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.300] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AZSQLEXT.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0035.300] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AZSQLEXT.DLL", cchWideChar=12, lpMultiByteStr=0xadc940, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AZSQLEXT.DLL", lpUsedDefaultChar=0x0) returned 12 [0035.300] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.300] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BASECSP.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.300] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BASECSP.DLL", cchWideChar=11, lpMultiByteStr=0xadc988, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BASECSP.DLL", lpUsedDefaultChar=0x0) returned 11 [0035.300] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.300] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BATMETER.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0035.300] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BATMETER.DLL", cchWideChar=12, lpMultiByteStr=0xadc940, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BATMETER.DLL", lpUsedDefaultChar=0x0) returned 12 [0035.300] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.300] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BCRYPT.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0035.300] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BCRYPT.DLL", cchWideChar=10, lpMultiByteStr=0xadc988, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BCRYPT.DLL", lpUsedDefaultChar=0x0) returned 10 [0035.300] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.300] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BCRYPTPRIMITIVES.DLL", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0035.300] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BCRYPTPRIMITIVES.DLL", cchWideChar=20, lpMultiByteStr=0xadc940, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BCRYPTPRIMITIVES.DLL", lpUsedDefaultChar=0x0) returned 20 [0035.300] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.300] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BIDISPL.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.300] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BIDISPL.DLL", cchWideChar=11, lpMultiByteStr=0xadc988, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BIDISPL.DLL", lpUsedDefaultChar=0x0) returned 11 [0035.300] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.300] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BIOCREDPROV.DLL", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0035.300] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BIOCREDPROV.DLL", cchWideChar=15, lpMultiByteStr=0xadc940, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BIOCREDPROV.DLL", lpUsedDefaultChar=0x0) returned 15 [0035.301] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.301] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BITSPERF.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0035.301] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BITSPERF.DLL", cchWideChar=12, lpMultiByteStr=0xadc988, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BITSPERF.DLL", lpUsedDefaultChar=0x0) returned 12 [0035.301] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.301] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BITSPRX2.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0035.301] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BITSPRX2.DLL", cchWideChar=12, lpMultiByteStr=0xadc940, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BITSPRX2.DLL", lpUsedDefaultChar=0x0) returned 12 [0035.301] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.301] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BITSPRX3.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0035.301] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BITSPRX3.DLL", cchWideChar=12, lpMultiByteStr=0xadc988, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BITSPRX3.DLL", lpUsedDefaultChar=0x0) returned 12 [0035.301] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.301] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BITSPRX4.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0035.301] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BITSPRX4.DLL", cchWideChar=12, lpMultiByteStr=0xadc940, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BITSPRX4.DLL", lpUsedDefaultChar=0x0) returned 12 [0035.301] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.301] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BITSPRX5.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0035.301] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BITSPRX5.DLL", cchWideChar=12, lpMultiByteStr=0xadc988, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BITSPRX5.DLL", lpUsedDefaultChar=0x0) returned 12 [0035.301] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.301] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BITSPRX6.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0035.301] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BITSPRX6.DLL", cchWideChar=12, lpMultiByteStr=0xadc940, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BITSPRX6.DLL", lpUsedDefaultChar=0x0) returned 12 [0035.301] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.301] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BLACKBOX.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0035.301] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BLACKBOX.DLL", cchWideChar=12, lpMultiByteStr=0xadc988, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BLACKBOX.DLL", lpUsedDefaultChar=0x0) returned 12 [0035.301] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.301] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BOOTVID.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.301] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BOOTVID.DLL", cchWideChar=11, lpMultiByteStr=0xadc940, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BOOTVID.DLL", lpUsedDefaultChar=0x0) returned 11 [0035.301] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.301] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BROWCLI.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.301] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BROWCLI.DLL", cchWideChar=11, lpMultiByteStr=0xadc988, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BROWCLI.DLL", lpUsedDefaultChar=0x0) returned 11 [0035.301] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.301] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BROWSEUI.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0035.302] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BROWSEUI.DLL", cchWideChar=12, lpMultiByteStr=0xadc940, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BROWSEUI.DLL", lpUsedDefaultChar=0x0) returned 12 [0035.302] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.302] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BTPANUI.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.302] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BTPANUI.DLL", cchWideChar=11, lpMultiByteStr=0xadc988, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BTPANUI.DLL", lpUsedDefaultChar=0x0) returned 11 [0035.302] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.302] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BWCONTEXTHANDLER.DLL", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0035.302] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BWCONTEXTHANDLER.DLL", cchWideChar=20, lpMultiByteStr=0xadc940, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BWCONTEXTHANDLER.DLL", lpUsedDefaultChar=0x0) returned 20 [0035.302] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.302] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BWUNPAIRELEVATED.DLL", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0035.302] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BWUNPAIRELEVATED.DLL", cchWideChar=20, lpMultiByteStr=0xadc988, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BWUNPAIRELEVATED.DLL", lpUsedDefaultChar=0x0) returned 20 [0035.302] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.302] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CABINET.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.302] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CABINET.DLL", cchWideChar=11, lpMultiByteStr=0xadc940, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CABINET.DLL", lpUsedDefaultChar=0x0) returned 11 [0035.302] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.302] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CABVIEW.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.302] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CABVIEW.DLL", cchWideChar=11, lpMultiByteStr=0xadc988, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CABVIEW.DLL", lpUsedDefaultChar=0x0) returned 11 [0035.302] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.302] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CAPIPROVIDER.DLL", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0035.302] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CAPIPROVIDER.DLL", cchWideChar=16, lpMultiByteStr=0xadc940, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CAPIPROVIDER.DLL", lpUsedDefaultChar=0x0) returned 16 [0035.302] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.302] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CAPISP.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0035.302] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CAPISP.DLL", cchWideChar=10, lpMultiByteStr=0xadc988, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CAPISP.DLL", lpUsedDefaultChar=0x0) returned 10 [0035.302] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.302] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CATSRV.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0035.302] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CATSRV.DLL", cchWideChar=10, lpMultiByteStr=0xadc940, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CATSRV.DLL", lpUsedDefaultChar=0x0) returned 10 [0035.302] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.302] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CATSRVPS.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0035.302] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CATSRVPS.DLL", cchWideChar=12, lpMultiByteStr=0xadc988, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CATSRVPS.DLL", lpUsedDefaultChar=0x0) returned 12 [0035.302] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.303] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CATSRVUT.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0035.303] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CATSRVUT.DLL", cchWideChar=12, lpMultiByteStr=0xadc940, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CATSRVUT.DLL", lpUsedDefaultChar=0x0) returned 12 [0035.303] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.303] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CCA.DLL", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0035.303] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CCA.DLL", cchWideChar=7, lpMultiByteStr=0xadc988, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CCA.DLL", lpUsedDefaultChar=0x0) returned 7 [0035.303] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.303] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CDOSYS.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0035.303] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CDOSYS.DLL", cchWideChar=10, lpMultiByteStr=0xadc940, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CDOSYS.DLL", lpUsedDefaultChar=0x0) returned 10 [0035.303] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.303] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CERTCLI.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.303] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CERTCLI.DLL", cchWideChar=11, lpMultiByteStr=0xadc988, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CERTCLI.DLL", lpUsedDefaultChar=0x0) returned 11 [0035.303] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.303] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CERTCREDPROVIDER.DLL", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0035.303] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CERTCREDPROVIDER.DLL", cchWideChar=20, lpMultiByteStr=0xadc940, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CERTCREDPROVIDER.DLL", lpUsedDefaultChar=0x0) returned 20 [0035.303] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.303] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CERTENC.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.303] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CERTENC.DLL", cchWideChar=11, lpMultiByteStr=0xadc988, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CERTENC.DLL", lpUsedDefaultChar=0x0) returned 11 [0035.303] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.303] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CERTENROLL.DLL", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0035.303] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CERTENROLL.DLL", cchWideChar=14, lpMultiByteStr=0xadc940, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CERTENROLL.DLL", lpUsedDefaultChar=0x0) returned 14 [0035.303] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.303] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CERTENROLLUI.DLL", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0035.303] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CERTENROLLUI.DLL", cchWideChar=16, lpMultiByteStr=0xadc988, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CERTENROLLUI.DLL", lpUsedDefaultChar=0x0) returned 16 [0035.303] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.303] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CERTMGR.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.303] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CERTMGR.DLL", cchWideChar=11, lpMultiByteStr=0xadc940, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CERTMGR.DLL", lpUsedDefaultChar=0x0) returned 11 [0035.303] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.303] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CERTPOLENG.DLL", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0035.303] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CERTPOLENG.DLL", cchWideChar=14, lpMultiByteStr=0xadc988, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CERTPOLENG.DLL", lpUsedDefaultChar=0x0) returned 14 [0035.304] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.304] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CEWMDM.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0035.304] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CEWMDM.DLL", cchWideChar=10, lpMultiByteStr=0xadc940, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CEWMDM.DLL", lpUsedDefaultChar=0x0) returned 10 [0035.304] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.304] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CFGBKEND.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0035.304] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CFGBKEND.DLL", cchWideChar=12, lpMultiByteStr=0xadc988, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CFGBKEND.DLL", lpUsedDefaultChar=0x0) returned 12 [0035.304] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.304] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CFGMGR32.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0035.304] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CFGMGR32.DLL", cchWideChar=12, lpMultiByteStr=0xadc940, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CFGMGR32.DLL", lpUsedDefaultChar=0x0) returned 12 [0035.304] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.304] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CHSBRKR.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.304] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CHSBRKR.DLL", cchWideChar=11, lpMultiByteStr=0xadc988, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CHSBRKR.DLL", lpUsedDefaultChar=0x0) returned 11 [0035.304] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.304] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CHTBRKR.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.304] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CHTBRKR.DLL", cchWideChar=11, lpMultiByteStr=0xadc940, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CHTBRKR.DLL", lpUsedDefaultChar=0x0) returned 11 [0035.304] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.304] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CHXREADINGSTRINGIME.DLL", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0035.304] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CHXREADINGSTRINGIME.DLL", cchWideChar=23, lpMultiByteStr=0xadc988, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CHXREADINGSTRINGIME.DLL", lpUsedDefaultChar=0x0) returned 23 [0035.304] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.304] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CIC.DLL", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0035.304] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CIC.DLL", cchWideChar=7, lpMultiByteStr=0xadc940, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CIC.DLL", lpUsedDefaultChar=0x0) returned 7 [0035.304] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.304] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CLB.DLL", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0035.304] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CLB.DLL", cchWideChar=7, lpMultiByteStr=0xadc988, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CLB.DLL", lpUsedDefaultChar=0x0) returned 7 [0035.304] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.304] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CLBCATQ.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.304] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CLBCATQ.DLL", cchWideChar=11, lpMultiByteStr=0xadc940, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CLBCATQ.DLL", lpUsedDefaultChar=0x0) returned 11 [0035.304] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.304] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CLFSW32.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.304] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CLFSW32.DLL", cchWideChar=11, lpMultiByteStr=0xadc988, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CLFSW32.DLL", lpUsedDefaultChar=0x0) returned 11 [0035.305] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.305] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CLICONFG.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0035.305] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CLICONFG.DLL", cchWideChar=12, lpMultiByteStr=0xadc940, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CLICONFG.DLL", lpUsedDefaultChar=0x0) returned 12 [0035.305] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.305] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CLUSAPI.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.305] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CLUSAPI.DLL", cchWideChar=11, lpMultiByteStr=0xadc988, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CLUSAPI.DLL", lpUsedDefaultChar=0x0) returned 11 [0035.305] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.305] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CMCFG32.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.305] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CMCFG32.DLL", cchWideChar=11, lpMultiByteStr=0xadc940, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CMCFG32.DLL", lpUsedDefaultChar=0x0) returned 11 [0035.305] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.305] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CMDIAL32.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0035.305] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CMDIAL32.DLL", cchWideChar=12, lpMultiByteStr=0xadc988, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CMDIAL32.DLL", lpUsedDefaultChar=0x0) returned 12 [0035.305] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.305] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CMICRYPTINSTALL.DLL", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0035.305] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CMICRYPTINSTALL.DLL", cchWideChar=19, lpMultiByteStr=0xadc940, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CMICRYPTINSTALL.DLL", lpUsedDefaultChar=0x0) returned 19 [0035.305] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.305] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CMIFW.DLL", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0035.305] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CMIFW.DLL", cchWideChar=9, lpMultiByteStr=0xadc988, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CMIFW.DLL", lpUsedDefaultChar=0x0) returned 9 [0035.305] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.305] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CMIPNPINSTALL.DLL", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0035.305] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CMIPNPINSTALL.DLL", cchWideChar=17, lpMultiByteStr=0xadc940, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CMIPNPINSTALL.DLL", lpUsedDefaultChar=0x0) returned 17 [0035.305] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.305] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CMLUA.DLL", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0035.305] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CMLUA.DLL", cchWideChar=9, lpMultiByteStr=0xadc988, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CMLUA.DLL", lpUsedDefaultChar=0x0) returned 9 [0035.305] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.305] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CMPBK32.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.305] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CMPBK32.DLL", cchWideChar=11, lpMultiByteStr=0xadc940, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CMPBK32.DLL", lpUsedDefaultChar=0x0) returned 11 [0035.305] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.305] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CMSTPLUA.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0035.306] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CMSTPLUA.DLL", cchWideChar=12, lpMultiByteStr=0xadc988, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CMSTPLUA.DLL", lpUsedDefaultChar=0x0) returned 12 [0035.306] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.306] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CMUTIL.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0035.306] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CMUTIL.DLL", cchWideChar=10, lpMultiByteStr=0xadc940, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CMUTIL.DLL", lpUsedDefaultChar=0x0) returned 10 [0035.306] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.306] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CNGAUDIT.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0035.306] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CNGAUDIT.DLL", cchWideChar=12, lpMultiByteStr=0xadc988, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CNGAUDIT.DLL", lpUsedDefaultChar=0x0) returned 12 [0035.306] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.306] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CNGPROVIDER.DLL", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0035.306] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CNGPROVIDER.DLL", cchWideChar=15, lpMultiByteStr=0xadc940, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CNGPROVIDER.DLL", lpUsedDefaultChar=0x0) returned 15 [0035.306] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.306] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CNVFAT.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0035.306] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CNVFAT.DLL", cchWideChar=10, lpMultiByteStr=0xadc988, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CNVFAT.DLL", lpUsedDefaultChar=0x0) returned 10 [0035.306] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.306] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="COLBACT.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.306] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="COLBACT.DLL", cchWideChar=11, lpMultiByteStr=0xadc940, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="COLBACT.DLL", lpUsedDefaultChar=0x0) returned 11 [0035.306] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.306] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="COLORCNV.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0035.306] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="COLORCNV.DLL", cchWideChar=12, lpMultiByteStr=0xadc988, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="COLORCNV.DLL", lpUsedDefaultChar=0x0) returned 12 [0035.306] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.306] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="COLORUI.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.306] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="COLORUI.DLL", cchWideChar=11, lpMultiByteStr=0xadc940, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="COLORUI.DLL", lpUsedDefaultChar=0x0) returned 11 [0035.306] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.306] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="COMCAT.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0035.306] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="COMCAT.DLL", cchWideChar=10, lpMultiByteStr=0xadc988, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="COMCAT.DLL", lpUsedDefaultChar=0x0) returned 10 [0035.306] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.306] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="COMCTL32.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0035.306] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="COMCTL32.DLL", cchWideChar=12, lpMultiByteStr=0xadc940, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="COMCTL32.DLL", lpUsedDefaultChar=0x0) returned 12 [0035.306] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.306] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="COMDLG32.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0035.307] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="COMDLG32.DLL", cchWideChar=12, lpMultiByteStr=0xadc988, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="COMDLG32.DLL", lpUsedDefaultChar=0x0) returned 12 [0035.307] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.307] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="COMPOBJ.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.307] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="COMPOBJ.DLL", cchWideChar=11, lpMultiByteStr=0xadc940, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="COMPOBJ.DLL", lpUsedDefaultChar=0x0) returned 11 [0035.307] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.307] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="COMPSTUI.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0035.307] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="COMPSTUI.DLL", cchWideChar=12, lpMultiByteStr=0xadc988, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="COMPSTUI.DLL", lpUsedDefaultChar=0x0) returned 12 [0035.307] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.307] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="COMREPL.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.307] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="COMREPL.DLL", cchWideChar=11, lpMultiByteStr=0xadc940, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="COMREPL.DLL", lpUsedDefaultChar=0x0) returned 11 [0035.307] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.307] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="COMRES.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0035.307] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="COMRES.DLL", cchWideChar=10, lpMultiByteStr=0xadc988, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="COMRES.DLL", lpUsedDefaultChar=0x0) returned 10 [0035.307] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.307] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="COMSNAP.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.307] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="COMSNAP.DLL", cchWideChar=11, lpMultiByteStr=0xadc940, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="COMSNAP.DLL", lpUsedDefaultChar=0x0) returned 11 [0035.307] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.307] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="COMSVCS.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.307] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="COMSVCS.DLL", cchWideChar=11, lpMultiByteStr=0xadc988, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="COMSVCS.DLL", lpUsedDefaultChar=0x0) returned 11 [0035.307] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.307] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="COMUID.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0035.307] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="COMUID.DLL", cchWideChar=10, lpMultiByteStr=0xadc940, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="COMUID.DLL", lpUsedDefaultChar=0x0) returned 10 [0035.307] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.307] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CONCRT140.DLL", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0035.307] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CONCRT140.DLL", cchWideChar=13, lpMultiByteStr=0xadc988, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CONCRT140.DLL", lpUsedDefaultChar=0x0) returned 13 [0035.307] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.307] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CONNECT.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.307] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CONNECT.DLL", cchWideChar=11, lpMultiByteStr=0xadc940, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CONNECT.DLL", lpUsedDefaultChar=0x0) returned 11 [0035.307] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.308] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CONSOLE.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.308] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CONSOLE.DLL", cchWideChar=11, lpMultiByteStr=0xadc988, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CONSOLE.DLL", lpUsedDefaultChar=0x0) returned 11 [0035.308] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.308] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CORPOL.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0035.308] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CORPOL.DLL", cchWideChar=10, lpMultiByteStr=0xadc940, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CORPOL.DLL", lpUsedDefaultChar=0x0) returned 10 [0035.308] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.308] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CPFILTERS.DLL", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0035.308] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CPFILTERS.DLL", cchWideChar=13, lpMultiByteStr=0xadc988, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CPFILTERS.DLL", lpUsedDefaultChar=0x0) returned 13 [0035.308] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.308] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CREDSSP.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.308] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CREDSSP.DLL", cchWideChar=11, lpMultiByteStr=0xadc940, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CREDSSP.DLL", lpUsedDefaultChar=0x0) returned 11 [0035.308] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.308] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CREDUI.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0035.308] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CREDUI.DLL", cchWideChar=10, lpMultiByteStr=0xadc988, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CREDUI.DLL", lpUsedDefaultChar=0x0) returned 10 [0035.308] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.308] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CRTDLL.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0035.308] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CRTDLL.DLL", cchWideChar=10, lpMultiByteStr=0xadc940, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CRTDLL.DLL", lpUsedDefaultChar=0x0) returned 10 [0035.308] FindNextFileW (in: hFindFile=0x289ec0, lpFindFileData=0x1cf3f4 | out: lpFindFileData=0x1cf3f4) returned 1 [0035.308] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CRYPT32.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.308] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CRYPT32.DLL", cchWideChar=11, lpMultiByteStr=0xadc988, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CRYPT32.DLL", lpUsedDefaultChar=0x0) returned 11 [0035.308] LdrLoadDll (in: SearchPath=0x0, LoadFlags=0x0, Name="crypt32.dll", BaseAddress=0x1cf668 | out: BaseAddress=0x1cf668*=0x75720000) returned 0x0 [0035.310] FindClose (in: hFindFile=0x289ec0 | out: hFindFile=0x289ec0) returned 1 [0035.311] CryptStringToBinaryA (in: pszString="-----BEGIN PUBLIC KEY-----\r\nMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCdXOKTkkjURSPoRv6ciKwuUyK8\r\n+7EiuEHzxMGanjcW6+UbzAT1+MKH43GnfnWdTedvkgYD5Zg8lNUasTJ0FdRzHLDO\r\np5ciKIG0vITHV9kDtV/NtU2M/uKYO51wmO4fC2eLWZRS6ru7CQNJYfId0nXGFmU6\r\n3tqF+NLM1KW2f/gHnwIDAQAB\r\n-----END PUBLIC KEY-----", cchString=0x0, dwFlags=0x0, pbBinary=0x0, pcbBinary=0x1cf690, pdwSkip=0x0, pdwFlags=0x0 | out: pbBinary=0x0, pcbBinary=0x1cf690, pdwSkip=0x0, pdwFlags=0x0) returned 1 [0035.311] CryptStringToBinaryA (in: pszString="-----BEGIN PUBLIC KEY-----\r\nMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCdXOKTkkjURSPoRv6ciKwuUyK8\r\n+7EiuEHzxMGanjcW6+UbzAT1+MKH43GnfnWdTedvkgYD5Zg8lNUasTJ0FdRzHLDO\r\np5ciKIG0vITHV9kDtV/NtU2M/uKYO51wmO4fC2eLWZRS6ru7CQNJYfId0nXGFmU6\r\n3tqF+NLM1KW2f/gHnwIDAQAB\r\n-----END PUBLIC KEY-----", cchString=0x0, dwFlags=0x0, pbBinary=0xae7a18, pcbBinary=0x1cf690, pdwSkip=0x0, pdwFlags=0x0 | out: pbBinary=0xae7a18, pcbBinary=0x1cf690, pdwSkip=0x0, pdwFlags=0x0) returned 1 [0035.311] CryptDecodeObject (in: dwCertEncodingType=0x10001, lpszStructType=0x8, pbEncoded=0xae7a18, cbEncoded=0xa2, dwFlags=0x0, pvStructInfo=0x0, pcbStructInfo=0x1cf690 | out: pvStructInfo=0x0, pcbStructInfo=0x1cf690) returned 1 [0035.312] CryptDecodeObject (in: dwCertEncodingType=0x10001, lpszStructType=0x8, pbEncoded=0xae7a18, cbEncoded=0xa2, dwFlags=0x0, pvStructInfo=0xae80a8, pcbStructInfo=0x1cf690 | out: pvStructInfo=0xae80a8, pcbStructInfo=0x1cf690) returned 1 [0035.312] CryptImportPublicKeyInfo (in: hCryptProv=0x2889e8, dwCertEncodingType=0x10001, pInfo=0xae80a8*(Algorithm.pszObjId="1.2.840.113549.1.1.1", Algorithm.Parameters.cbData=0x2, Algorithm.Parameters.pbData=0xae80d8*, PublicKey.cbData=0x8c, PublicKey.pbData=0xae80e0*, PublicKey.cUnusedBits=0x0), phKey=0x1cf698 | out: phKey=0x1cf698*=0x289ec0) returned 1 [0035.313] ReleaseMutex (hMutex=0x100) returned 1 [0035.313] StartServiceCtrlDispatcherW (lpServiceTable=0x1cf708*(lpServiceName="", lpServiceProc=0x86f270)) [0090.448] SetServiceStatus (hServiceStatus=0x29fff8, lpServiceStatus=0x1cf5e8*(dwServiceType=0x10, dwCurrentState=0x3, dwControlsAccepted=0x7, dwWin32ExitCode=0x0, dwServiceSpecificExitCode=0x0, dwCheckPoint=0x0, dwWaitHint=0x0)) returned 1 Thread: id = 281 os_tid = 0x994 Thread: id = 282 os_tid = 0x998 Thread: id = 283 os_tid = 0x99c Thread: id = 284 os_tid = 0x9a0 [0035.321] RegisterServiceCtrlHandlerExW (lpServiceName="", lpHandlerProc=0x86eff6, lpContext=0x0) returned 0x29fff8 [0035.322] SetServiceStatus (hServiceStatus=0x29fff8, lpServiceStatus=0x151fec0*(dwServiceType=0x10, dwCurrentState=0x4, dwControlsAccepted=0x7, dwWin32ExitCode=0x0, dwServiceSpecificExitCode=0x0, dwCheckPoint=0x0, dwWaitHint=0x0)) returned 1 [0035.326] Wow64DisableWow64FsRedirection (in: OldValue=0x151feb0 | out: OldValue=0x151feb0*=0x0) returned 1 [0035.326] GetModuleFileNameW (in: hModule=0x0, lpFilename=0xae80a8, nSize=0x200 | out: lpFilename="C:\\Program Files\\Common Files\\Microsoft Shared\\Source Engine\\OSE.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\source engine\\ose.exe")) returned 0x44 [0035.326] GetEnvironmentVariableW (in: lpName="COMPUTERNAME", lpBuffer=0xae7a18, nSize=0x40 | out: lpBuffer="XDUWTFONO") returned 0x9 [0035.326] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="XDUWTFONO", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0035.326] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="XDUWTFONO", cchWideChar=9, lpMultiByteStr=0xadc2c8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="XDUWTFONO", lpUsedDefaultChar=0x0) returned 9 [0035.326] ConvertStringSecurityDescriptorToSecurityDescriptorW () returned 0x1 [0035.327] GetSecurityDescriptorSacl (in: pSecurityDescriptor=0x2a1a78, lpbSaclPresent=0x151fccc, pSacl=0x151fd30, lpbSaclDefaulted=0x151fccc | out: lpbSaclPresent=0x151fccc, pSacl=0x151fd30, lpbSaclDefaulted=0x151fccc) returned 1 [0035.327] CreateEventA (lpEventAttributes=0x151fd24, bManualReset=1, bInitialState=0, lpName="") returned 0x12c [0035.327] GetLastError () returned 0x0 [0035.327] LocalFree (hMem=0x2a1a78) returned 0x0 [0035.327] CryptAcquireContextW (in: phProv=0x151fd14, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x151fd14*=0x28f1e0) returned 1 [0035.328] CryptCreateHash (in: hProv=0x28f1e0, Algid=0x8003, hKey=0x0, dwFlags=0x0, phHash=0x151fd14 | out: phHash=0x151fd14) returned 1 [0035.328] CryptHashData (hHash=0x2a3f88, pbData=0xadc238, dwDataLen=0xb, dwFlags=0x0) returned 1 [0035.328] CryptGetHashParam (in: hHash=0x2a3f88, dwParam=0x4, pbData=0x151fd18, pdwDataLen=0x151fd24, dwFlags=0x0 | out: pbData=0x151fd18, pdwDataLen=0x151fd24) returned 1 [0035.328] CryptGetHashParam (in: hHash=0x2a3f88, dwParam=0x2, pbData=0xadca60, pdwDataLen=0x151fd18, dwFlags=0x0 | out: pbData=0xadca60, pdwDataLen=0x151fd18) returned 1 [0035.328] CryptDestroyHash (hHash=0x2a3f88) returned 1 [0035.328] CryptReleaseContext (hProv=0x28f1e0, dwFlags=0x0) returned 1 [0035.328] OpenEventA (dwDesiredAccess=0x100002, bInheritHandle=0, lpName="Global\\{92EAD6E2-16CB-825D-3763-CAC9D6ED414E}") returned 0x130 [0035.328] GetLastError () returned 0x0 [0035.328] CryptAcquireContextW (in: phProv=0x151fd14, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x151fd14*=0x28f1e0) returned 1 [0035.329] CryptCreateHash (in: hProv=0x28f1e0, Algid=0x8003, hKey=0x0, dwFlags=0x0, phHash=0x151fd14 | out: phHash=0x151fd14) returned 1 [0035.329] CryptHashData (hHash=0x2a3f88, pbData=0xadc238, dwDataLen=0xb, dwFlags=0x0) returned 1 [0035.329] CryptGetHashParam (in: hHash=0x2a3f88, dwParam=0x4, pbData=0x151fd18, pdwDataLen=0x151fd24, dwFlags=0x0 | out: pbData=0x151fd18, pdwDataLen=0x151fd24) returned 1 [0035.329] CryptGetHashParam (in: hHash=0x2a3f88, dwParam=0x2, pbData=0xae8d28, pdwDataLen=0x151fd18, dwFlags=0x0 | out: pbData=0xae8d28, pdwDataLen=0x151fd18) returned 1 [0035.329] CryptDestroyHash (hHash=0x2a3f88) returned 1 [0035.329] CryptReleaseContext (hProv=0x28f1e0, dwFlags=0x0) returned 1 [0035.329] OpenMutexA (dwDesiredAccess=0x100002, bInheritHandle=0, lpName="Global\\{FD64C8AB-F74D-C8D4-F31D-96A1BB45705E}") returned 0x0 [0035.333] GetLastError () returned 0x5 [0035.333] OpenMutexA (dwDesiredAccess=0x2, bInheritHandle=0, lpName="Global\\{FD64C8AB-F74D-C8D4-F31D-96A1BB45705E}") returned 0x0 [0035.339] OpenMutexA (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\{FD64C8AB-F74D-C8D4-F31D-96A1BB45705E}") returned 0x134 [0035.342] SetEvent (hEvent=0x130) returned 1 [0035.342] WaitForSingleObject (hHandle=0x134, dwMilliseconds=0xffffffff) returned 0x0 [0035.342] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x4) returned 0x2a0138 [0035.347] EnumServicesStatusExW (in: hSCManager=0x2a0138, InfoLevel=0x0, dwServiceType=0x30, dwServiceState=0x3, lpServices=0xae9a40, cbBufSize=0x40000, pcbBytesNeeded=0x151fbc0, lpServicesReturned=0x151fbb0, lpResumeHandle=0x151fbbc, pszGroupName=0x0 | out: lpServices=0xae9a40, pcbBytesNeeded=0x151fbc0, lpServicesReturned=0x151fbb0, lpResumeHandle=0x151fbbc) returned 1 [0035.362] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="adobeflashplayerupdatesvc", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0035.362] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="adobeflashplayerupdatesvc", cchWideChar=25, lpMultiByteStr=0xae8e48, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="adobeflashplayerupdatesvc", lpUsedDefaultChar=0x0) returned 25 [0035.362] OpenServiceW (hSCManager=0x2a0138, lpServiceName="AdobeFlashPlayerUpdateSvc", dwDesiredAccess=0x1) returned 0x2a00e8 [0035.363] QueryServiceConfigW (in: hService=0x2a00e8, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.363] GetLastError () returned 0x7a [0035.363] QueryServiceConfigW (in: hService=0x2a00e8, lpServiceConfig=0xb29a48, cbBufSize=0x146, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.364] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="flashplayerupdateservice.exe", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0035.364] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="flashplayerupdateservice.exe", cchWideChar=28, lpMultiByteStr=0xae8e90, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="flashplayerupdateservice.exe", lpUsedDefaultChar=0x0) returned 28 [0035.364] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="aelookupsvc", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.364] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="aelookupsvc", cchWideChar=11, lpMultiByteStr=0xae8ed8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="aelookupsvc", lpUsedDefaultChar=0x0) returned 11 [0035.364] OpenServiceW (hSCManager=0x2a0138, lpServiceName="AeLookupSvc", dwDesiredAccess=0x1) returned 0x290828 [0035.364] CloseServiceHandle (hSCObject=0x2a00e8) returned 1 [0035.364] QueryServiceConfigW (in: hService=0x290828, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.365] GetLastError () returned 0x7a [0035.365] QueryServiceConfigW (in: hService=0x290828, lpServiceConfig=0xb29a48, cbBufSize=0x106, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.365] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.365] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xae8f20, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0035.366] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="alg", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0035.366] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="alg", cchWideChar=3, lpMultiByteStr=0xae8f20, cbMultiByte=3, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="alg", lpUsedDefaultChar=0x0) returned 3 [0035.366] OpenServiceW (hSCManager=0x2a0138, lpServiceName="ALG", dwDesiredAccess=0x1) returned 0x2907b0 [0035.366] CloseServiceHandle (hSCObject=0x290828) returned 1 [0035.366] QueryServiceConfigW (in: hService=0x2907b0, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.367] GetLastError () returned 0x7a [0035.367] QueryServiceConfigW (in: hService=0x2907b0, lpServiceConfig=0xb29a48, cbBufSize=0x11a, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.367] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="alg.exe", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0035.367] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="alg.exe", cchWideChar=7, lpMultiByteStr=0xae8f68, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="alg.exe", lpUsedDefaultChar=0x0) returned 7 [0035.367] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="appidsvc", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0035.367] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="appidsvc", cchWideChar=8, lpMultiByteStr=0xae8f68, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="appidsvc", lpUsedDefaultChar=0x0) returned 8 [0035.367] OpenServiceW (hSCManager=0x2a0138, lpServiceName="AppIDSvc", dwDesiredAccess=0x1) returned 0x290878 [0035.368] CloseServiceHandle (hSCObject=0x2907b0) returned 1 [0035.368] QueryServiceConfigW (in: hService=0x290878, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.368] GetLastError () returned 0x7a [0035.368] QueryServiceConfigW (in: hService=0x290878, lpServiceConfig=0xb29a48, cbBufSize=0x18e, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.369] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.369] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xae8fb0, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0035.369] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="appinfo", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0035.369] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="appinfo", cchWideChar=7, lpMultiByteStr=0xae8fb0, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="appinfo", lpUsedDefaultChar=0x0) returned 7 [0035.369] OpenServiceW (hSCManager=0x2a0138, lpServiceName="Appinfo", dwDesiredAccess=0x1) returned 0x2908a0 [0035.369] CloseServiceHandle (hSCObject=0x290878) returned 1 [0035.370] QueryServiceConfigW (in: hService=0x2908a0, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.370] GetLastError () returned 0x7a [0035.370] QueryServiceConfigW (in: hService=0x2908a0, lpServiceConfig=0xb29a48, cbBufSize=0x122, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.371] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.371] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xae8ff8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0035.371] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="appmgmt", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0035.371] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="appmgmt", cchWideChar=7, lpMultiByteStr=0xae8ff8, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="appmgmt", lpUsedDefaultChar=0x0) returned 7 [0035.371] OpenServiceW (hSCManager=0x2a0138, lpServiceName="AppMgmt", dwDesiredAccess=0x1) returned 0x290828 [0035.371] CloseServiceHandle (hSCObject=0x2908a0) returned 1 [0035.371] QueryServiceConfigW (in: hService=0x290828, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.372] GetLastError () returned 0x7a [0035.372] QueryServiceConfigW (in: hService=0x290828, lpServiceConfig=0xb29a48, cbBufSize=0x106, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.372] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.373] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xae9040, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0035.373] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="aspnet_state", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0035.373] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="aspnet_state", cchWideChar=12, lpMultiByteStr=0xae9040, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="aspnet_state", lpUsedDefaultChar=0x0) returned 12 [0035.373] OpenServiceW (hSCManager=0x2a0138, lpServiceName="aspnet_state", dwDesiredAccess=0x1) returned 0x2907b0 [0035.373] CloseServiceHandle (hSCObject=0x290828) returned 1 [0035.373] QueryServiceConfigW (in: hService=0x2907b0, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.374] GetLastError () returned 0x7a [0035.374] QueryServiceConfigW (in: hService=0x2907b0, lpServiceConfig=0xb29a48, cbBufSize=0x150, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.374] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="aspnet_state.exe", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0035.374] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="aspnet_state.exe", cchWideChar=16, lpMultiByteStr=0xae9088, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="aspnet_state.exe", lpUsedDefaultChar=0x0) returned 16 [0035.375] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="audioendpointbuilder", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0035.375] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="audioendpointbuilder", cchWideChar=20, lpMultiByteStr=0xae9088, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="audioendpointbuilder", lpUsedDefaultChar=0x0) returned 20 [0035.375] OpenServiceW (hSCManager=0x2a0138, lpServiceName="AudioEndpointBuilder", dwDesiredAccess=0x1) returned 0x290878 [0035.375] CloseServiceHandle (hSCObject=0x2907b0) returned 1 [0035.375] QueryServiceConfigW (in: hService=0x290878, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.376] GetLastError () returned 0x7a [0035.376] QueryServiceConfigW (in: hService=0x290878, lpServiceConfig=0xb29a48, cbBufSize=0x164, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.376] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.376] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xae90d0, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0035.376] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="audiosrv", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0035.376] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="audiosrv", cchWideChar=8, lpMultiByteStr=0xae90d0, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="audiosrv", lpUsedDefaultChar=0x0) returned 8 [0035.376] OpenServiceW (hSCManager=0x2a0138, lpServiceName="AudioSrv", dwDesiredAccess=0x1) returned 0x2908a0 [0035.377] CloseServiceHandle (hSCObject=0x290878) returned 1 [0035.377] QueryServiceConfigW (in: hService=0x2908a0, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.377] GetLastError () returned 0x7a [0035.377] QueryServiceConfigW (in: hService=0x2908a0, lpServiceConfig=0xb29a48, cbBufSize=0x190, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.378] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.378] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xae9118, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0035.378] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="axinstsv", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0035.378] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="axinstsv", cchWideChar=8, lpMultiByteStr=0xae9118, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="axinstsv", lpUsedDefaultChar=0x0) returned 8 [0035.378] OpenServiceW (hSCManager=0x2a0138, lpServiceName="AxInstSV", dwDesiredAccess=0x1) returned 0x290828 [0035.378] CloseServiceHandle (hSCObject=0x2908a0) returned 1 [0035.379] QueryServiceConfigW (in: hService=0x290828, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.379] GetLastError () returned 0x7a [0035.379] QueryServiceConfigW (in: hService=0x290828, lpServiceConfig=0xb29a48, cbBufSize=0x128, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.380] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.380] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xae9160, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0035.380] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="bdesvc", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0035.380] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="bdesvc", cchWideChar=6, lpMultiByteStr=0xae9160, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bdesvc", lpUsedDefaultChar=0x0) returned 6 [0035.380] OpenServiceW (hSCManager=0x2a0138, lpServiceName="BDESVC", dwDesiredAccess=0x1) returned 0x2907b0 [0035.380] CloseServiceHandle (hSCObject=0x290828) returned 1 [0035.380] QueryServiceConfigW (in: hService=0x2907b0, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.381] GetLastError () returned 0x7a [0035.381] QueryServiceConfigW (in: hService=0x2907b0, lpServiceConfig=0xb29a48, cbBufSize=0x11e, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.381] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.381] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xae91a8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0035.382] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="bfe", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0035.382] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="bfe", cchWideChar=3, lpMultiByteStr=0xae91a8, cbMultiByte=3, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bfe", lpUsedDefaultChar=0x0) returned 3 [0035.382] OpenServiceW (hSCManager=0x2a0138, lpServiceName="BFE", dwDesiredAccess=0x1) returned 0x290878 [0035.382] CloseServiceHandle (hSCObject=0x2907b0) returned 1 [0035.382] QueryServiceConfigW (in: hService=0x290878, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.383] GetLastError () returned 0x7a [0035.383] QueryServiceConfigW (in: hService=0x290878, lpServiceConfig=0xb29a48, cbBufSize=0x164, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.383] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.383] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xae91f0, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0035.383] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="bits", cchWideChar=4, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 4 [0035.383] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="bits", cchWideChar=4, lpMultiByteStr=0xae91f0, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bits", lpUsedDefaultChar=0x0) returned 4 [0035.384] OpenServiceW (hSCManager=0x2a0138, lpServiceName="BITS", dwDesiredAccess=0x1) returned 0x2908a0 [0035.384] CloseServiceHandle (hSCObject=0x290878) returned 1 [0035.384] QueryServiceConfigW (in: hService=0x2908a0, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.384] GetLastError () returned 0x7a [0035.384] QueryServiceConfigW (in: hService=0x2908a0, lpServiceConfig=0xb29a48, cbBufSize=0x14a, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.385] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.385] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xae9238, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0035.385] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="browser", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0035.385] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="browser", cchWideChar=7, lpMultiByteStr=0xae9238, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="browser", lpUsedDefaultChar=0x0) returned 7 [0035.385] OpenServiceW (hSCManager=0x2a0138, lpServiceName="Browser", dwDesiredAccess=0x1) returned 0x290828 [0035.385] CloseServiceHandle (hSCObject=0x2908a0) returned 1 [0035.386] QueryServiceConfigW (in: hService=0x290828, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.386] GetLastError () returned 0x7a [0035.386] QueryServiceConfigW (in: hService=0x290828, lpServiceConfig=0xb29a48, cbBufSize=0x154, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.386] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.386] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xae9280, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0035.386] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="bthserv", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0035.387] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="bthserv", cchWideChar=7, lpMultiByteStr=0xae9280, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bthserv", lpUsedDefaultChar=0x0) returned 7 [0035.387] OpenServiceW (hSCManager=0x2a0138, lpServiceName="bthserv", dwDesiredAccess=0x1) returned 0x2907b0 [0035.387] CloseServiceHandle (hSCObject=0x290828) returned 1 [0035.387] QueryServiceConfigW (in: hService=0x2907b0, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.387] GetLastError () returned 0x7a [0035.387] QueryServiceConfigW (in: hService=0x2907b0, lpServiceConfig=0xb29a48, cbBufSize=0x132, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.388] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.388] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xae92c8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0035.388] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="certpropsvc", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.388] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="certpropsvc", cchWideChar=11, lpMultiByteStr=0xae92c8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="certpropsvc", lpUsedDefaultChar=0x0) returned 11 [0035.388] OpenServiceW (hSCManager=0x2a0138, lpServiceName="CertPropSvc", dwDesiredAccess=0x1) returned 0x290878 [0035.388] CloseServiceHandle (hSCObject=0x2907b0) returned 1 [0035.388] QueryServiceConfigW (in: hService=0x290878, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.389] GetLastError () returned 0x7a [0035.389] QueryServiceConfigW (in: hService=0x290878, lpServiceConfig=0xb29a48, cbBufSize=0x112, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.389] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.389] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xae9310, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0035.389] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="clr_optimization_v2.0.50727_32", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0035.389] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="clr_optimization_v2.0.50727_32", cchWideChar=30, lpMultiByteStr=0xae9310, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="clr_optimization_v2.0.50727_32", lpUsedDefaultChar=0x0) returned 30 [0035.389] OpenServiceW (hSCManager=0x2a0138, lpServiceName="clr_optimization_v2.0.50727_32", dwDesiredAccess=0x1) returned 0x2908a0 [0035.390] CloseServiceHandle (hSCObject=0x290878) returned 1 [0035.390] QueryServiceConfigW (in: hService=0x2908a0, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.390] GetLastError () returned 0x7a [0035.390] QueryServiceConfigW (in: hService=0x2908a0, lpServiceConfig=0xb29a48, cbBufSize=0x152, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.390] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mscorsvw.exe", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0035.391] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mscorsvw.exe", cchWideChar=12, lpMultiByteStr=0xae9358, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mscorsvw.exe", lpUsedDefaultChar=0x0) returned 12 [0035.391] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="clr_optimization_v2.0.50727_64", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0035.391] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="clr_optimization_v2.0.50727_64", cchWideChar=30, lpMultiByteStr=0xae9310, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="clr_optimization_v2.0.50727_64", lpUsedDefaultChar=0x0) returned 30 [0035.391] OpenServiceW (hSCManager=0x2a0138, lpServiceName="clr_optimization_v2.0.50727_64", dwDesiredAccess=0x1) returned 0x290828 [0035.391] CloseServiceHandle (hSCObject=0x2908a0) returned 1 [0035.391] QueryServiceConfigW (in: hService=0x290828, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.391] GetLastError () returned 0x7a [0035.391] QueryServiceConfigW (in: hService=0x290828, lpServiceConfig=0xb29a48, cbBufSize=0x156, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.392] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mscorsvw.exe", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0035.392] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mscorsvw.exe", cchWideChar=12, lpMultiByteStr=0xae9358, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mscorsvw.exe", lpUsedDefaultChar=0x0) returned 12 [0035.392] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="clr_optimization_v4.0.30319_32", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0035.392] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="clr_optimization_v4.0.30319_32", cchWideChar=30, lpMultiByteStr=0xae9358, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="clr_optimization_v4.0.30319_32", lpUsedDefaultChar=0x0) returned 30 [0035.392] OpenServiceW (hSCManager=0x2a0138, lpServiceName="clr_optimization_v4.0.30319_32", dwDesiredAccess=0x1) returned 0x2907b0 [0035.392] CloseServiceHandle (hSCObject=0x290828) returned 1 [0035.392] QueryServiceConfigW (in: hService=0x2907b0, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.393] GetLastError () returned 0x7a [0035.393] QueryServiceConfigW (in: hService=0x2907b0, lpServiceConfig=0xb29a48, cbBufSize=0x152, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.393] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mscorsvw.exe", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0035.393] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mscorsvw.exe", cchWideChar=12, lpMultiByteStr=0xae93a0, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mscorsvw.exe", lpUsedDefaultChar=0x0) returned 12 [0035.393] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="clr_optimization_v4.0.30319_64", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0035.393] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="clr_optimization_v4.0.30319_64", cchWideChar=30, lpMultiByteStr=0xae93a0, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="clr_optimization_v4.0.30319_64", lpUsedDefaultChar=0x0) returned 30 [0035.393] OpenServiceW (hSCManager=0x2a0138, lpServiceName="clr_optimization_v4.0.30319_64", dwDesiredAccess=0x1) returned 0x290878 [0035.394] CloseServiceHandle (hSCObject=0x2907b0) returned 1 [0035.394] QueryServiceConfigW (in: hService=0x290878, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.394] GetLastError () returned 0x7a [0035.394] QueryServiceConfigW (in: hService=0x290878, lpServiceConfig=0xb29a48, cbBufSize=0x156, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.395] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mscorsvw.exe", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0035.395] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mscorsvw.exe", cchWideChar=12, lpMultiByteStr=0xae93e8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mscorsvw.exe", lpUsedDefaultChar=0x0) returned 12 [0035.395] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="comsysapp", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0035.395] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="comsysapp", cchWideChar=9, lpMultiByteStr=0xae93e8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="comsysapp", lpUsedDefaultChar=0x0) returned 9 [0035.395] OpenServiceW (hSCManager=0x2a0138, lpServiceName="COMSysApp", dwDesiredAccess=0x1) returned 0x2908a0 [0035.397] CloseServiceHandle (hSCObject=0x290878) returned 1 [0035.397] QueryServiceConfigW (in: hService=0x2908a0, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.398] GetLastError () returned 0x7a [0035.398] QueryServiceConfigW (in: hService=0x2908a0, lpServiceConfig=0xb29a48, cbBufSize=0x182, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.398] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="dllhost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.398] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="dllhost.exe", cchWideChar=11, lpMultiByteStr=0xae9430, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dllhost.exe", lpUsedDefaultChar=0x0) returned 11 [0035.398] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="cryptsvc", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0035.398] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="cryptsvc", cchWideChar=8, lpMultiByteStr=0xae9430, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="cryptsvc", lpUsedDefaultChar=0x0) returned 8 [0035.398] OpenServiceW (hSCManager=0x2a0138, lpServiceName="CryptSvc", dwDesiredAccess=0x1) returned 0x290828 [0035.399] CloseServiceHandle (hSCObject=0x2908a0) returned 1 [0035.399] QueryServiceConfigW (in: hService=0x290828, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.399] GetLastError () returned 0x7a [0035.399] QueryServiceConfigW (in: hService=0x290828, lpServiceConfig=0xb29a48, cbBufSize=0x13e, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.400] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.400] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xae9478, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0035.400] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="cscservice", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0035.400] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="cscservice", cchWideChar=10, lpMultiByteStr=0xae9478, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="cscservice", lpUsedDefaultChar=0x0) returned 10 [0035.400] OpenServiceW (hSCManager=0x2a0138, lpServiceName="CscService", dwDesiredAccess=0x1) returned 0x2907b0 [0035.400] CloseServiceHandle (hSCObject=0x290828) returned 1 [0035.400] QueryServiceConfigW (in: hService=0x2907b0, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.400] GetLastError () returned 0x7a [0035.400] QueryServiceConfigW (in: hService=0x2907b0, lpServiceConfig=0xb29a48, cbBufSize=0x142, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.401] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.401] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xae94c0, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0035.401] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="dcomlaunch", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0035.401] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="dcomlaunch", cchWideChar=10, lpMultiByteStr=0xae94c0, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dcomlaunch", lpUsedDefaultChar=0x0) returned 10 [0035.401] OpenServiceW (hSCManager=0x2a0138, lpServiceName="DcomLaunch", dwDesiredAccess=0x1) returned 0x290878 [0035.401] CloseServiceHandle (hSCObject=0x2907b0) returned 1 [0035.401] QueryServiceConfigW (in: hService=0x290878, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.402] GetLastError () returned 0x7a [0035.402] QueryServiceConfigW (in: hService=0x290878, lpServiceConfig=0xb29a48, cbBufSize=0x13c, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.402] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.402] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xae9508, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0035.402] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="defragsvc", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0035.402] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="defragsvc", cchWideChar=9, lpMultiByteStr=0xae9508, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="defragsvc", lpUsedDefaultChar=0x0) returned 9 [0035.402] OpenServiceW (hSCManager=0x2a0138, lpServiceName="defragsvc", dwDesiredAccess=0x1) returned 0x2908a0 [0035.403] CloseServiceHandle (hSCObject=0x290878) returned 1 [0035.403] QueryServiceConfigW (in: hService=0x2908a0, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.403] GetLastError () returned 0x7a [0035.404] QueryServiceConfigW (in: hService=0x2908a0, lpServiceConfig=0xb29a48, cbBufSize=0x10a, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.404] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.404] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xae9550, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0035.404] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="dhcp", cchWideChar=4, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 4 [0035.404] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="dhcp", cchWideChar=4, lpMultiByteStr=0xae9550, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dhcp", lpUsedDefaultChar=0x0) returned 4 [0035.404] OpenServiceW (hSCManager=0x2a0138, lpServiceName="Dhcp", dwDesiredAccess=0x1) returned 0x290828 [0035.405] CloseServiceHandle (hSCObject=0x2908a0) returned 1 [0035.405] QueryServiceConfigW (in: hService=0x290828, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.405] GetLastError () returned 0x7a [0035.405] QueryServiceConfigW (in: hService=0x290828, lpServiceConfig=0xb29a48, cbBufSize=0x154, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.406] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.406] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xae9598, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0035.406] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="dnscache", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0035.406] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="dnscache", cchWideChar=8, lpMultiByteStr=0xae9598, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dnscache", lpUsedDefaultChar=0x0) returned 8 [0035.406] OpenServiceW (hSCManager=0x2a0138, lpServiceName="Dnscache", dwDesiredAccess=0x1) returned 0x2907b0 [0035.406] CloseServiceHandle (hSCObject=0x290828) returned 1 [0035.406] QueryServiceConfigW (in: hService=0x2907b0, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.407] GetLastError () returned 0x7a [0035.407] QueryServiceConfigW (in: hService=0x2907b0, lpServiceConfig=0xb29a48, cbBufSize=0x130, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.626] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.626] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xae95e0, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0035.626] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="dot3svc", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0035.626] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="dot3svc", cchWideChar=7, lpMultiByteStr=0xae95e0, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dot3svc", lpUsedDefaultChar=0x0) returned 7 [0035.626] OpenServiceW (hSCManager=0x2a0138, lpServiceName="dot3svc", dwDesiredAccess=0x1) returned 0x290878 [0035.627] CloseServiceHandle (hSCObject=0x2907b0) returned 1 [0035.627] QueryServiceConfigW (in: hService=0x290878, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.627] GetLastError () returned 0x7a [0035.627] QueryServiceConfigW (in: hService=0x290878, lpServiceConfig=0xb29a48, cbBufSize=0x154, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.628] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.628] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xae9628, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0035.628] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="dps", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0035.628] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="dps", cchWideChar=3, lpMultiByteStr=0xae9628, cbMultiByte=3, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dps", lpUsedDefaultChar=0x0) returned 3 [0035.628] OpenServiceW (hSCManager=0x2a0138, lpServiceName="DPS", dwDesiredAccess=0x1) returned 0x2908a0 [0035.628] CloseServiceHandle (hSCObject=0x290878) returned 1 [0035.628] QueryServiceConfigW (in: hService=0x2908a0, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.629] GetLastError () returned 0x7a [0035.629] QueryServiceConfigW (in: hService=0x2908a0, lpServiceConfig=0xb29a48, cbBufSize=0x144, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.629] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.629] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xae9670, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0035.629] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="eaphost", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0035.629] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="eaphost", cchWideChar=7, lpMultiByteStr=0xae9670, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="eaphost", lpUsedDefaultChar=0x0) returned 7 [0035.629] OpenServiceW (hSCManager=0x2a0138, lpServiceName="EapHost", dwDesiredAccess=0x1) returned 0x290828 [0035.629] CloseServiceHandle (hSCObject=0x2908a0) returned 1 [0035.630] QueryServiceConfigW (in: hService=0x290828, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.630] GetLastError () returned 0x7a [0035.630] QueryServiceConfigW (in: hService=0x290828, lpServiceConfig=0xb29a48, cbBufSize=0x136, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.630] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.630] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xae96b8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0035.630] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="efs", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0035.631] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="efs", cchWideChar=3, lpMultiByteStr=0xae96b8, cbMultiByte=3, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="efs", lpUsedDefaultChar=0x0) returned 3 [0035.631] OpenServiceW (hSCManager=0x2a0138, lpServiceName="EFS", dwDesiredAccess=0x1) returned 0x2907b0 [0035.631] CloseServiceHandle (hSCObject=0x290828) returned 1 [0035.631] QueryServiceConfigW (in: hService=0x2907b0, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.631] GetLastError () returned 0x7a [0035.631] QueryServiceConfigW (in: hService=0x2907b0, lpServiceConfig=0xb29a48, cbBufSize=0x102, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.632] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="lsass.exe", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0035.632] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="lsass.exe", cchWideChar=9, lpMultiByteStr=0xae9700, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="lsass.exe", lpUsedDefaultChar=0x0) returned 9 [0035.632] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ehrecvr", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0035.632] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ehrecvr", cchWideChar=7, lpMultiByteStr=0xae9700, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ehrecvr", lpUsedDefaultChar=0x0) returned 7 [0035.632] OpenServiceW (hSCManager=0x2a0138, lpServiceName="ehRecvr", dwDesiredAccess=0x1) returned 0x290878 [0035.632] CloseServiceHandle (hSCObject=0x2907b0) returned 1 [0035.632] QueryServiceConfigW (in: hService=0x290878, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.633] GetLastError () returned 0x7a [0035.633] QueryServiceConfigW (in: hService=0x290878, lpServiceConfig=0xb29a48, cbBufSize=0x132, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.633] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ehrecvr.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.633] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ehrecvr.exe", cchWideChar=11, lpMultiByteStr=0xae9748, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ehrecvr.exe", lpUsedDefaultChar=0x0) returned 11 [0035.633] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ehsched", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0035.633] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ehsched", cchWideChar=7, lpMultiByteStr=0xae9748, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ehsched", lpUsedDefaultChar=0x0) returned 7 [0035.633] OpenServiceW (hSCManager=0x2a0138, lpServiceName="ehSched", dwDesiredAccess=0x1) returned 0x2908a0 [0035.634] CloseServiceHandle (hSCObject=0x290878) returned 1 [0035.634] QueryServiceConfigW (in: hService=0x2908a0, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.634] GetLastError () returned 0x7a [0035.634] QueryServiceConfigW (in: hService=0x2908a0, lpServiceConfig=0xb29a48, cbBufSize=0x134, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.635] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ehsched.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.635] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ehsched.exe", cchWideChar=11, lpMultiByteStr=0xae9790, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ehsched.exe", lpUsedDefaultChar=0x0) returned 11 [0035.635] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="eventlog", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0035.635] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="eventlog", cchWideChar=8, lpMultiByteStr=0xae9790, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="eventlog", lpUsedDefaultChar=0x0) returned 8 [0035.635] OpenServiceW (hSCManager=0x2a0138, lpServiceName="eventlog", dwDesiredAccess=0x1) returned 0x290828 [0035.635] CloseServiceHandle (hSCObject=0x2908a0) returned 1 [0035.635] QueryServiceConfigW (in: hService=0x290828, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.636] GetLastError () returned 0x7a [0035.636] QueryServiceConfigW (in: hService=0x290828, lpServiceConfig=0xb29a48, cbBufSize=0x156, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.636] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.636] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xae97d8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0035.636] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="eventsystem", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.636] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="eventsystem", cchWideChar=11, lpMultiByteStr=0xae97d8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="eventsystem", lpUsedDefaultChar=0x0) returned 11 [0035.636] OpenServiceW (hSCManager=0x2a0138, lpServiceName="EventSystem", dwDesiredAccess=0x1) returned 0x2907b0 [0035.636] CloseServiceHandle (hSCObject=0x290828) returned 1 [0035.637] QueryServiceConfigW (in: hService=0x2907b0, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.637] GetLastError () returned 0x7a [0035.637] QueryServiceConfigW (in: hService=0x2907b0, lpServiceConfig=0xb29a48, cbBufSize=0x12c, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.637] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.637] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xae9820, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0035.637] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="fax", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0035.637] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="fax", cchWideChar=3, lpMultiByteStr=0xae9820, cbMultiByte=3, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="fax", lpUsedDefaultChar=0x0) returned 3 [0035.638] OpenServiceW (hSCManager=0x2a0138, lpServiceName="Fax", dwDesiredAccess=0x1) returned 0x290878 [0035.638] CloseServiceHandle (hSCObject=0x2907b0) returned 1 [0035.638] QueryServiceConfigW (in: hService=0x290878, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.638] GetLastError () returned 0x7a [0035.638] QueryServiceConfigW (in: hService=0x290878, lpServiceConfig=0xb29a48, cbBufSize=0x124, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.639] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="fxssvc.exe", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0035.639] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="fxssvc.exe", cchWideChar=10, lpMultiByteStr=0xae9868, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="fxssvc.exe", lpUsedDefaultChar=0x0) returned 10 [0035.639] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="fdphost", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0035.639] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="fdphost", cchWideChar=7, lpMultiByteStr=0xae9868, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="fdphost", lpUsedDefaultChar=0x0) returned 7 [0035.639] OpenServiceW (hSCManager=0x2a0138, lpServiceName="fdPHost", dwDesiredAccess=0x1) returned 0x2908a0 [0035.639] CloseServiceHandle (hSCObject=0x290878) returned 1 [0035.639] QueryServiceConfigW (in: hService=0x2908a0, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.640] GetLastError () returned 0x7a [0035.640] QueryServiceConfigW (in: hService=0x2908a0, lpServiceConfig=0xb29a48, cbBufSize=0x154, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.640] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.640] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xae98b0, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0035.640] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="fdrespub", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0035.640] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="fdrespub", cchWideChar=8, lpMultiByteStr=0xae98b0, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="fdrespub", lpUsedDefaultChar=0x0) returned 8 [0035.640] OpenServiceW (hSCManager=0x2a0138, lpServiceName="FDResPub", dwDesiredAccess=0x1) returned 0x290828 [0035.641] CloseServiceHandle (hSCObject=0x2908a0) returned 1 [0035.641] QueryServiceConfigW (in: hService=0x290828, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.641] GetLastError () returned 0x7a [0035.641] QueryServiceConfigW (in: hService=0x290828, lpServiceConfig=0xb29a48, cbBufSize=0x186, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.642] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.642] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xae98f8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0035.642] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="fontcache", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0035.642] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="fontcache", cchWideChar=9, lpMultiByteStr=0xae98f8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="fontcache", lpUsedDefaultChar=0x0) returned 9 [0035.642] OpenServiceW (hSCManager=0x2a0138, lpServiceName="FontCache", dwDesiredAccess=0x1) returned 0x2907b0 [0035.642] CloseServiceHandle (hSCObject=0x290828) returned 1 [0035.642] QueryServiceConfigW (in: hService=0x2907b0, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.643] GetLastError () returned 0x7a [0035.643] QueryServiceConfigW (in: hService=0x2907b0, lpServiceConfig=0xb29a48, cbBufSize=0x158, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.643] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.643] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xae9940, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0035.643] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="fontcache3.0.0.0", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0035.643] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="fontcache3.0.0.0", cchWideChar=16, lpMultiByteStr=0xae9940, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="fontcache3.0.0.0", lpUsedDefaultChar=0x0) returned 16 [0035.643] OpenServiceW (hSCManager=0x2a0138, lpServiceName="FontCache3.0.0.0", dwDesiredAccess=0x1) returned 0x290878 [0035.643] CloseServiceHandle (hSCObject=0x2907b0) returned 1 [0035.644] QueryServiceConfigW (in: hService=0x290878, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.644] GetLastError () returned 0x7a [0035.644] QueryServiceConfigW (in: hService=0x290878, lpServiceConfig=0xb29a48, cbBufSize=0x194, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.644] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="presentationfontcache.exe", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0035.644] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="presentationfontcache.exe", cchWideChar=25, lpMultiByteStr=0xae9988, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="presentationfontcache.exe", lpUsedDefaultChar=0x0) returned 25 [0035.644] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="gpsvc", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0035.644] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="gpsvc", cchWideChar=5, lpMultiByteStr=0xae9988, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="gpsvc", lpUsedDefaultChar=0x0) returned 5 [0035.644] OpenServiceW (hSCManager=0x2a0138, lpServiceName="gpsvc", dwDesiredAccess=0x1) returned 0x2908a0 [0035.645] CloseServiceHandle (hSCObject=0x290878) returned 1 [0035.645] QueryServiceConfigW (in: hService=0x2908a0, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.645] GetLastError () returned 0x7a [0035.645] QueryServiceConfigW (in: hService=0x2908a0, lpServiceConfig=0xb29a48, cbBufSize=0x12c, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.646] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.646] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xae99d0, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0035.646] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="gupdate", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0035.646] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="gupdate", cchWideChar=7, lpMultiByteStr=0xae99d0, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="gupdate", lpUsedDefaultChar=0x0) returned 7 [0035.646] OpenServiceW (hSCManager=0x2a0138, lpServiceName="gupdate", dwDesiredAccess=0x1) returned 0x290828 [0035.646] CloseServiceHandle (hSCObject=0x2908a0) returned 1 [0035.646] QueryServiceConfigW (in: hService=0x290828, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.647] GetLastError () returned 0x7a [0035.647] QueryServiceConfigW (in: hService=0x290828, lpServiceConfig=0xb29a48, cbBufSize=0x146, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.647] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="googleupdate.exe", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0035.647] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="googleupdate.exe", cchWideChar=16, lpMultiByteStr=0xadca60, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="googleupdate.exe", lpUsedDefaultChar=0x0) returned 16 [0035.647] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="gupdatem", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0035.647] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="gupdatem", cchWideChar=8, lpMultiByteStr=0xadca60, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="gupdatem", lpUsedDefaultChar=0x0) returned 8 [0035.647] OpenServiceW (hSCManager=0x2a0138, lpServiceName="gupdatem", dwDesiredAccess=0x1) returned 0x2907b0 [0035.648] CloseServiceHandle (hSCObject=0x290828) returned 1 [0035.648] QueryServiceConfigW (in: hService=0x2907b0, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.648] GetLastError () returned 0x7a [0035.648] QueryServiceConfigW (in: hService=0x2907b0, lpServiceConfig=0xb29a48, cbBufSize=0x14e, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.649] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="googleupdate.exe", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0035.649] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="googleupdate.exe", cchWideChar=16, lpMultiByteStr=0xadca60, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="googleupdate.exe", lpUsedDefaultChar=0x0) returned 16 [0035.649] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="hidserv", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0035.649] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="hidserv", cchWideChar=7, lpMultiByteStr=0xae6790, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="hidserv", lpUsedDefaultChar=0x0) returned 7 [0035.649] OpenServiceW (hSCManager=0x2a0138, lpServiceName="hidserv", dwDesiredAccess=0x1) returned 0x290878 [0035.649] CloseServiceHandle (hSCObject=0x2907b0) returned 1 [0035.649] QueryServiceConfigW (in: hService=0x290878, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.650] GetLastError () returned 0x7a [0035.650] QueryServiceConfigW (in: hService=0x290878, lpServiceConfig=0xb29a48, cbBufSize=0x13e, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.650] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.650] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xae6790, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0035.650] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="hkmsvc", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0035.650] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="hkmsvc", cchWideChar=6, lpMultiByteStr=0xae67d8, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="hkmsvc", lpUsedDefaultChar=0x0) returned 6 [0035.650] OpenServiceW (hSCManager=0x2a0138, lpServiceName="hkmsvc", dwDesiredAccess=0x1) returned 0x2908a0 [0035.650] CloseServiceHandle (hSCObject=0x290878) returned 1 [0035.651] QueryServiceConfigW (in: hService=0x2908a0, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.651] GetLastError () returned 0x7a [0035.651] QueryServiceConfigW (in: hService=0x2908a0, lpServiceConfig=0xb29a48, cbBufSize=0x12e, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.651] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.651] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xae6820, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0035.651] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="homegrouplistener", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0035.652] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="homegrouplistener", cchWideChar=17, lpMultiByteStr=0xae6820, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="homegrouplistener", lpUsedDefaultChar=0x0) returned 17 [0035.652] OpenServiceW (hSCManager=0x2a0138, lpServiceName="HomeGroupListener", dwDesiredAccess=0x1) returned 0x290828 [0035.652] CloseServiceHandle (hSCObject=0x2908a0) returned 1 [0035.652] QueryServiceConfigW (in: hService=0x290828, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.652] GetLastError () returned 0x7a [0035.652] QueryServiceConfigW (in: hService=0x290828, lpServiceConfig=0xb29a48, cbBufSize=0x140, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.653] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.653] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xae6868, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0035.653] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="homegroupprovider", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0035.653] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="homegroupprovider", cchWideChar=17, lpMultiByteStr=0xae6868, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="homegroupprovider", lpUsedDefaultChar=0x0) returned 17 [0035.653] OpenServiceW (hSCManager=0x2a0138, lpServiceName="HomeGroupProvider", dwDesiredAccess=0x1) returned 0x2907b0 [0035.653] CloseServiceHandle (hSCObject=0x290828) returned 1 [0035.654] QueryServiceConfigW (in: hService=0x2907b0, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.654] GetLastError () returned 0x7a [0035.654] QueryServiceConfigW (in: hService=0x2907b0, lpServiceConfig=0xb29a48, cbBufSize=0x178, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.654] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.654] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xae68b0, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0035.654] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="idsvc", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0035.654] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="idsvc", cchWideChar=5, lpMultiByteStr=0xae68b0, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="idsvc", lpUsedDefaultChar=0x0) returned 5 [0035.654] OpenServiceW (hSCManager=0x2a0138, lpServiceName="idsvc", dwDesiredAccess=0x1) returned 0x290878 [0035.655] CloseServiceHandle (hSCObject=0x2907b0) returned 1 [0035.655] QueryServiceConfigW (in: hService=0x290878, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.655] GetLastError () returned 0x7a [0035.655] QueryServiceConfigW (in: hService=0x290878, lpServiceConfig=0xb29a48, cbBufSize=0x15a, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.656] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="infocard.exe", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0035.656] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="infocard.exe", cchWideChar=12, lpMultiByteStr=0xae68f8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="infocard.exe", lpUsedDefaultChar=0x0) returned 12 [0035.656] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ikeext", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0035.656] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ikeext", cchWideChar=6, lpMultiByteStr=0xae68f8, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ikeext", lpUsedDefaultChar=0x0) returned 6 [0035.656] OpenServiceW (hSCManager=0x2a0138, lpServiceName="IKEEXT", dwDesiredAccess=0x1) returned 0x2908a0 [0035.656] CloseServiceHandle (hSCObject=0x290878) returned 1 [0035.656] QueryServiceConfigW (in: hService=0x2908a0, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.657] GetLastError () returned 0x7a [0035.657] QueryServiceConfigW (in: hService=0x2908a0, lpServiceConfig=0xb29a48, cbBufSize=0x126, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.657] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.657] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xae6940, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0035.657] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ipbusenum", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0035.657] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ipbusenum", cchWideChar=9, lpMultiByteStr=0xae6940, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ipbusenum", lpUsedDefaultChar=0x0) returned 9 [0035.657] OpenServiceW (hSCManager=0x2a0138, lpServiceName="IPBusEnum", dwDesiredAccess=0x1) returned 0x290828 [0035.657] CloseServiceHandle (hSCObject=0x2908a0) returned 1 [0035.658] QueryServiceConfigW (in: hService=0x290828, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.658] GetLastError () returned 0x7a [0035.658] QueryServiceConfigW (in: hService=0x290828, lpServiceConfig=0xb29a48, cbBufSize=0x14c, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.658] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.659] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xae6988, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0035.659] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="iphlpsvc", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0035.659] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="iphlpsvc", cchWideChar=8, lpMultiByteStr=0xae6988, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="iphlpsvc", lpUsedDefaultChar=0x0) returned 8 [0035.659] OpenServiceW (hSCManager=0x2a0138, lpServiceName="iphlpsvc", dwDesiredAccess=0x1) returned 0x2907b0 [0035.659] CloseServiceHandle (hSCObject=0x290828) returned 1 [0035.659] QueryServiceConfigW (in: hService=0x2907b0, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.659] GetLastError () returned 0x7a [0035.659] QueryServiceConfigW (in: hService=0x2907b0, lpServiceConfig=0xb29a48, cbBufSize=0x122, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.660] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.660] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xae69d0, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0035.660] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="keyiso", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0035.660] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="keyiso", cchWideChar=6, lpMultiByteStr=0xae69d0, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="keyiso", lpUsedDefaultChar=0x0) returned 6 [0035.660] OpenServiceW (hSCManager=0x2a0138, lpServiceName="KeyIso", dwDesiredAccess=0x1) returned 0x290878 [0035.660] CloseServiceHandle (hSCObject=0x2907b0) returned 1 [0035.660] QueryServiceConfigW (in: hService=0x290878, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.661] GetLastError () returned 0x7a [0035.661] QueryServiceConfigW (in: hService=0x290878, lpServiceConfig=0xb29a48, cbBufSize=0xec, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.661] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="lsass.exe", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0035.661] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="lsass.exe", cchWideChar=9, lpMultiByteStr=0xae6a18, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="lsass.exe", lpUsedDefaultChar=0x0) returned 9 [0035.661] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ktmrm", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0035.661] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ktmrm", cchWideChar=5, lpMultiByteStr=0xae6a18, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ktmrm", lpUsedDefaultChar=0x0) returned 5 [0035.661] OpenServiceW (hSCManager=0x2a0138, lpServiceName="KtmRm", dwDesiredAccess=0x1) returned 0x2908a0 [0035.662] CloseServiceHandle (hSCObject=0x290878) returned 1 [0035.662] QueryServiceConfigW (in: hService=0x2908a0, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.662] GetLastError () returned 0x7a [0035.662] QueryServiceConfigW (in: hService=0x2908a0, lpServiceConfig=0xb29a48, cbBufSize=0x19c, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.663] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.663] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xae6a60, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0035.663] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="lanmanserver", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0035.663] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="lanmanserver", cchWideChar=12, lpMultiByteStr=0xae6a60, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="lanmanserver", lpUsedDefaultChar=0x0) returned 12 [0035.663] OpenServiceW (hSCManager=0x2a0138, lpServiceName="LanmanServer", dwDesiredAccess=0x1) returned 0x290828 [0035.663] CloseServiceHandle (hSCObject=0x2908a0) returned 1 [0035.663] QueryServiceConfigW (in: hService=0x290828, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.664] GetLastError () returned 0x7a [0035.664] QueryServiceConfigW (in: hService=0x290828, lpServiceConfig=0xb29a48, cbBufSize=0xf8, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.664] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.664] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xae6aa8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0035.664] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="lanmanworkstation", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0035.664] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="lanmanworkstation", cchWideChar=17, lpMultiByteStr=0xae6aa8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="lanmanworkstation", lpUsedDefaultChar=0x0) returned 17 [0035.664] OpenServiceW (hSCManager=0x2a0138, lpServiceName="LanmanWorkstation", dwDesiredAccess=0x1) returned 0x2907b0 [0035.664] CloseServiceHandle (hSCObject=0x290828) returned 1 [0035.665] QueryServiceConfigW (in: hService=0x2907b0, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.665] GetLastError () returned 0x7a [0035.665] QueryServiceConfigW (in: hService=0x2907b0, lpServiceConfig=0xb29a48, cbBufSize=0x174, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.665] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.665] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xae6af0, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0035.666] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="lltdsvc", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0035.666] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="lltdsvc", cchWideChar=7, lpMultiByteStr=0xae6af0, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="lltdsvc", lpUsedDefaultChar=0x0) returned 7 [0035.666] OpenServiceW (hSCManager=0x2a0138, lpServiceName="lltdsvc", dwDesiredAccess=0x1) returned 0x290878 [0035.666] CloseServiceHandle (hSCObject=0x2907b0) returned 1 [0035.666] QueryServiceConfigW (in: hService=0x290878, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.666] GetLastError () returned 0x7a [0035.666] QueryServiceConfigW (in: hService=0x290878, lpServiceConfig=0xb29a48, cbBufSize=0x160, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.667] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.667] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xae6b38, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0035.667] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="lmhosts", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0035.667] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="lmhosts", cchWideChar=7, lpMultiByteStr=0xae6b38, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="lmhosts", lpUsedDefaultChar=0x0) returned 7 [0035.667] OpenServiceW (hSCManager=0x2a0138, lpServiceName="lmhosts", dwDesiredAccess=0x1) returned 0x2908a0 [0035.667] CloseServiceHandle (hSCObject=0x290878) returned 1 [0035.667] QueryServiceConfigW (in: hService=0x2908a0, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.668] GetLastError () returned 0x7a [0035.668] QueryServiceConfigW (in: hService=0x2908a0, lpServiceConfig=0xb29a48, cbBufSize=0x164, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.668] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.668] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xae6b80, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0035.668] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mcx2svc", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0035.668] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mcx2svc", cchWideChar=7, lpMultiByteStr=0xae6b80, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mcx2svc", lpUsedDefaultChar=0x0) returned 7 [0035.668] OpenServiceW (hSCManager=0x2a0138, lpServiceName="Mcx2Svc", dwDesiredAccess=0x1) returned 0x290828 [0035.669] CloseServiceHandle (hSCObject=0x2908a0) returned 1 [0035.669] QueryServiceConfigW (in: hService=0x290828, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.670] GetLastError () returned 0x7a [0035.670] QueryServiceConfigW (in: hService=0x290828, lpServiceConfig=0xb29a48, cbBufSize=0x1a8, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.670] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.670] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xae6bc8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0035.670] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="microsoft sharepoint workspace audit service", cchWideChar=44, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 44 [0035.670] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="microsoft sharepoint workspace audit service", cchWideChar=44, lpMultiByteStr=0xae6bc8, cbMultiByte=44, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="microsoft sharepoint workspace audit service", lpUsedDefaultChar=0x0) returned 44 [0035.670] OpenServiceW (hSCManager=0x2a0138, lpServiceName="Microsoft SharePoint Workspace Audit Service", dwDesiredAccess=0x1) returned 0x2907b0 [0035.670] CloseServiceHandle (hSCObject=0x290828) returned 1 [0035.671] QueryServiceConfigW (in: hService=0x2907b0, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.671] GetLastError () returned 0x7a [0035.671] QueryServiceConfigW (in: hService=0x2907b0, lpServiceConfig=0xb29a48, cbBufSize=0x184, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.672] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="groove.exe", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0035.672] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="groove.exe", cchWideChar=10, lpMultiByteStr=0xae6c10, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="groove.exe", lpUsedDefaultChar=0x0) returned 10 [0035.672] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mmcss", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0035.672] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mmcss", cchWideChar=5, lpMultiByteStr=0xae6c10, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mmcss", lpUsedDefaultChar=0x0) returned 5 [0035.672] OpenServiceW (hSCManager=0x2a0138, lpServiceName="MMCSS", dwDesiredAccess=0x1) returned 0x290878 [0035.672] CloseServiceHandle (hSCObject=0x2907b0) returned 1 [0035.672] QueryServiceConfigW (in: hService=0x290878, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.673] GetLastError () returned 0x7a [0035.673] QueryServiceConfigW (in: hService=0x290878, lpServiceConfig=0xb29a48, cbBufSize=0x10e, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.673] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.673] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xae6c58, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0035.673] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mozillamaintenance", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0035.673] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mozillamaintenance", cchWideChar=18, lpMultiByteStr=0xae6c58, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mozillamaintenance", lpUsedDefaultChar=0x0) returned 18 [0035.673] OpenServiceW (hSCManager=0x2a0138, lpServiceName="MozillaMaintenance", dwDesiredAccess=0x1) returned 0x2908a0 [0035.673] CloseServiceHandle (hSCObject=0x290878) returned 1 [0035.674] QueryServiceConfigW (in: hService=0x2908a0, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.674] GetLastError () returned 0x7a [0035.674] QueryServiceConfigW (in: hService=0x2908a0, lpServiceConfig=0xb29a48, cbBufSize=0x152, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.674] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="maintenanceservice.exe", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0035.674] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="maintenanceservice.exe", cchWideChar=22, lpMultiByteStr=0xae6ca0, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="maintenanceservice.exe", lpUsedDefaultChar=0x0) returned 22 [0035.674] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mpssvc", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0035.674] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mpssvc", cchWideChar=6, lpMultiByteStr=0xae6ca0, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mpssvc", lpUsedDefaultChar=0x0) returned 6 [0035.674] OpenServiceW (hSCManager=0x2a0138, lpServiceName="MpsSvc", dwDesiredAccess=0x1) returned 0x290828 [0035.675] CloseServiceHandle (hSCObject=0x2908a0) returned 1 [0035.675] QueryServiceConfigW (in: hService=0x290828, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.675] GetLastError () returned 0x7a [0035.675] QueryServiceConfigW (in: hService=0x290828, lpServiceConfig=0xb29a48, cbBufSize=0x164, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.676] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.676] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xae6ce8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0035.676] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="msdtc", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0035.676] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="msdtc", cchWideChar=5, lpMultiByteStr=0xae6ce8, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msdtc", lpUsedDefaultChar=0x0) returned 5 [0035.676] OpenServiceW (hSCManager=0x2a0138, lpServiceName="MSDTC", dwDesiredAccess=0x1) returned 0x2907b0 [0035.676] CloseServiceHandle (hSCObject=0x290828) returned 1 [0035.676] QueryServiceConfigW (in: hService=0x2907b0, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.677] GetLastError () returned 0x7a [0035.677] QueryServiceConfigW (in: hService=0x2907b0, lpServiceConfig=0xb29a48, cbBufSize=0x13c, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.677] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="msdtc.exe", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0035.677] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="msdtc.exe", cchWideChar=9, lpMultiByteStr=0xae6d30, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msdtc.exe", lpUsedDefaultChar=0x0) returned 9 [0035.677] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="msiscsi", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0035.677] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="msiscsi", cchWideChar=7, lpMultiByteStr=0xae6d30, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msiscsi", lpUsedDefaultChar=0x0) returned 7 [0035.677] OpenServiceW (hSCManager=0x2a0138, lpServiceName="MSiSCSI", dwDesiredAccess=0x1) returned 0x290878 [0035.678] CloseServiceHandle (hSCObject=0x2907b0) returned 1 [0035.678] QueryServiceConfigW (in: hService=0x290878, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.678] GetLastError () returned 0x7a [0035.678] QueryServiceConfigW (in: hService=0x290878, lpServiceConfig=0xb29a48, cbBufSize=0x126, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.679] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.679] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xae6d78, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0035.679] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="msiserver", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0035.679] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="msiserver", cchWideChar=9, lpMultiByteStr=0xae6d78, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msiserver", lpUsedDefaultChar=0x0) returned 9 [0035.679] OpenServiceW (hSCManager=0x2a0138, lpServiceName="msiserver", dwDesiredAccess=0x1) returned 0x2908a0 [0035.679] CloseServiceHandle (hSCObject=0x290878) returned 1 [0035.679] QueryServiceConfigW (in: hService=0x2908a0, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.679] GetLastError () returned 0x7a [0035.680] QueryServiceConfigW (in: hService=0x2908a0, lpServiceConfig=0xb29a48, cbBufSize=0xf6, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.680] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="msiexec.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.680] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="msiexec.exe", cchWideChar=11, lpMultiByteStr=0xae6dc0, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="msiexec.exe", lpUsedDefaultChar=0x0) returned 11 [0035.680] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="napagent", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0035.680] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="napagent", cchWideChar=8, lpMultiByteStr=0xae6dc0, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="napagent", lpUsedDefaultChar=0x0) returned 8 [0035.680] OpenServiceW (hSCManager=0x2a0138, lpServiceName="napagent", dwDesiredAccess=0x1) returned 0x290828 [0035.680] CloseServiceHandle (hSCObject=0x2908a0) returned 1 [0035.681] QueryServiceConfigW (in: hService=0x290828, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.681] GetLastError () returned 0x7a [0035.681] QueryServiceConfigW (in: hService=0x290828, lpServiceConfig=0xb29a48, cbBufSize=0x150, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.681] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.681] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xae6e08, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0035.681] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="netlogon", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0035.681] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="netlogon", cchWideChar=8, lpMultiByteStr=0xae6e08, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="netlogon", lpUsedDefaultChar=0x0) returned 8 [0035.681] OpenServiceW (hSCManager=0x2a0138, lpServiceName="Netlogon", dwDesiredAccess=0x1) returned 0x2907b0 [0035.682] CloseServiceHandle (hSCObject=0x290828) returned 1 [0035.682] QueryServiceConfigW (in: hService=0x2907b0, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.682] GetLastError () returned 0x7a [0035.682] QueryServiceConfigW (in: hService=0x2907b0, lpServiceConfig=0xb29a48, cbBufSize=0x126, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.683] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="lsass.exe", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0035.683] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="lsass.exe", cchWideChar=9, lpMultiByteStr=0xae6e50, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="lsass.exe", lpUsedDefaultChar=0x0) returned 9 [0035.683] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="netman", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0035.683] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="netman", cchWideChar=6, lpMultiByteStr=0xae6e50, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="netman", lpUsedDefaultChar=0x0) returned 6 [0035.683] OpenServiceW (hSCManager=0x2a0138, lpServiceName="Netman", dwDesiredAccess=0x1) returned 0x290878 [0035.684] CloseServiceHandle (hSCObject=0x2907b0) returned 1 [0035.684] QueryServiceConfigW (in: hService=0x290878, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.685] GetLastError () returned 0x7a [0035.685] QueryServiceConfigW (in: hService=0x290878, lpServiceConfig=0xb29a48, cbBufSize=0x13c, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.685] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.686] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xae6e98, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0035.686] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="netmsmqactivator", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0035.686] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="netmsmqactivator", cchWideChar=16, lpMultiByteStr=0xae6e98, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="netmsmqactivator", lpUsedDefaultChar=0x0) returned 16 [0035.686] OpenServiceW (hSCManager=0x2a0138, lpServiceName="NetMsmqActivator", dwDesiredAccess=0x1) returned 0x2908a0 [0035.688] CloseServiceHandle (hSCObject=0x290878) returned 1 [0035.689] QueryServiceConfigW (in: hService=0x2908a0, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.689] GetLastError () returned 0x7a [0035.689] QueryServiceConfigW (in: hService=0x2908a0, lpServiceConfig=0xb29a48, cbBufSize=0x18a, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.690] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="smsvchost.exe", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0035.690] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="smsvchost.exe", cchWideChar=13, lpMultiByteStr=0xae6ee0, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="smsvchost.exe", lpUsedDefaultChar=0x0) returned 13 [0035.690] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="netpipeactivator", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0035.690] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="netpipeactivator", cchWideChar=16, lpMultiByteStr=0xae6ee0, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="netpipeactivator", lpUsedDefaultChar=0x0) returned 16 [0035.690] OpenServiceW (hSCManager=0x2a0138, lpServiceName="NetPipeActivator", dwDesiredAccess=0x1) returned 0x290828 [0035.690] CloseServiceHandle (hSCObject=0x2908a0) returned 1 [0035.690] QueryServiceConfigW (in: hService=0x290828, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.691] GetLastError () returned 0x7a [0035.691] QueryServiceConfigW (in: hService=0x290828, lpServiceConfig=0xb29a48, cbBufSize=0x154, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.691] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="smsvchost.exe", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0035.691] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="smsvchost.exe", cchWideChar=13, lpMultiByteStr=0xae6f28, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="smsvchost.exe", lpUsedDefaultChar=0x0) returned 13 [0035.691] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="netprofm", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0035.691] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="netprofm", cchWideChar=8, lpMultiByteStr=0xae6f28, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="netprofm", lpUsedDefaultChar=0x0) returned 8 [0035.691] OpenServiceW (hSCManager=0x2a0138, lpServiceName="netprofm", dwDesiredAccess=0x1) returned 0x2907b0 [0035.692] CloseServiceHandle (hSCObject=0x290828) returned 1 [0035.692] QueryServiceConfigW (in: hService=0x2907b0, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.692] GetLastError () returned 0x7a [0035.692] QueryServiceConfigW (in: hService=0x2907b0, lpServiceConfig=0xb29a48, cbBufSize=0x140, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.693] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.693] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xae6f70, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0035.693] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="nettcpactivator", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0035.693] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="nettcpactivator", cchWideChar=15, lpMultiByteStr=0xae6f70, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="nettcpactivator", lpUsedDefaultChar=0x0) returned 15 [0035.693] OpenServiceW (hSCManager=0x2a0138, lpServiceName="NetTcpActivator", dwDesiredAccess=0x1) returned 0x290878 [0035.693] CloseServiceHandle (hSCObject=0x2907b0) returned 1 [0035.693] QueryServiceConfigW (in: hService=0x290878, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.694] GetLastError () returned 0x7a [0035.694] QueryServiceConfigW (in: hService=0x290878, lpServiceConfig=0xb29a48, cbBufSize=0x176, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.694] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="smsvchost.exe", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0035.694] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="smsvchost.exe", cchWideChar=13, lpMultiByteStr=0xae6fb8, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="smsvchost.exe", lpUsedDefaultChar=0x0) returned 13 [0035.694] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="nettcpportsharing", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0035.694] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="nettcpportsharing", cchWideChar=17, lpMultiByteStr=0xae6fb8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="nettcpportsharing", lpUsedDefaultChar=0x0) returned 17 [0035.694] OpenServiceW (hSCManager=0x2a0138, lpServiceName="NetTcpPortSharing", dwDesiredAccess=0x1) returned 0x2908a0 [0035.695] CloseServiceHandle (hSCObject=0x290878) returned 1 [0035.695] QueryServiceConfigW (in: hService=0x2908a0, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.695] GetLastError () returned 0x7a [0035.695] QueryServiceConfigW (in: hService=0x2908a0, lpServiceConfig=0xb29a48, cbBufSize=0x154, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.696] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="smsvchost.exe", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0035.696] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="smsvchost.exe", cchWideChar=13, lpMultiByteStr=0xae7000, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="smsvchost.exe", lpUsedDefaultChar=0x0) returned 13 [0035.696] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="nlasvc", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0035.696] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="nlasvc", cchWideChar=6, lpMultiByteStr=0xae7000, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="nlasvc", lpUsedDefaultChar=0x0) returned 6 [0035.696] OpenServiceW (hSCManager=0x2a0138, lpServiceName="NlaSvc", dwDesiredAccess=0x1) returned 0x290828 [0035.696] CloseServiceHandle (hSCObject=0x2908a0) returned 1 [0035.696] QueryServiceConfigW (in: hService=0x290828, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.696] GetLastError () returned 0x7a [0035.697] QueryServiceConfigW (in: hService=0x290828, lpServiceConfig=0xb29a48, cbBufSize=0x15a, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.697] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.697] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xae7048, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0035.697] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="nsi", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0035.697] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="nsi", cchWideChar=3, lpMultiByteStr=0xae7048, cbMultiByte=3, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="nsi", lpUsedDefaultChar=0x0) returned 3 [0035.697] OpenServiceW (hSCManager=0x2a0138, lpServiceName="nsi", dwDesiredAccess=0x1) returned 0x2907b0 [0035.697] CloseServiceHandle (hSCObject=0x290828) returned 1 [0035.698] QueryServiceConfigW (in: hService=0x2907b0, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.698] GetLastError () returned 0x7a [0035.698] QueryServiceConfigW (in: hService=0x2907b0, lpServiceConfig=0xb29a48, cbBufSize=0x14e, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.698] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.698] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xae7090, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0035.698] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ose64", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0035.699] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ose64", cchWideChar=5, lpMultiByteStr=0xae7090, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ose64", lpUsedDefaultChar=0x0) returned 5 [0035.699] OpenServiceW (hSCManager=0x2a0138, lpServiceName="ose64", dwDesiredAccess=0x1) returned 0x290878 [0035.699] CloseServiceHandle (hSCObject=0x2907b0) returned 1 [0035.699] QueryServiceConfigW (in: hService=0x290878, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.699] GetLastError () returned 0x7a [0035.699] QueryServiceConfigW (in: hService=0x290878, lpServiceConfig=0xb29a48, cbBufSize=0x140, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.700] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ose.exe", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0035.700] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ose.exe", cchWideChar=7, lpMultiByteStr=0xae70d8, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ose.exe", lpUsedDefaultChar=0x0) returned 7 [0035.700] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="osppsvc", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0035.700] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="osppsvc", cchWideChar=7, lpMultiByteStr=0xae70d8, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="osppsvc", lpUsedDefaultChar=0x0) returned 7 [0035.700] OpenServiceW (hSCManager=0x2a0138, lpServiceName="osppsvc", dwDesiredAccess=0x1) returned 0x2908a0 [0035.700] CloseServiceHandle (hSCObject=0x290878) returned 1 [0035.700] QueryServiceConfigW (in: hService=0x2908a0, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.701] GetLastError () returned 0x7a [0035.701] QueryServiceConfigW (in: hService=0x2908a0, lpServiceConfig=0xb29a48, cbBufSize=0x1b0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.701] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="osppsvc.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.701] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="osppsvc.exe", cchWideChar=11, lpMultiByteStr=0xae7120, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="osppsvc.exe", lpUsedDefaultChar=0x0) returned 11 [0035.701] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="p2pimsvc", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0035.701] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="p2pimsvc", cchWideChar=8, lpMultiByteStr=0xae7120, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="p2pimsvc", lpUsedDefaultChar=0x0) returned 8 [0035.701] OpenServiceW (hSCManager=0x2a0138, lpServiceName="p2pimsvc", dwDesiredAccess=0x1) returned 0x290828 [0035.702] CloseServiceHandle (hSCObject=0x2908a0) returned 1 [0035.702] QueryServiceConfigW (in: hService=0x290828, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.702] GetLastError () returned 0x7a [0035.702] QueryServiceConfigW (in: hService=0x290828, lpServiceConfig=0xb29a48, cbBufSize=0x14e, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.703] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.703] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xae7168, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0035.703] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="p2psvc", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0035.703] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="p2psvc", cchWideChar=6, lpMultiByteStr=0xae7168, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="p2psvc", lpUsedDefaultChar=0x0) returned 6 [0035.703] OpenServiceW (hSCManager=0x2a0138, lpServiceName="p2psvc", dwDesiredAccess=0x1) returned 0x2907b0 [0035.703] CloseServiceHandle (hSCObject=0x290828) returned 1 [0035.703] QueryServiceConfigW (in: hService=0x2907b0, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.704] GetLastError () returned 0x7a [0035.704] QueryServiceConfigW (in: hService=0x2907b0, lpServiceConfig=0xb29a48, cbBufSize=0x15e, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.704] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.704] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xae71b0, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0035.704] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="pcasvc", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0035.704] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="pcasvc", cchWideChar=6, lpMultiByteStr=0xae71b0, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="pcasvc", lpUsedDefaultChar=0x0) returned 6 [0035.704] OpenServiceW (hSCManager=0x2a0138, lpServiceName="PcaSvc", dwDesiredAccess=0x1) returned 0x290878 [0035.704] CloseServiceHandle (hSCObject=0x2907b0) returned 1 [0035.705] QueryServiceConfigW (in: hService=0x290878, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.705] GetLastError () returned 0x7a [0035.705] QueryServiceConfigW (in: hService=0x290878, lpServiceConfig=0xb29a48, cbBufSize=0x15c, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.705] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.706] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xae71f8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0035.706] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="peerdistsvc", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.706] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="peerdistsvc", cchWideChar=11, lpMultiByteStr=0xae71f8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="peerdistsvc", lpUsedDefaultChar=0x0) returned 11 [0035.706] OpenServiceW (hSCManager=0x2a0138, lpServiceName="PeerDistSvc", dwDesiredAccess=0x1) returned 0x2908a0 [0035.706] CloseServiceHandle (hSCObject=0x290878) returned 1 [0035.706] QueryServiceConfigW (in: hService=0x2908a0, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.706] GetLastError () returned 0x7a [0035.706] QueryServiceConfigW (in: hService=0x2908a0, lpServiceConfig=0xb29a48, cbBufSize=0x11a, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.707] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.707] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xae7240, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0035.707] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="perfhost", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0035.707] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="perfhost", cchWideChar=8, lpMultiByteStr=0xae7240, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="perfhost", lpUsedDefaultChar=0x0) returned 8 [0035.707] OpenServiceW (hSCManager=0x2a0138, lpServiceName="PerfHost", dwDesiredAccess=0x1) returned 0x290828 [0035.708] CloseServiceHandle (hSCObject=0x2908a0) returned 1 [0035.708] QueryServiceConfigW (in: hService=0x290828, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.708] GetLastError () returned 0x7a [0035.708] QueryServiceConfigW (in: hService=0x290828, lpServiceConfig=0xb29a48, cbBufSize=0x124, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.709] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="perfhost.exe", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0035.709] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="perfhost.exe", cchWideChar=12, lpMultiByteStr=0xae7288, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="perfhost.exe", lpUsedDefaultChar=0x0) returned 12 [0035.709] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="pla", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0035.709] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="pla", cchWideChar=3, lpMultiByteStr=0xae7288, cbMultiByte=3, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="pla", lpUsedDefaultChar=0x0) returned 3 [0035.709] OpenServiceW (hSCManager=0x2a0138, lpServiceName="pla", dwDesiredAccess=0x1) returned 0x2907b0 [0035.718] CloseServiceHandle (hSCObject=0x290828) returned 1 [0035.719] QueryServiceConfigW (in: hService=0x2907b0, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.719] GetLastError () returned 0x7a [0035.719] QueryServiceConfigW (in: hService=0x2907b0, lpServiceConfig=0xb29a48, cbBufSize=0x14e, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.720] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.720] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xae72d0, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0035.720] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="plugplay", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0035.720] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="plugplay", cchWideChar=8, lpMultiByteStr=0xae72d0, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="plugplay", lpUsedDefaultChar=0x0) returned 8 [0035.720] OpenServiceW (hSCManager=0x2a0138, lpServiceName="PlugPlay", dwDesiredAccess=0x1) returned 0x290878 [0035.720] CloseServiceHandle (hSCObject=0x2907b0) returned 1 [0035.720] QueryServiceConfigW (in: hService=0x290878, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.721] GetLastError () returned 0x7a [0035.721] QueryServiceConfigW (in: hService=0x290878, lpServiceConfig=0xb29a48, cbBufSize=0x10a, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.721] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.721] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xae7318, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0035.721] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="pnrpautoreg", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.721] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="pnrpautoreg", cchWideChar=11, lpMultiByteStr=0xae7318, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="pnrpautoreg", lpUsedDefaultChar=0x0) returned 11 [0035.721] OpenServiceW (hSCManager=0x2a0138, lpServiceName="PNRPAutoReg", dwDesiredAccess=0x1) returned 0x2908a0 [0035.722] CloseServiceHandle (hSCObject=0x290878) returned 1 [0035.722] QueryServiceConfigW (in: hService=0x2908a0, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.722] GetLastError () returned 0x7a [0035.722] QueryServiceConfigW (in: hService=0x2908a0, lpServiceConfig=0xb29a48, cbBufSize=0x166, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.723] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.723] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xae7360, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0035.723] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="pnrpsvc", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0035.723] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="pnrpsvc", cchWideChar=7, lpMultiByteStr=0xae7360, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="pnrpsvc", lpUsedDefaultChar=0x0) returned 7 [0035.723] OpenServiceW (hSCManager=0x2a0138, lpServiceName="PNRPsvc", dwDesiredAccess=0x1) returned 0x290828 [0035.723] CloseServiceHandle (hSCObject=0x2908a0) returned 1 [0035.723] QueryServiceConfigW (in: hService=0x290828, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.724] GetLastError () returned 0x7a [0035.724] QueryServiceConfigW (in: hService=0x290828, lpServiceConfig=0xb29a48, cbBufSize=0x158, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.724] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.724] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xae73a8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0035.724] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="policyagent", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.724] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="policyagent", cchWideChar=11, lpMultiByteStr=0xae73a8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="policyagent", lpUsedDefaultChar=0x0) returned 11 [0035.724] OpenServiceW (hSCManager=0x2a0138, lpServiceName="PolicyAgent", dwDesiredAccess=0x1) returned 0x2907b0 [0035.725] CloseServiceHandle (hSCObject=0x290828) returned 1 [0035.725] QueryServiceConfigW (in: hService=0x2907b0, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.725] GetLastError () returned 0x7a [0035.725] QueryServiceConfigW (in: hService=0x2907b0, lpServiceConfig=0xb29a48, cbBufSize=0x160, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.726] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.726] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xae73f0, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0035.726] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="power", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0035.729] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="power", cchWideChar=5, lpMultiByteStr=0xae73f0, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="power", lpUsedDefaultChar=0x0) returned 5 [0035.729] OpenServiceW (hSCManager=0x2a0138, lpServiceName="Power", dwDesiredAccess=0x1) returned 0x290878 [0035.744] CloseServiceHandle (hSCObject=0x2907b0) returned 1 [0035.745] QueryServiceConfigW (in: hService=0x290878, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.745] GetLastError () returned 0x7a [0035.745] QueryServiceConfigW (in: hService=0x290878, lpServiceConfig=0xb29a48, cbBufSize=0xfa, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.746] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.746] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xae7438, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0035.746] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="profsvc", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0035.746] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="profsvc", cchWideChar=7, lpMultiByteStr=0xae7438, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="profsvc", lpUsedDefaultChar=0x0) returned 7 [0035.746] OpenServiceW (hSCManager=0x2a0138, lpServiceName="ProfSvc", dwDesiredAccess=0x1) returned 0x2908a0 [0035.746] CloseServiceHandle (hSCObject=0x290878) returned 1 [0035.746] QueryServiceConfigW (in: hService=0x2908a0, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.747] GetLastError () returned 0x7a [0035.747] QueryServiceConfigW (in: hService=0x2908a0, lpServiceConfig=0xb29a48, cbBufSize=0x126, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.747] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.747] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xae7480, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0035.747] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="protectedstorage", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0035.747] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="protectedstorage", cchWideChar=16, lpMultiByteStr=0xae7480, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="protectedstorage", lpUsedDefaultChar=0x0) returned 16 [0035.747] OpenServiceW (hSCManager=0x2a0138, lpServiceName="ProtectedStorage", dwDesiredAccess=0x1) returned 0x290828 [0035.748] CloseServiceHandle (hSCObject=0x2908a0) returned 1 [0035.748] QueryServiceConfigW (in: hService=0x290828, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.748] GetLastError () returned 0x7a [0035.748] QueryServiceConfigW (in: hService=0x290828, lpServiceConfig=0xb29a48, cbBufSize=0xec, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.749] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="lsass.exe", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0035.749] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="lsass.exe", cchWideChar=9, lpMultiByteStr=0xae74c8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="lsass.exe", lpUsedDefaultChar=0x0) returned 9 [0035.749] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="qwave", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0035.749] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="qwave", cchWideChar=5, lpMultiByteStr=0xae74c8, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="qwave", lpUsedDefaultChar=0x0) returned 5 [0035.749] OpenServiceW (hSCManager=0x2a0138, lpServiceName="QWAVE", dwDesiredAccess=0x1) returned 0x2907b0 [0035.749] CloseServiceHandle (hSCObject=0x290828) returned 1 [0035.749] QueryServiceConfigW (in: hService=0x2907b0, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.750] GetLastError () returned 0x7a [0035.750] QueryServiceConfigW (in: hService=0x2907b0, lpServiceConfig=0xb29a48, cbBufSize=0x1a8, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.750] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.750] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xae7510, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0035.751] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="rasauto", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0035.751] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="rasauto", cchWideChar=7, lpMultiByteStr=0xae7510, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="rasauto", lpUsedDefaultChar=0x0) returned 7 [0035.751] OpenServiceW (hSCManager=0x2a0138, lpServiceName="RasAuto", dwDesiredAccess=0x1) returned 0x290878 [0035.751] CloseServiceHandle (hSCObject=0x2907b0) returned 1 [0035.754] QueryServiceConfigW (in: hService=0x290878, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.754] GetLastError () returned 0x7a [0035.754] QueryServiceConfigW (in: hService=0x290878, lpServiceConfig=0xb29a48, cbBufSize=0x14e, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.755] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.755] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xae7558, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0035.755] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="rasman", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0035.755] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="rasman", cchWideChar=6, lpMultiByteStr=0xae7558, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="rasman", lpUsedDefaultChar=0x0) returned 6 [0035.755] OpenServiceW (hSCManager=0x2a0138, lpServiceName="RasMan", dwDesiredAccess=0x1) returned 0x2908a0 [0035.755] CloseServiceHandle (hSCObject=0x290878) returned 1 [0035.755] QueryServiceConfigW (in: hService=0x2908a0, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.756] GetLastError () returned 0x7a [0035.756] QueryServiceConfigW (in: hService=0x2908a0, lpServiceConfig=0xb29a48, cbBufSize=0x138, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.756] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.756] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xae75a0, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0035.756] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="remoteaccess", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0035.756] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="remoteaccess", cchWideChar=12, lpMultiByteStr=0xae75a0, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="remoteaccess", lpUsedDefaultChar=0x0) returned 12 [0035.756] OpenServiceW (hSCManager=0x2a0138, lpServiceName="RemoteAccess", dwDesiredAccess=0x1) returned 0x290828 [0035.757] CloseServiceHandle (hSCObject=0x2908a0) returned 1 [0035.757] QueryServiceConfigW (in: hService=0x290828, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.757] GetLastError () returned 0x7a [0035.757] QueryServiceConfigW (in: hService=0x290828, lpServiceConfig=0xb29a48, cbBufSize=0x152, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.758] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.758] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xae75e8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0035.758] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="remoteregistry", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0035.758] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="remoteregistry", cchWideChar=14, lpMultiByteStr=0xae75e8, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="remoteregistry", lpUsedDefaultChar=0x0) returned 14 [0035.758] OpenServiceW (hSCManager=0x2a0138, lpServiceName="RemoteRegistry", dwDesiredAccess=0x1) returned 0x2907b0 [0035.758] CloseServiceHandle (hSCObject=0x290828) returned 1 [0035.758] QueryServiceConfigW (in: hService=0x2907b0, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.759] GetLastError () returned 0x7a [0035.759] QueryServiceConfigW (in: hService=0x2907b0, lpServiceConfig=0xb29a48, cbBufSize=0x11c, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.759] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.759] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xae7630, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0035.759] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="rpceptmapper", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0035.759] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="rpceptmapper", cchWideChar=12, lpMultiByteStr=0xae7630, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="rpceptmapper", lpUsedDefaultChar=0x0) returned 12 [0035.759] OpenServiceW (hSCManager=0x2a0138, lpServiceName="RpcEptMapper", dwDesiredAccess=0x1) returned 0x290878 [0035.760] CloseServiceHandle (hSCObject=0x2907b0) returned 1 [0035.760] QueryServiceConfigW (in: hService=0x290878, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.760] GetLastError () returned 0x7a [0035.760] QueryServiceConfigW (in: hService=0x290878, lpServiceConfig=0xb29a48, cbBufSize=0x140, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.761] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.761] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xae7678, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0035.761] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="rpclocator", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0035.761] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="rpclocator", cchWideChar=10, lpMultiByteStr=0xae7678, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="rpclocator", lpUsedDefaultChar=0x0) returned 10 [0035.761] OpenServiceW (hSCManager=0x2a0138, lpServiceName="RpcLocator", dwDesiredAccess=0x1) returned 0x2908a0 [0035.761] CloseServiceHandle (hSCObject=0x290878) returned 1 [0035.761] QueryServiceConfigW (in: hService=0x2908a0, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.762] GetLastError () returned 0x7a [0035.762] QueryServiceConfigW (in: hService=0x2908a0, lpServiceConfig=0xb29a48, cbBufSize=0x12a, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.762] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="locator.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.762] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="locator.exe", cchWideChar=11, lpMultiByteStr=0xae76c0, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="locator.exe", lpUsedDefaultChar=0x0) returned 11 [0035.762] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="rpcss", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0035.762] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="rpcss", cchWideChar=5, lpMultiByteStr=0xae76c0, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="rpcss", lpUsedDefaultChar=0x0) returned 5 [0035.763] OpenServiceW (hSCManager=0x2a0138, lpServiceName="RpcSs", dwDesiredAccess=0x1) returned 0x290828 [0035.763] CloseServiceHandle (hSCObject=0x2908a0) returned 1 [0035.763] QueryServiceConfigW (in: hService=0x290828, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.763] GetLastError () returned 0x7a [0035.763] QueryServiceConfigW (in: hService=0x290828, lpServiceConfig=0xb29a48, cbBufSize=0x17e, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.764] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.764] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xae7708, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0035.764] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="samss", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0035.764] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="samss", cchWideChar=5, lpMultiByteStr=0xae7708, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="samss", lpUsedDefaultChar=0x0) returned 5 [0035.764] OpenServiceW (hSCManager=0x2a0138, lpServiceName="SamSs", dwDesiredAccess=0x1) returned 0x2907b0 [0035.764] CloseServiceHandle (hSCObject=0x290828) returned 1 [0035.764] QueryServiceConfigW (in: hService=0x2907b0, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.765] GetLastError () returned 0x7a [0035.765] QueryServiceConfigW (in: hService=0x2907b0, lpServiceConfig=0xb29a48, cbBufSize=0x12e, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.765] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="lsass.exe", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0035.765] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="lsass.exe", cchWideChar=9, lpMultiByteStr=0xae7708, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="lsass.exe", lpUsedDefaultChar=0x0) returned 9 [0035.765] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="scardsvr", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0035.765] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="scardsvr", cchWideChar=8, lpMultiByteStr=0xb35238, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="scardsvr", lpUsedDefaultChar=0x0) returned 8 [0035.765] OpenServiceW (hSCManager=0x2a0138, lpServiceName="SCardSvr", dwDesiredAccess=0x1) returned 0x290878 [0035.766] CloseServiceHandle (hSCObject=0x2907b0) returned 1 [0035.766] QueryServiceConfigW (in: hService=0x290878, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.766] GetLastError () returned 0x7a [0035.766] QueryServiceConfigW (in: hService=0x290878, lpServiceConfig=0xb29a48, cbBufSize=0x164, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.767] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.767] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xb35238, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0035.767] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="schedule", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0035.767] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="schedule", cchWideChar=8, lpMultiByteStr=0xb35280, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="schedule", lpUsedDefaultChar=0x0) returned 8 [0035.767] OpenServiceW (hSCManager=0x2a0138, lpServiceName="Schedule", dwDesiredAccess=0x1) returned 0x2908a0 [0035.767] CloseServiceHandle (hSCObject=0x290878) returned 1 [0035.767] QueryServiceConfigW (in: hService=0x2908a0, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.768] GetLastError () returned 0x7a [0035.768] QueryServiceConfigW (in: hService=0x2908a0, lpServiceConfig=0xb29a48, cbBufSize=0x12e, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.768] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.768] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xb352c8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0035.768] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="scpolicysvc", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.768] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="scpolicysvc", cchWideChar=11, lpMultiByteStr=0xb352c8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="scpolicysvc", lpUsedDefaultChar=0x0) returned 11 [0035.768] OpenServiceW (hSCManager=0x2a0138, lpServiceName="SCPolicySvc", dwDesiredAccess=0x1) returned 0x290828 [0035.769] CloseServiceHandle (hSCObject=0x2908a0) returned 1 [0035.769] QueryServiceConfigW (in: hService=0x290828, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.769] GetLastError () returned 0x7a [0035.769] QueryServiceConfigW (in: hService=0x290828, lpServiceConfig=0xb29a48, cbBufSize=0x116, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.770] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.770] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xb35310, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0035.770] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="sdrsvc", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0035.770] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="sdrsvc", cchWideChar=6, lpMultiByteStr=0xb35310, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="sdrsvc", lpUsedDefaultChar=0x0) returned 6 [0035.770] OpenServiceW (hSCManager=0x2a0138, lpServiceName="SDRSVC", dwDesiredAccess=0x1) returned 0x2907b0 [0035.770] CloseServiceHandle (hSCObject=0x290828) returned 1 [0035.770] QueryServiceConfigW (in: hService=0x2907b0, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.771] GetLastError () returned 0x7a [0035.771] QueryServiceConfigW (in: hService=0x2907b0, lpServiceConfig=0xb29a48, cbBufSize=0xfe, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.771] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.771] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xb35358, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0035.771] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="seclogon", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0035.771] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="seclogon", cchWideChar=8, lpMultiByteStr=0xb35358, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="seclogon", lpUsedDefaultChar=0x0) returned 8 [0035.771] OpenServiceW (hSCManager=0x2a0138, lpServiceName="seclogon", dwDesiredAccess=0x1) returned 0x290878 [0035.772] CloseServiceHandle (hSCObject=0x2907b0) returned 1 [0035.772] QueryServiceConfigW (in: hService=0x290878, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.772] GetLastError () returned 0x7a [0035.772] QueryServiceConfigW (in: hService=0x290878, lpServiceConfig=0xb29a48, cbBufSize=0xf8, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.773] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.773] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xb353a0, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0035.773] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="sens", cchWideChar=4, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 4 [0035.773] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="sens", cchWideChar=4, lpMultiByteStr=0xb353a0, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="sens", lpUsedDefaultChar=0x0) returned 4 [0035.773] OpenServiceW (hSCManager=0x2a0138, lpServiceName="SENS", dwDesiredAccess=0x1) returned 0x2908a0 [0035.773] CloseServiceHandle (hSCObject=0x290878) returned 1 [0035.773] QueryServiceConfigW (in: hService=0x2908a0, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.774] GetLastError () returned 0x7a [0035.774] QueryServiceConfigW (in: hService=0x2908a0, lpServiceConfig=0xb29a48, cbBufSize=0x14c, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.774] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.774] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xb353e8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0035.774] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="sensrsvc", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0035.774] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="sensrsvc", cchWideChar=8, lpMultiByteStr=0xb353e8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="sensrsvc", lpUsedDefaultChar=0x0) returned 8 [0035.774] OpenServiceW (hSCManager=0x2a0138, lpServiceName="SensrSvc", dwDesiredAccess=0x1) returned 0x290828 [0035.774] CloseServiceHandle (hSCObject=0x2908a0) returned 1 [0035.775] QueryServiceConfigW (in: hService=0x290828, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.775] GetLastError () returned 0x7a [0035.775] QueryServiceConfigW (in: hService=0x290828, lpServiceConfig=0xb29a48, cbBufSize=0x14a, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.775] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.775] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xb35430, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0035.776] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="sessionenv", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0035.776] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="sessionenv", cchWideChar=10, lpMultiByteStr=0xb35430, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="sessionenv", lpUsedDefaultChar=0x0) returned 10 [0035.776] OpenServiceW (hSCManager=0x2a0138, lpServiceName="SessionEnv", dwDesiredAccess=0x1) returned 0x2907b0 [0035.776] CloseServiceHandle (hSCObject=0x290828) returned 1 [0035.776] QueryServiceConfigW (in: hService=0x2907b0, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.776] GetLastError () returned 0x7a [0035.776] QueryServiceConfigW (in: hService=0x2907b0, lpServiceConfig=0xb29a48, cbBufSize=0x140, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.777] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.777] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xb35478, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0035.777] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="sharedaccess", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0035.777] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="sharedaccess", cchWideChar=12, lpMultiByteStr=0xb35478, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="sharedaccess", lpUsedDefaultChar=0x0) returned 12 [0035.777] OpenServiceW (hSCManager=0x2a0138, lpServiceName="SharedAccess", dwDesiredAccess=0x1) returned 0x290878 [0035.777] CloseServiceHandle (hSCObject=0x2907b0) returned 1 [0035.777] QueryServiceConfigW (in: hService=0x290878, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.778] GetLastError () returned 0x7a [0035.778] QueryServiceConfigW (in: hService=0x290878, lpServiceConfig=0xb29a48, cbBufSize=0x14e, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.778] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.779] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xb354c0, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0035.779] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="shellhwdetection", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0035.779] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="shellhwdetection", cchWideChar=16, lpMultiByteStr=0xb354c0, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="shellhwdetection", lpUsedDefaultChar=0x0) returned 16 [0035.779] OpenServiceW (hSCManager=0x2a0138, lpServiceName="ShellHWDetection", dwDesiredAccess=0x1) returned 0x2908a0 [0035.779] CloseServiceHandle (hSCObject=0x290878) returned 1 [0035.779] QueryServiceConfigW (in: hService=0x2908a0, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.779] GetLastError () returned 0x7a [0035.779] QueryServiceConfigW (in: hService=0x2908a0, lpServiceConfig=0xb29a48, cbBufSize=0x12e, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.780] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.780] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xb35508, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0035.780] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="snmptrap", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0035.780] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="snmptrap", cchWideChar=8, lpMultiByteStr=0xb35508, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="snmptrap", lpUsedDefaultChar=0x0) returned 8 [0035.780] OpenServiceW (hSCManager=0x2a0138, lpServiceName="SNMPTRAP", dwDesiredAccess=0x1) returned 0x290828 [0035.780] CloseServiceHandle (hSCObject=0x2908a0) returned 1 [0035.780] QueryServiceConfigW (in: hService=0x290828, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.781] GetLastError () returned 0x7a [0035.781] QueryServiceConfigW (in: hService=0x290828, lpServiceConfig=0xb29a48, cbBufSize=0xf4, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.781] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="snmptrap.exe", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0035.781] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="snmptrap.exe", cchWideChar=12, lpMultiByteStr=0xb35550, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="snmptrap.exe", lpUsedDefaultChar=0x0) returned 12 [0035.782] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="spooler", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0035.782] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="spooler", cchWideChar=7, lpMultiByteStr=0xb35550, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="spooler", lpUsedDefaultChar=0x0) returned 7 [0035.782] OpenServiceW (hSCManager=0x2a0138, lpServiceName="Spooler", dwDesiredAccess=0x1) returned 0x2907b0 [0035.782] CloseServiceHandle (hSCObject=0x290828) returned 1 [0035.782] QueryServiceConfigW (in: hService=0x2907b0, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.782] GetLastError () returned 0x7a [0035.782] QueryServiceConfigW (in: hService=0x2907b0, lpServiceConfig=0xb29a48, cbBufSize=0x10a, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.783] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="spoolsv.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.783] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="spoolsv.exe", cchWideChar=11, lpMultiByteStr=0xb35598, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="spoolsv.exe", lpUsedDefaultChar=0x0) returned 11 [0035.783] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="sppsvc", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0035.783] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="sppsvc", cchWideChar=6, lpMultiByteStr=0xb35598, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="sppsvc", lpUsedDefaultChar=0x0) returned 6 [0035.783] OpenServiceW (hSCManager=0x2a0138, lpServiceName="sppsvc", dwDesiredAccess=0x1) returned 0x290878 [0035.783] CloseServiceHandle (hSCObject=0x2907b0) returned 1 [0035.783] QueryServiceConfigW (in: hService=0x290878, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.784] GetLastError () returned 0x7a [0035.784] QueryServiceConfigW (in: hService=0x290878, lpServiceConfig=0xb29a48, cbBufSize=0x112, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.784] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="sppsvc.exe", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0035.784] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="sppsvc.exe", cchWideChar=10, lpMultiByteStr=0xb355e0, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="sppsvc.exe", lpUsedDefaultChar=0x0) returned 10 [0035.784] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="sppuinotify", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.784] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="sppuinotify", cchWideChar=11, lpMultiByteStr=0xb355e0, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="sppuinotify", lpUsedDefaultChar=0x0) returned 11 [0035.784] OpenServiceW (hSCManager=0x2a0138, lpServiceName="sppuinotify", dwDesiredAccess=0x1) returned 0x2908a0 [0035.785] CloseServiceHandle (hSCObject=0x290878) returned 1 [0035.785] QueryServiceConfigW (in: hService=0x2908a0, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.785] GetLastError () returned 0x7a [0035.785] QueryServiceConfigW (in: hService=0x2908a0, lpServiceConfig=0xb29a48, cbBufSize=0x146, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.786] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.786] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xb35628, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0035.786] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ssdpsrv", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0035.786] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ssdpsrv", cchWideChar=7, lpMultiByteStr=0xb35628, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ssdpsrv", lpUsedDefaultChar=0x0) returned 7 [0035.786] OpenServiceW (hSCManager=0x2a0138, lpServiceName="SSDPSRV", dwDesiredAccess=0x1) returned 0x290828 [0035.786] CloseServiceHandle (hSCObject=0x2908a0) returned 1 [0035.786] QueryServiceConfigW (in: hService=0x290828, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.787] GetLastError () returned 0x7a [0035.787] QueryServiceConfigW (in: hService=0x290828, lpServiceConfig=0xb29a48, cbBufSize=0x148, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.787] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.787] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xb35670, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0035.787] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="sstpsvc", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0035.787] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="sstpsvc", cchWideChar=7, lpMultiByteStr=0xb35670, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="sstpsvc", lpUsedDefaultChar=0x0) returned 7 [0035.787] OpenServiceW (hSCManager=0x2a0138, lpServiceName="SstpSvc", dwDesiredAccess=0x1) returned 0x2907b0 [0035.787] CloseServiceHandle (hSCObject=0x290828) returned 1 [0035.788] QueryServiceConfigW (in: hService=0x2907b0, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.788] GetLastError () returned 0x7a [0035.788] QueryServiceConfigW (in: hService=0x2907b0, lpServiceConfig=0xb29a48, cbBufSize=0x150, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.788] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.788] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xb356b8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0035.788] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="stisvc", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0035.788] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="stisvc", cchWideChar=6, lpMultiByteStr=0xb356b8, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="stisvc", lpUsedDefaultChar=0x0) returned 6 [0035.789] OpenServiceW (hSCManager=0x2a0138, lpServiceName="stisvc", dwDesiredAccess=0x1) returned 0x290878 [0035.789] CloseServiceHandle (hSCObject=0x2907b0) returned 1 [0035.789] QueryServiceConfigW (in: hService=0x290878, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.789] GetLastError () returned 0x7a [0035.789] QueryServiceConfigW (in: hService=0x290878, lpServiceConfig=0xb29a48, cbBufSize=0x15e, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.790] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.790] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xb35700, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0035.790] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="storsvc", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0035.790] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="storsvc", cchWideChar=7, lpMultiByteStr=0xb35700, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="storsvc", lpUsedDefaultChar=0x0) returned 7 [0035.790] OpenServiceW (hSCManager=0x2a0138, lpServiceName="StorSvc", dwDesiredAccess=0x1) returned 0x2908a0 [0035.790] CloseServiceHandle (hSCObject=0x290878) returned 1 [0035.790] QueryServiceConfigW (in: hService=0x2908a0, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.791] GetLastError () returned 0x7a [0035.791] QueryServiceConfigW (in: hService=0x2908a0, lpServiceConfig=0xb29a48, cbBufSize=0x122, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.791] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.791] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xb35748, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0035.791] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="swprv", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0035.791] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="swprv", cchWideChar=5, lpMultiByteStr=0xb35748, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="swprv", lpUsedDefaultChar=0x0) returned 5 [0035.791] OpenServiceW (hSCManager=0x2a0138, lpServiceName="swprv", dwDesiredAccess=0x1) returned 0x290828 [0035.792] CloseServiceHandle (hSCObject=0x2908a0) returned 1 [0035.792] QueryServiceConfigW (in: hService=0x290828, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.792] GetLastError () returned 0x7a [0035.792] QueryServiceConfigW (in: hService=0x290828, lpServiceConfig=0xb29a48, cbBufSize=0x12e, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.793] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.793] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xb35790, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0035.793] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="sysmain", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0035.793] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="sysmain", cchWideChar=7, lpMultiByteStr=0xb35790, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="sysmain", lpUsedDefaultChar=0x0) returned 7 [0035.793] OpenServiceW (hSCManager=0x2a0138, lpServiceName="SysMain", dwDesiredAccess=0x1) returned 0x2907b0 [0035.793] CloseServiceHandle (hSCObject=0x290828) returned 1 [0035.793] QueryServiceConfigW (in: hService=0x2907b0, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.793] GetLastError () returned 0x7a [0035.793] QueryServiceConfigW (in: hService=0x2907b0, lpServiceConfig=0xb29a48, cbBufSize=0x134, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.794] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.794] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xb357d8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0035.794] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="tabletinputservice", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0035.794] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="tabletinputservice", cchWideChar=18, lpMultiByteStr=0xb357d8, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tabletinputservice", lpUsedDefaultChar=0x0) returned 18 [0035.794] OpenServiceW (hSCManager=0x2a0138, lpServiceName="TabletInputService", dwDesiredAccess=0x1) returned 0x290878 [0035.794] CloseServiceHandle (hSCObject=0x2907b0) returned 1 [0035.795] QueryServiceConfigW (in: hService=0x290878, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.795] GetLastError () returned 0x7a [0035.795] QueryServiceConfigW (in: hService=0x290878, lpServiceConfig=0xb29a48, cbBufSize=0x15e, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.795] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.795] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xb35820, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0035.795] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="tapisrv", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0035.796] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="tapisrv", cchWideChar=7, lpMultiByteStr=0xb35820, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tapisrv", lpUsedDefaultChar=0x0) returned 7 [0035.796] OpenServiceW (hSCManager=0x2a0138, lpServiceName="TapiSrv", dwDesiredAccess=0x1) returned 0x2908a0 [0035.796] CloseServiceHandle (hSCObject=0x290878) returned 1 [0035.796] QueryServiceConfigW (in: hService=0x2908a0, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.796] GetLastError () returned 0x7a [0035.796] QueryServiceConfigW (in: hService=0x2908a0, lpServiceConfig=0xb29a48, cbBufSize=0x136, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.797] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.797] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xb35868, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0035.797] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="tbs", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0035.797] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="tbs", cchWideChar=3, lpMultiByteStr=0xb35868, cbMultiByte=3, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="tbs", lpUsedDefaultChar=0x0) returned 3 [0035.797] OpenServiceW (hSCManager=0x2a0138, lpServiceName="TBS", dwDesiredAccess=0x1) returned 0x290828 [0035.797] CloseServiceHandle (hSCObject=0x2908a0) returned 1 [0035.798] QueryServiceConfigW (in: hService=0x290828, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.798] GetLastError () returned 0x7a [0035.798] QueryServiceConfigW (in: hService=0x290828, lpServiceConfig=0xb29a48, cbBufSize=0x146, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.798] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.799] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xb358b0, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0035.799] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="termservice", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.799] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="termservice", cchWideChar=11, lpMultiByteStr=0xb358b0, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="termservice", lpUsedDefaultChar=0x0) returned 11 [0035.799] OpenServiceW (hSCManager=0x2a0138, lpServiceName="TermService", dwDesiredAccess=0x1) returned 0x2907b0 [0035.799] CloseServiceHandle (hSCObject=0x290828) returned 1 [0035.799] QueryServiceConfigW (in: hService=0x2907b0, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.800] GetLastError () returned 0x7a [0035.800] QueryServiceConfigW (in: hService=0x2907b0, lpServiceConfig=0xb29a48, cbBufSize=0x14e, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.800] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.800] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xb358f8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0035.800] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="themes", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0035.800] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="themes", cchWideChar=6, lpMultiByteStr=0xb358f8, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="themes", lpUsedDefaultChar=0x0) returned 6 [0035.800] OpenServiceW (hSCManager=0x2a0138, lpServiceName="Themes", dwDesiredAccess=0x1) returned 0x290878 [0035.801] CloseServiceHandle (hSCObject=0x2907b0) returned 1 [0035.801] QueryServiceConfigW (in: hService=0x290878, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.801] GetLastError () returned 0x7a [0035.801] QueryServiceConfigW (in: hService=0x290878, lpServiceConfig=0xb29a48, cbBufSize=0x100, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.802] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.802] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xb35940, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0035.802] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="threadorder", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.802] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="threadorder", cchWideChar=11, lpMultiByteStr=0xb35940, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="threadorder", lpUsedDefaultChar=0x0) returned 11 [0035.802] OpenServiceW (hSCManager=0x2a0138, lpServiceName="THREADORDER", dwDesiredAccess=0x1) returned 0x2908a0 [0035.802] CloseServiceHandle (hSCObject=0x290878) returned 1 [0035.802] QueryServiceConfigW (in: hService=0x2908a0, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.803] GetLastError () returned 0x7a [0035.803] QueryServiceConfigW (in: hService=0x2908a0, lpServiceConfig=0xb29a48, cbBufSize=0x12c, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.803] OpenServiceW (hSCManager=0x2a0138, lpServiceName="TrkWks", dwDesiredAccess=0x1) returned 0x290828 [0035.804] CloseServiceHandle (hSCObject=0x2908a0) returned 1 [0035.804] QueryServiceConfigW (in: hService=0x290828, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.804] GetLastError () returned 0x7a [0035.804] QueryServiceConfigW (in: hService=0x290828, lpServiceConfig=0xb29a48, cbBufSize=0x14e, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.805] OpenServiceW (hSCManager=0x2a0138, lpServiceName="TrustedInstaller", dwDesiredAccess=0x1) returned 0x2907b0 [0035.805] CloseServiceHandle (hSCObject=0x290828) returned 1 [0035.805] QueryServiceConfigW (in: hService=0x2907b0, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.806] GetLastError () returned 0x7a [0035.806] QueryServiceConfigW (in: hService=0x2907b0, lpServiceConfig=0xb29a48, cbBufSize=0x124, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.807] OpenServiceW (hSCManager=0x2a0138, lpServiceName="UI0Detect", dwDesiredAccess=0x1) returned 0x290878 [0035.807] CloseServiceHandle (hSCObject=0x2907b0) returned 1 [0035.807] QueryServiceConfigW (in: hService=0x290878, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.807] GetLastError () returned 0x7a [0035.807] QueryServiceConfigW (in: hService=0x290878, lpServiceConfig=0xb29a48, cbBufSize=0x104, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.808] OpenServiceW (hSCManager=0x2a0138, lpServiceName="UmRdpService", dwDesiredAccess=0x1) returned 0x2908a0 [0035.808] CloseServiceHandle (hSCObject=0x290878) returned 1 [0035.808] QueryServiceConfigW (in: hService=0x2908a0, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.809] GetLastError () returned 0x7a [0035.809] QueryServiceConfigW (in: hService=0x2908a0, lpServiceConfig=0xb29a48, cbBufSize=0x186, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.809] OpenServiceW (hSCManager=0x2a0138, lpServiceName="upnphost", dwDesiredAccess=0x1) returned 0x290828 [0035.810] CloseServiceHandle (hSCObject=0x2908a0) returned 1 [0035.810] QueryServiceConfigW (in: hService=0x290828, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.810] GetLastError () returned 0x7a [0035.810] QueryServiceConfigW (in: hService=0x290828, lpServiceConfig=0xb29a48, cbBufSize=0x15c, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.811] OpenServiceW (hSCManager=0x2a0138, lpServiceName="UxSms", dwDesiredAccess=0x1) returned 0x2907b0 [0035.811] CloseServiceHandle (hSCObject=0x290828) returned 1 [0035.811] QueryServiceConfigW (in: hService=0x2907b0, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.812] GetLastError () returned 0x7a [0035.812] QueryServiceConfigW (in: hService=0x2907b0, lpServiceConfig=0xb29a48, cbBufSize=0x15e, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.812] OpenServiceW (hSCManager=0x2a0138, lpServiceName="VaultSvc", dwDesiredAccess=0x1) returned 0x290878 [0035.812] CloseServiceHandle (hSCObject=0x2907b0) returned 1 [0035.813] QueryServiceConfigW (in: hService=0x290878, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.813] GetLastError () returned 0x7a [0035.813] QueryServiceConfigW (in: hService=0x290878, lpServiceConfig=0xb29a48, cbBufSize=0xee, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.813] OpenServiceW (hSCManager=0x2a0138, lpServiceName="vds", dwDesiredAccess=0x1) returned 0x2908a0 [0035.814] CloseServiceHandle (hSCObject=0x290878) returned 1 [0035.814] QueryServiceConfigW (in: hService=0x2908a0, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.814] GetLastError () returned 0x7a [0035.814] QueryServiceConfigW (in: hService=0x2908a0, lpServiceConfig=0xb29a48, cbBufSize=0xf0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.815] OpenServiceW (hSCManager=0x2a0138, lpServiceName="VSS", dwDesiredAccess=0x1) returned 0x290828 [0035.815] CloseServiceHandle (hSCObject=0x2908a0) returned 1 [0035.815] QueryServiceConfigW (in: hService=0x290828, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.816] GetLastError () returned 0x7a [0035.816] QueryServiceConfigW (in: hService=0x290828, lpServiceConfig=0xb29a48, cbBufSize=0xee, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.819] OpenServiceW (hSCManager=0x2a0138, lpServiceName="W32Time", dwDesiredAccess=0x1) returned 0x2907b0 [0035.819] CloseServiceHandle (hSCObject=0x290828) returned 1 [0035.820] QueryServiceConfigW (in: hService=0x2907b0, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.820] GetLastError () returned 0x7a [0035.820] QueryServiceConfigW (in: hService=0x2907b0, lpServiceConfig=0xb29a48, cbBufSize=0x118, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.821] OpenServiceW (hSCManager=0x2a0138, lpServiceName="wbengine", dwDesiredAccess=0x1) returned 0x290878 [0035.821] CloseServiceHandle (hSCObject=0x2907b0) returned 1 [0035.821] QueryServiceConfigW (in: hService=0x290878, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.822] GetLastError () returned 0x7a [0035.822] QueryServiceConfigW (in: hService=0x290878, lpServiceConfig=0xb29a48, cbBufSize=0x10c, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.822] OpenServiceW (hSCManager=0x2a0138, lpServiceName="WbioSrvc", dwDesiredAccess=0x1) returned 0x2908a0 [0035.823] CloseServiceHandle (hSCObject=0x290878) returned 1 [0035.823] QueryServiceConfigW (in: hService=0x2908a0, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.823] GetLastError () returned 0x7a [0035.823] QueryServiceConfigW (in: hService=0x2908a0, lpServiceConfig=0xb29a48, cbBufSize=0x15e, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.824] OpenServiceW (hSCManager=0x2a0138, lpServiceName="wcncsvc", dwDesiredAccess=0x1) returned 0x290828 [0035.824] CloseServiceHandle (hSCObject=0x2908a0) returned 1 [0035.824] QueryServiceConfigW (in: hService=0x290828, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.825] GetLastError () returned 0x7a [0035.825] QueryServiceConfigW (in: hService=0x290828, lpServiceConfig=0xb29a48, cbBufSize=0x17a, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.825] OpenServiceW (hSCManager=0x2a0138, lpServiceName="WcsPlugInService", dwDesiredAccess=0x1) returned 0x2907b0 [0035.826] CloseServiceHandle (hSCObject=0x290828) returned 1 [0035.826] QueryServiceConfigW (in: hService=0x2907b0, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.826] GetLastError () returned 0x7a [0035.826] QueryServiceConfigW (in: hService=0x2907b0, lpServiceConfig=0xb29a48, cbBufSize=0x126, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.827] OpenServiceW (hSCManager=0x2a0138, lpServiceName="WdiServiceHost", dwDesiredAccess=0x1) returned 0x290878 [0035.827] CloseServiceHandle (hSCObject=0x2907b0) returned 1 [0035.827] QueryServiceConfigW (in: hService=0x290878, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.828] GetLastError () returned 0x7a [0035.828] QueryServiceConfigW (in: hService=0x290878, lpServiceConfig=0xb29a48, cbBufSize=0x12e, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.828] OpenServiceW (hSCManager=0x2a0138, lpServiceName="WdiSystemHost", dwDesiredAccess=0x1) returned 0x2908a0 [0035.828] CloseServiceHandle (hSCObject=0x290878) returned 1 [0035.829] QueryServiceConfigW (in: hService=0x2908a0, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.829] GetLastError () returned 0x7a [0035.829] QueryServiceConfigW (in: hService=0x2908a0, lpServiceConfig=0xb29a48, cbBufSize=0x130, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.830] OpenServiceW (hSCManager=0x2a0138, lpServiceName="WebClient", dwDesiredAccess=0x1) returned 0x290828 [0035.830] CloseServiceHandle (hSCObject=0x2908a0) returned 1 [0035.830] QueryServiceConfigW (in: hService=0x290828, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.831] GetLastError () returned 0x7a [0035.831] QueryServiceConfigW (in: hService=0x290828, lpServiceConfig=0xb29a48, cbBufSize=0x13c, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.831] OpenServiceW (hSCManager=0x2a0138, lpServiceName="Wecsvc", dwDesiredAccess=0x1) returned 0x2907b0 [0035.831] CloseServiceHandle (hSCObject=0x290828) returned 1 [0035.832] QueryServiceConfigW (in: hService=0x2907b0, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.832] GetLastError () returned 0x7a [0035.832] QueryServiceConfigW (in: hService=0x2907b0, lpServiceConfig=0xb29a48, cbBufSize=0x150, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.833] OpenServiceW (hSCManager=0x2a0138, lpServiceName="wercplsupport", dwDesiredAccess=0x1) returned 0x290878 [0035.833] CloseServiceHandle (hSCObject=0x2907b0) returned 1 [0035.833] QueryServiceConfigW (in: hService=0x290878, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.833] GetLastError () returned 0x7a [0035.833] QueryServiceConfigW (in: hService=0x290878, lpServiceConfig=0xb29a48, cbBufSize=0x140, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.834] OpenServiceW (hSCManager=0x2a0138, lpServiceName="WerSvc", dwDesiredAccess=0x1) returned 0x2908a0 [0035.834] CloseServiceHandle (hSCObject=0x290878) returned 1 [0035.847] QueryServiceConfigW (in: hService=0x2908a0, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.847] GetLastError () returned 0x7a [0035.847] QueryServiceConfigW (in: hService=0x2908a0, lpServiceConfig=0xb29a48, cbBufSize=0x120, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.848] OpenServiceW (hSCManager=0x2a0138, lpServiceName="WinDefend", dwDesiredAccess=0x1) returned 0x290828 [0035.848] CloseServiceHandle (hSCObject=0x2908a0) returned 1 [0035.848] QueryServiceConfigW (in: hService=0x290828, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.849] GetLastError () returned 0x7a [0035.849] QueryServiceConfigW (in: hService=0x290828, lpServiceConfig=0xb29a48, cbBufSize=0x104, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.849] OpenServiceW (hSCManager=0x2a0138, lpServiceName="WinHttpAutoProxySvc", dwDesiredAccess=0x1) returned 0x2907b0 [0035.849] CloseServiceHandle (hSCObject=0x290828) returned 1 [0035.877] QueryServiceConfigW (in: hService=0x2907b0, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.880] GetLastError () returned 0x7a [0035.880] QueryServiceConfigW (in: hService=0x2907b0, lpServiceConfig=0xb29a48, cbBufSize=0x158, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.880] OpenServiceW (hSCManager=0x2a0138, lpServiceName="Winmgmt", dwDesiredAccess=0x1) returned 0x290878 [0035.880] CloseServiceHandle (hSCObject=0x2907b0) returned 1 [0035.881] QueryServiceConfigW (in: hService=0x290878, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.881] GetLastError () returned 0x7a [0035.881] QueryServiceConfigW (in: hService=0x290878, lpServiceConfig=0xb29a48, cbBufSize=0x128, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.884] OpenServiceW (hSCManager=0x2a0138, lpServiceName="WinRM", dwDesiredAccess=0x1) returned 0x2908a0 [0035.884] CloseServiceHandle (hSCObject=0x290878) returned 1 [0035.884] QueryServiceConfigW (in: hService=0x2908a0, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.885] GetLastError () returned 0x7a [0035.885] QueryServiceConfigW (in: hService=0x2908a0, lpServiceConfig=0xb29a48, cbBufSize=0x16e, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.885] OpenServiceW (hSCManager=0x2a0138, lpServiceName="Wlansvc", dwDesiredAccess=0x1) returned 0x290828 [0035.885] CloseServiceHandle (hSCObject=0x2908a0) returned 1 [0035.886] QueryServiceConfigW (in: hService=0x290828, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.886] GetLastError () returned 0x7a [0035.886] QueryServiceConfigW (in: hService=0x290828, lpServiceConfig=0xb29a48, cbBufSize=0x16a, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.886] OpenServiceW (hSCManager=0x2a0138, lpServiceName="wmiApSrv", dwDesiredAccess=0x1) returned 0x2907b0 [0035.887] CloseServiceHandle (hSCObject=0x290828) returned 1 [0035.887] QueryServiceConfigW (in: hService=0x2907b0, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.887] GetLastError () returned 0x7a [0035.887] QueryServiceConfigW (in: hService=0x2907b0, lpServiceConfig=0xb29a48, cbBufSize=0xfe, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.888] OpenServiceW (hSCManager=0x2a0138, lpServiceName="WMPNetworkSvc", dwDesiredAccess=0x1) returned 0x290878 [0035.888] CloseServiceHandle (hSCObject=0x2907b0) returned 1 [0035.888] QueryServiceConfigW (in: hService=0x290878, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.889] GetLastError () returned 0x7a [0035.889] QueryServiceConfigW (in: hService=0x290878, lpServiceConfig=0xb29a48, cbBufSize=0x16e, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.889] OpenServiceW (hSCManager=0x2a0138, lpServiceName="WPCSvc", dwDesiredAccess=0x1) returned 0x2908a0 [0035.889] CloseServiceHandle (hSCObject=0x290878) returned 1 [0035.890] QueryServiceConfigW (in: hService=0x2908a0, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.890] GetLastError () returned 0x7a [0035.890] QueryServiceConfigW (in: hService=0x2908a0, lpServiceConfig=0xb29a48, cbBufSize=0x14e, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.890] OpenServiceW (hSCManager=0x2a0138, lpServiceName="WPDBusEnum", dwDesiredAccess=0x1) returned 0x290828 [0035.891] CloseServiceHandle (hSCObject=0x2908a0) returned 1 [0035.891] QueryServiceConfigW (in: hService=0x290828, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.891] GetLastError () returned 0x7a [0035.891] QueryServiceConfigW (in: hService=0x290828, lpServiceConfig=0xb29a48, cbBufSize=0x152, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.892] OpenServiceW (hSCManager=0x2a0138, lpServiceName="wscsvc", dwDesiredAccess=0x1) returned 0x2907b0 [0035.892] CloseServiceHandle (hSCObject=0x290828) returned 1 [0035.892] QueryServiceConfigW (in: hService=0x2907b0, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.893] GetLastError () returned 0x7a [0035.893] QueryServiceConfigW (in: hService=0x2907b0, lpServiceConfig=0xb29a48, cbBufSize=0x15a, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.893] OpenServiceW (hSCManager=0x2a0138, lpServiceName="WSearch", dwDesiredAccess=0x1) returned 0x290878 [0035.893] CloseServiceHandle (hSCObject=0x2907b0) returned 1 [0035.893] QueryServiceConfigW (in: hService=0x290878, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.894] GetLastError () returned 0x7a [0035.894] QueryServiceConfigW (in: hService=0x290878, lpServiceConfig=0xb29a48, cbBufSize=0x10c, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.894] OpenServiceW (hSCManager=0x2a0138, lpServiceName="wuauserv", dwDesiredAccess=0x1) returned 0x2908a0 [0035.895] CloseServiceHandle (hSCObject=0x290878) returned 1 [0035.895] QueryServiceConfigW (in: hService=0x2908a0, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.895] GetLastError () returned 0x7a [0035.895] QueryServiceConfigW (in: hService=0x2908a0, lpServiceConfig=0xb29a48, cbBufSize=0x100, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.896] OpenServiceW (hSCManager=0x2a0138, lpServiceName="wudfsvc", dwDesiredAccess=0x1) returned 0x290828 [0035.896] CloseServiceHandle (hSCObject=0x2908a0) returned 1 [0035.897] QueryServiceConfigW (in: hService=0x290828, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.897] GetLastError () returned 0x7a [0035.897] QueryServiceConfigW (in: hService=0x290828, lpServiceConfig=0xb29a48, cbBufSize=0x19e, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.897] OpenServiceW (hSCManager=0x2a0138, lpServiceName="WwanSvc", dwDesiredAccess=0x1) returned 0x2907b0 [0035.898] CloseServiceHandle (hSCObject=0x290828) returned 1 [0035.898] QueryServiceConfigW (in: hService=0x2907b0, lpServiceConfig=0x0, cbBufSize=0x0, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0x0, pcbBytesNeeded=0x151fba4) returned 0 [0035.898] GetLastError () returned 0x7a [0035.898] QueryServiceConfigW (in: hService=0x2907b0, lpServiceConfig=0xb29a48, cbBufSize=0x170, pcbBytesNeeded=0x151fba4 | out: lpServiceConfig=0xb29a48, pcbBytesNeeded=0x151fba4) returned 1 [0035.899] CloseServiceHandle (hSCObject=0x2907b0) returned 1 [0035.905] CloseServiceHandle (hSCObject=0x2a0138) returned 1 [0035.905] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x144 [0035.908] Process32FirstW (in: hSnapshot=0x144, lppe=0x151f8d4 | out: lppe=0x151f8d4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0035.909] Process32NextW (in: hSnapshot=0x144, lppe=0x151f8d4 | out: lppe=0x151f8d4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4e, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0035.910] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="system", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0035.910] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="system", cchWideChar=6, lpMultiByteStr=0xae99d0, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="system", lpUsedDefaultChar=0x0) returned 6 [0035.910] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="System", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0035.910] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="System", cchWideChar=6, lpMultiByteStr=0xae99d0, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="System", lpUsedDefaultChar=0x0) returned 6 [0035.910] Process32NextW (in: hSnapshot=0x144, lppe=0x151f8d4 | out: lppe=0x151f8d4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0035.911] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="smss.exe", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0035.911] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="smss.exe", cchWideChar=8, lpMultiByteStr=0xae98f8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="smss.exe", lpUsedDefaultChar=0x0) returned 8 [0035.911] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="smss.exe", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0035.911] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="smss.exe", cchWideChar=8, lpMultiByteStr=0xae98f8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="smss.exe", lpUsedDefaultChar=0x0) returned 8 [0035.911] Process32NextW (in: hSnapshot=0x144, lppe=0x151f8d4 | out: lppe=0x151f8d4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0035.911] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="csrss.exe", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0035.911] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="csrss.exe", cchWideChar=9, lpMultiByteStr=0xae9868, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="csrss.exe", lpUsedDefaultChar=0x0) returned 9 [0035.911] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="csrss.exe", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0035.912] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="csrss.exe", cchWideChar=9, lpMultiByteStr=0xae9868, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="csrss.exe", lpUsedDefaultChar=0x0) returned 9 [0035.912] Process32NextW (in: hSnapshot=0x144, lppe=0x151f8d4 | out: lppe=0x151f8d4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0035.912] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="wininit.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.912] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="wininit.exe", cchWideChar=11, lpMultiByteStr=0xae9820, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="wininit.exe", lpUsedDefaultChar=0x0) returned 11 [0035.912] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="wininit.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.912] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="wininit.exe", cchWideChar=11, lpMultiByteStr=0xae9820, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="wininit.exe", lpUsedDefaultChar=0x0) returned 11 [0035.912] Process32NextW (in: hSnapshot=0x144, lppe=0x151f8d4 | out: lppe=0x151f8d4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0035.913] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="csrss.exe", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0035.913] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="csrss.exe", cchWideChar=9, lpMultiByteStr=0xae97d8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="csrss.exe", lpUsedDefaultChar=0x0) returned 9 [0035.913] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="csrss.exe", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0035.913] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="csrss.exe", cchWideChar=9, lpMultiByteStr=0xae97d8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="csrss.exe", lpUsedDefaultChar=0x0) returned 9 [0035.913] Process32NextW (in: hSnapshot=0x144, lppe=0x151f8d4 | out: lppe=0x151f8d4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0035.913] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="winlogon.exe", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0035.913] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="winlogon.exe", cchWideChar=12, lpMultiByteStr=0xae9790, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="winlogon.exe", lpUsedDefaultChar=0x0) returned 12 [0035.914] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="winlogon.exe", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0035.914] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="winlogon.exe", cchWideChar=12, lpMultiByteStr=0xae9790, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="winlogon.exe", lpUsedDefaultChar=0x0) returned 12 [0035.914] Process32NextW (in: hSnapshot=0x144, lppe=0x151f8d4 | out: lppe=0x151f8d4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0035.914] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="services.exe", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0035.914] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="services.exe", cchWideChar=12, lpMultiByteStr=0xae9748, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="services.exe", lpUsedDefaultChar=0x0) returned 12 [0035.914] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="services.exe", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0035.914] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="services.exe", cchWideChar=12, lpMultiByteStr=0xae9748, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="services.exe", lpUsedDefaultChar=0x0) returned 12 [0035.914] Process32NextW (in: hSnapshot=0x144, lppe=0x151f8d4 | out: lppe=0x151f8d4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0035.915] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="lsass.exe", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0035.915] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="lsass.exe", cchWideChar=9, lpMultiByteStr=0xae9700, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="lsass.exe", lpUsedDefaultChar=0x0) returned 9 [0035.915] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="lsass.exe", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0035.915] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="lsass.exe", cchWideChar=9, lpMultiByteStr=0xae9700, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="lsass.exe", lpUsedDefaultChar=0x0) returned 9 [0035.915] Process32NextW (in: hSnapshot=0x144, lppe=0x151f8d4 | out: lppe=0x151f8d4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0035.915] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="lsm.exe", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0035.915] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="lsm.exe", cchWideChar=7, lpMultiByteStr=0xae96b8, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="lsm.exe", lpUsedDefaultChar=0x0) returned 7 [0035.915] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="lsm.exe", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0035.915] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="lsm.exe", cchWideChar=7, lpMultiByteStr=0xae96b8, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="lsm.exe", lpUsedDefaultChar=0x0) returned 7 [0035.915] Process32NextW (in: hSnapshot=0x144, lppe=0x151f8d4 | out: lppe=0x151f8d4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0035.916] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.916] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xae9670, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0035.916] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.916] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xae9670, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0035.916] Process32NextW (in: hSnapshot=0x144, lppe=0x151f8d4 | out: lppe=0x151f8d4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1d4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0035.916] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.917] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xae9628, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0035.917] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.917] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xae9628, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0035.917] Process32NextW (in: hSnapshot=0x144, lppe=0x151f8d4 | out: lppe=0x151f8d4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0035.917] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.917] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xae95e0, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0035.917] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.917] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xae95e0, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0035.917] Process32NextW (in: hSnapshot=0x144, lppe=0x151f8d4 | out: lppe=0x151f8d4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x310, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1d4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0035.918] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.918] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xae9598, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0035.918] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.918] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xae9598, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0035.918] Process32NextW (in: hSnapshot=0x144, lppe=0x151f8d4 | out: lppe=0x151f8d4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x350, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x25, th32ParentProcessID=0x1d4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0035.918] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.918] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xae9550, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0035.918] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.918] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xae9550, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0035.918] Process32NextW (in: hSnapshot=0x144, lppe=0x151f8d4 | out: lppe=0x151f8d4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0035.919] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="audiodg.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.919] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="audiodg.exe", cchWideChar=11, lpMultiByteStr=0xae9508, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="audiodg.exe", lpUsedDefaultChar=0x0) returned 11 [0035.919] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="audiodg.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.919] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="audiodg.exe", cchWideChar=11, lpMultiByteStr=0xae9508, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="audiodg.exe", lpUsedDefaultChar=0x0) returned 11 [0035.919] Process32NextW (in: hSnapshot=0x144, lppe=0x151f8d4 | out: lppe=0x151f8d4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0035.920] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.920] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xae94c0, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0035.920] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.920] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xae94c0, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0035.920] Process32NextW (in: hSnapshot=0x144, lppe=0x151f8d4 | out: lppe=0x151f8d4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x268, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0035.920] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.920] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xae9478, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0035.920] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.920] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xae9478, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0035.920] Process32NextW (in: hSnapshot=0x144, lppe=0x151f8d4 | out: lppe=0x151f8d4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x310, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0035.921] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="dwm.exe", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0035.921] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="dwm.exe", cchWideChar=7, lpMultiByteStr=0xae99d0, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dwm.exe", lpUsedDefaultChar=0x0) returned 7 [0035.921] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="dwm.exe", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0035.921] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="dwm.exe", cchWideChar=7, lpMultiByteStr=0xae99d0, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dwm.exe", lpUsedDefaultChar=0x0) returned 7 [0035.921] Process32NextW (in: hSnapshot=0x144, lppe=0x151f8d4 | out: lppe=0x151f8d4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x460, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x44c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0035.921] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="explorer.exe", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0035.921] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="explorer.exe", cchWideChar=12, lpMultiByteStr=0xae9430, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="explorer.exe", lpUsedDefaultChar=0x0) returned 12 [0035.921] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="explorer.exe", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0035.921] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="explorer.exe", cchWideChar=12, lpMultiByteStr=0xae9430, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="explorer.exe", lpUsedDefaultChar=0x0) returned 12 [0035.921] Process32NextW (in: hSnapshot=0x144, lppe=0x151f8d4 | out: lppe=0x151f8d4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d4, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0035.922] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="spoolsv.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.922] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="spoolsv.exe", cchWideChar=11, lpMultiByteStr=0xae9478, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="spoolsv.exe", lpUsedDefaultChar=0x0) returned 11 [0035.922] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="spoolsv.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.922] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="spoolsv.exe", cchWideChar=11, lpMultiByteStr=0xae9478, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="spoolsv.exe", lpUsedDefaultChar=0x0) returned 11 [0035.922] Process32NextW (in: hSnapshot=0x144, lppe=0x151f8d4 | out: lppe=0x151f8d4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d4, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0035.923] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="taskhost.exe", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0035.923] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="taskhost.exe", cchWideChar=12, lpMultiByteStr=0xae93e8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="taskhost.exe", lpUsedDefaultChar=0x0) returned 12 [0035.923] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="taskhost.exe", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0035.923] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="taskhost.exe", cchWideChar=12, lpMultiByteStr=0xae93e8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="taskhost.exe", lpUsedDefaultChar=0x0) returned 12 [0035.923] Process32NextW (in: hSnapshot=0x144, lppe=0x151f8d4 | out: lppe=0x151f8d4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1d4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0035.923] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.923] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xae93a0, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0035.923] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.923] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xae93a0, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0035.923] Process32NextW (in: hSnapshot=0x144, lppe=0x151f8d4 | out: lppe=0x151f8d4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x610, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x350, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0035.924] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="taskeng.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.924] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="taskeng.exe", cchWideChar=11, lpMultiByteStr=0xae9358, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="taskeng.exe", lpUsedDefaultChar=0x0) returned 11 [0035.924] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="taskeng.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.924] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="taskeng.exe", cchWideChar=11, lpMultiByteStr=0xae9358, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="taskeng.exe", lpUsedDefaultChar=0x0) returned 11 [0035.924] Process32NextW (in: hSnapshot=0x144, lppe=0x151f8d4 | out: lppe=0x151f8d4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x474, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1d4, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0035.924] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="taskhost.exe", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0035.924] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="taskhost.exe", cchWideChar=12, lpMultiByteStr=0xae9310, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="taskhost.exe", lpUsedDefaultChar=0x0) returned 12 [0035.924] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="taskhost.exe", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0035.924] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="taskhost.exe", cchWideChar=12, lpMultiByteStr=0xae9310, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="taskhost.exe", lpUsedDefaultChar=0x0) returned 12 [0035.925] Process32NextW (in: hSnapshot=0x144, lppe=0x151f8d4 | out: lppe=0x151f8d4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x738, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="connectionsdecade.exe")) returned 1 [0035.925] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="connectionsdecade.exe", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0035.925] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="connectionsdecade.exe", cchWideChar=21, lpMultiByteStr=0xae8e48, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="connectionsdecade.exe", lpUsedDefaultChar=0x0) returned 21 [0035.925] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="connectionsdecade.exe", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0035.925] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="connectionsdecade.exe", cchWideChar=21, lpMultiByteStr=0xae8e48, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="connectionsdecade.exe", lpUsedDefaultChar=0x0) returned 21 [0035.925] Process32NextW (in: hSnapshot=0x144, lppe=0x151f8d4 | out: lppe=0x151f8d4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x320, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="spectrum fs.exe")) returned 1 [0035.926] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="spectrum fs.exe", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0035.926] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="spectrum fs.exe", cchWideChar=15, lpMultiByteStr=0xae92c8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="spectrum fs.exe", lpUsedDefaultChar=0x0) returned 15 [0035.926] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="spectrum fs.exe", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0035.926] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="spectrum fs.exe", cchWideChar=15, lpMultiByteStr=0xae92c8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="spectrum fs.exe", lpUsedDefaultChar=0x0) returned 15 [0035.926] Process32NextW (in: hSnapshot=0x144, lppe=0x151f8d4 | out: lppe=0x151f8d4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="amounts_under.exe")) returned 1 [0035.926] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="amounts_under.exe", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0035.926] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="amounts_under.exe", cchWideChar=17, lpMultiByteStr=0xae9280, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="amounts_under.exe", lpUsedDefaultChar=0x0) returned 17 [0035.926] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="amounts_under.exe", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0035.926] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="amounts_under.exe", cchWideChar=17, lpMultiByteStr=0xae9280, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="amounts_under.exe", lpUsedDefaultChar=0x0) returned 17 [0035.926] Process32NextW (in: hSnapshot=0x144, lppe=0x151f8d4 | out: lppe=0x151f8d4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x37c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="emergency_limitation.exe")) returned 1 [0035.927] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="emergency_limitation.exe", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0035.927] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="emergency_limitation.exe", cchWideChar=24, lpMultiByteStr=0xae9238, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="emergency_limitation.exe", lpUsedDefaultChar=0x0) returned 24 [0035.927] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="emergency_limitation.exe", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0035.927] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="emergency_limitation.exe", cchWideChar=24, lpMultiByteStr=0xae9238, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="emergency_limitation.exe", lpUsedDefaultChar=0x0) returned 24 [0035.927] Process32NextW (in: hSnapshot=0x144, lppe=0x151f8d4 | out: lppe=0x151f8d4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x344, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="partnerships.exe")) returned 1 [0035.927] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="partnerships.exe", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0035.927] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="partnerships.exe", cchWideChar=16, lpMultiByteStr=0xae91f0, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="partnerships.exe", lpUsedDefaultChar=0x0) returned 16 [0035.927] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="partnerships.exe", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0035.928] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="partnerships.exe", cchWideChar=16, lpMultiByteStr=0xae91f0, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="partnerships.exe", lpUsedDefaultChar=0x0) returned 16 [0035.928] Process32NextW (in: hSnapshot=0x144, lppe=0x151f8d4 | out: lppe=0x151f8d4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="fit.exe")) returned 1 [0035.928] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="fit.exe", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0035.928] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="fit.exe", cchWideChar=7, lpMultiByteStr=0xae91a8, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="fit.exe", lpUsedDefaultChar=0x0) returned 7 [0035.928] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="fit.exe", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0035.928] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="fit.exe", cchWideChar=7, lpMultiByteStr=0xae91a8, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="fit.exe", lpUsedDefaultChar=0x0) returned 7 [0035.928] Process32NextW (in: hSnapshot=0x144, lppe=0x151f8d4 | out: lppe=0x151f8d4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x360, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="ob reid.exe")) returned 1 [0035.929] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ob reid.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.929] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ob reid.exe", cchWideChar=11, lpMultiByteStr=0xae9160, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ob reid.exe", lpUsedDefaultChar=0x0) returned 11 [0035.929] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ob reid.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.929] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ob reid.exe", cchWideChar=11, lpMultiByteStr=0xae9160, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ob reid.exe", lpUsedDefaultChar=0x0) returned 11 [0035.929] Process32NextW (in: hSnapshot=0x144, lppe=0x151f8d4 | out: lppe=0x151f8d4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x340, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="antonio_done_cultures.exe")) returned 1 [0035.929] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="antonio_done_cultures.exe", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0035.929] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="antonio_done_cultures.exe", cchWideChar=25, lpMultiByteStr=0xae9118, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="antonio_done_cultures.exe", lpUsedDefaultChar=0x0) returned 25 [0035.929] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="antonio_done_cultures.exe", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0035.929] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="antonio_done_cultures.exe", cchWideChar=25, lpMultiByteStr=0xae9118, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="antonio_done_cultures.exe", lpUsedDefaultChar=0x0) returned 25 [0035.929] Process32NextW (in: hSnapshot=0x144, lppe=0x151f8d4 | out: lppe=0x151f8d4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="norfolk_trance_directive.exe")) returned 1 [0035.930] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="norfolk_trance_directive.exe", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0035.930] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="norfolk_trance_directive.exe", cchWideChar=28, lpMultiByteStr=0xae90d0, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="norfolk_trance_directive.exe", lpUsedDefaultChar=0x0) returned 28 [0035.930] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="norfolk_trance_directive.exe", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0035.930] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="norfolk_trance_directive.exe", cchWideChar=28, lpMultiByteStr=0xae90d0, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="norfolk_trance_directive.exe", lpUsedDefaultChar=0x0) returned 28 [0035.930] Process32NextW (in: hSnapshot=0x144, lppe=0x151f8d4 | out: lppe=0x151f8d4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="cheese-further-reads.exe")) returned 1 [0035.930] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="cheese-further-reads.exe", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0035.931] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="cheese-further-reads.exe", cchWideChar=24, lpMultiByteStr=0xae9088, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="cheese-further-reads.exe", lpUsedDefaultChar=0x0) returned 24 [0035.931] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="cheese-further-reads.exe", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0035.931] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="cheese-further-reads.exe", cchWideChar=24, lpMultiByteStr=0xae9088, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="cheese-further-reads.exe", lpUsedDefaultChar=0x0) returned 24 [0035.931] Process32NextW (in: hSnapshot=0x144, lppe=0x151f8d4 | out: lppe=0x151f8d4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x708, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="walking.exe")) returned 1 [0035.931] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="walking.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.931] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="walking.exe", cchWideChar=11, lpMultiByteStr=0xae9040, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="walking.exe", lpUsedDefaultChar=0x0) returned 11 [0035.931] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="walking.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.931] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="walking.exe", cchWideChar=11, lpMultiByteStr=0xae9040, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="walking.exe", lpUsedDefaultChar=0x0) returned 11 [0035.931] Process32NextW (in: hSnapshot=0x144, lppe=0x151f8d4 | out: lppe=0x151f8d4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="happiness.exe")) returned 1 [0035.932] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="happiness.exe", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0035.932] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="happiness.exe", cchWideChar=13, lpMultiByteStr=0xae8ff8, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="happiness.exe", lpUsedDefaultChar=0x0) returned 13 [0035.932] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="happiness.exe", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0035.932] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="happiness.exe", cchWideChar=13, lpMultiByteStr=0xae8ff8, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="happiness.exe", lpUsedDefaultChar=0x0) returned 13 [0035.932] Process32NextW (in: hSnapshot=0x144, lppe=0x151f8d4 | out: lppe=0x151f8d4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="clubs_mobility_dive.exe")) returned 1 [0035.932] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="clubs_mobility_dive.exe", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0035.932] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="clubs_mobility_dive.exe", cchWideChar=23, lpMultiByteStr=0xae8fb0, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="clubs_mobility_dive.exe", lpUsedDefaultChar=0x0) returned 23 [0035.932] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="clubs_mobility_dive.exe", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0035.933] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="clubs_mobility_dive.exe", cchWideChar=23, lpMultiByteStr=0xae8fb0, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="clubs_mobility_dive.exe", lpUsedDefaultChar=0x0) returned 23 [0035.933] Process32NextW (in: hSnapshot=0x144, lppe=0x151f8d4 | out: lppe=0x151f8d4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="completing.exe")) returned 1 [0035.933] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="completing.exe", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0035.933] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="completing.exe", cchWideChar=14, lpMultiByteStr=0xae8f68, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="completing.exe", lpUsedDefaultChar=0x0) returned 14 [0035.933] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="completing.exe", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0035.933] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="completing.exe", cchWideChar=14, lpMultiByteStr=0xae8f68, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="completing.exe", lpUsedDefaultChar=0x0) returned 14 [0035.933] Process32NextW (in: hSnapshot=0x144, lppe=0x151f8d4 | out: lppe=0x151f8d4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x730, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="polished expressed.exe")) returned 1 [0035.934] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="polished expressed.exe", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0035.934] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="polished expressed.exe", cchWideChar=22, lpMultiByteStr=0xae8f20, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="polished expressed.exe", lpUsedDefaultChar=0x0) returned 22 [0035.934] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="polished expressed.exe", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0035.934] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="polished expressed.exe", cchWideChar=22, lpMultiByteStr=0xae8f20, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="polished expressed.exe", lpUsedDefaultChar=0x0) returned 22 [0035.934] Process32NextW (in: hSnapshot=0x144, lppe=0x151f8d4 | out: lppe=0x151f8d4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="need result.exe")) returned 1 [0035.935] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="need result.exe", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0035.935] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="need result.exe", cchWideChar=15, lpMultiByteStr=0xae8ed8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="need result.exe", lpUsedDefaultChar=0x0) returned 15 [0035.935] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="need result.exe", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0035.935] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="need result.exe", cchWideChar=15, lpMultiByteStr=0xae8ed8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="need result.exe", lpUsedDefaultChar=0x0) returned 15 [0035.935] Process32NextW (in: hSnapshot=0x144, lppe=0x151f8d4 | out: lppe=0x151f8d4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="spring.exe")) returned 1 [0035.936] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="spring.exe", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0035.936] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="spring.exe", cchWideChar=10, lpMultiByteStr=0xae8e90, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="spring.exe", lpUsedDefaultChar=0x0) returned 10 [0035.936] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="spring.exe", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0035.936] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="spring.exe", cchWideChar=10, lpMultiByteStr=0xae8e90, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="spring.exe", lpUsedDefaultChar=0x0) returned 10 [0035.936] Process32NextW (in: hSnapshot=0x144, lppe=0x151f8d4 | out: lppe=0x151f8d4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x648, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="marvel.exe")) returned 1 [0035.936] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="marvel.exe", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0035.936] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="marvel.exe", cchWideChar=10, lpMultiByteStr=0xae8e00, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="marvel.exe", lpUsedDefaultChar=0x0) returned 10 [0035.936] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="marvel.exe", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0035.937] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="marvel.exe", cchWideChar=10, lpMultiByteStr=0xae8e00, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="marvel.exe", lpUsedDefaultChar=0x0) returned 10 [0035.937] Process32NextW (in: hSnapshot=0x144, lppe=0x151f8d4 | out: lppe=0x151f8d4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x624, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="clicks plc.exe")) returned 1 [0035.937] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="clicks plc.exe", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0035.937] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="clicks plc.exe", cchWideChar=14, lpMultiByteStr=0xadca60, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="clicks plc.exe", lpUsedDefaultChar=0x0) returned 14 [0035.937] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="clicks plc.exe", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0035.937] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="clicks plc.exe", cchWideChar=14, lpMultiByteStr=0xadca60, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="clicks plc.exe", lpUsedDefaultChar=0x0) returned 14 [0035.937] Process32NextW (in: hSnapshot=0x144, lppe=0x151f8d4 | out: lppe=0x151f8d4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="inter-angle.exe")) returned 1 [0035.938] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="inter-angle.exe", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0035.938] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="inter-angle.exe", cchWideChar=15, lpMultiByteStr=0xadca60, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="inter-angle.exe", lpUsedDefaultChar=0x0) returned 15 [0035.938] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="inter-angle.exe", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0035.938] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="inter-angle.exe", cchWideChar=15, lpMultiByteStr=0xb35238, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="inter-angle.exe", lpUsedDefaultChar=0x0) returned 15 [0035.938] Process32NextW (in: hSnapshot=0x144, lppe=0x151f8d4 | out: lppe=0x151f8d4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x374, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="admit cellular.exe")) returned 1 [0035.938] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="admit cellular.exe", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0035.938] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="admit cellular.exe", cchWideChar=18, lpMultiByteStr=0xb35238, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="admit cellular.exe", lpUsedDefaultChar=0x0) returned 18 [0035.938] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="admit cellular.exe", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0035.938] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="admit cellular.exe", cchWideChar=18, lpMultiByteStr=0xb35280, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="admit cellular.exe", lpUsedDefaultChar=0x0) returned 18 [0035.938] Process32NextW (in: hSnapshot=0x144, lppe=0x151f8d4 | out: lppe=0x151f8d4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="contractor.exe")) returned 1 [0035.939] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="contractor.exe", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0035.939] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="contractor.exe", cchWideChar=14, lpMultiByteStr=0xb352c8, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="contractor.exe", lpUsedDefaultChar=0x0) returned 14 [0035.939] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="contractor.exe", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0035.939] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="contractor.exe", cchWideChar=14, lpMultiByteStr=0xb352c8, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="contractor.exe", lpUsedDefaultChar=0x0) returned 14 [0035.939] Process32NextW (in: hSnapshot=0x144, lppe=0x151f8d4 | out: lppe=0x151f8d4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="theta.exe")) returned 1 [0035.939] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="theta.exe", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0035.939] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="theta.exe", cchWideChar=9, lpMultiByteStr=0xb35310, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="theta.exe", lpUsedDefaultChar=0x0) returned 9 [0035.940] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="theta.exe", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0035.940] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="theta.exe", cchWideChar=9, lpMultiByteStr=0xb35310, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="theta.exe", lpUsedDefaultChar=0x0) returned 9 [0035.940] Process32NextW (in: hSnapshot=0x144, lppe=0x151f8d4 | out: lppe=0x151f8d4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x968, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x954, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0035.940] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="vssadmin.exe", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0035.940] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="vssadmin.exe", cchWideChar=12, lpMultiByteStr=0xb35358, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="vssadmin.exe", lpUsedDefaultChar=0x0) returned 12 [0035.940] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="vssadmin.exe", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0035.940] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="vssadmin.exe", cchWideChar=12, lpMultiByteStr=0xb35358, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="vssadmin.exe", lpUsedDefaultChar=0x0) returned 12 [0035.940] Process32NextW (in: hSnapshot=0x144, lppe=0x151f8d4 | out: lppe=0x151f8d4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x970, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0035.941] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="conhost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.941] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="conhost.exe", cchWideChar=11, lpMultiByteStr=0xb353a0, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="conhost.exe", lpUsedDefaultChar=0x0) returned 11 [0035.941] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="conhost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.941] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="conhost.exe", cchWideChar=11, lpMultiByteStr=0xb353a0, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="conhost.exe", lpUsedDefaultChar=0x0) returned 11 [0035.941] Process32NextW (in: hSnapshot=0x144, lppe=0x151f8d4 | out: lppe=0x151f8d4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x97c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d4, pcPriClassBase=8, dwFlags=0x0, szExeFile="OSE.EXE")) returned 1 [0035.941] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ose.exe", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0035.941] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ose.exe", cchWideChar=7, lpMultiByteStr=0xb353e8, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ose.exe", lpUsedDefaultChar=0x0) returned 7 [0035.941] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="OSE.EXE", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0035.941] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="OSE.EXE", cchWideChar=7, lpMultiByteStr=0xb353e8, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OSE.EXE", lpUsedDefaultChar=0x0) returned 7 [0035.942] Process32NextW (in: hSnapshot=0x144, lppe=0x151f8d4 | out: lppe=0x151f8d4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x1d4, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0035.942] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="vssvc.exe", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0035.942] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="vssvc.exe", cchWideChar=9, lpMultiByteStr=0xb35430, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="vssvc.exe", lpUsedDefaultChar=0x0) returned 9 [0035.942] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="VSSVC.exe", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0035.942] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="VSSVC.exe", cchWideChar=9, lpMultiByteStr=0xb35430, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VSSVC.exe", lpUsedDefaultChar=0x0) returned 9 [0035.942] Process32NextW (in: hSnapshot=0x144, lppe=0x151f8d4 | out: lppe=0x151f8d4*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x1d4, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 0 [0035.943] NtOpenProcess (in: ProcessHandle=0x151f83c, DesiredAccess=0x400, ObjectAttributes=0x151f848*(Length=0x18, RootDirectory=0x0, ObjectName=0x0, Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), ClientId=0x151f840*(UniqueProcess=0x4, UniqueThread=0x0) | out: ProcessHandle=0x151f83c*=0x0) returned 0xc0000022 [0035.943] NtOpenProcess (in: ProcessHandle=0x151f83c, DesiredAccess=0x1000, ObjectAttributes=0x151f848*(Length=0x18, RootDirectory=0x0, ObjectName=0x0, Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), ClientId=0x151f840*(UniqueProcess=0x4, UniqueThread=0x0) | out: ProcessHandle=0x151f83c*=0x148) returned 0x0 [0035.943] GetExitCodeProcess (in: hProcess=0x148, lpExitCode=0x151f864 | out: lpExitCode=0x151f864*=0x103) returned 1 [0035.943] FindFirstFileExW (in: lpFileName="C:\\Windows\\SysWOW64\\*.dll", fInfoLevelId=0x1, lpFindFileData=0x151f5d8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x151f5d8) returned 0x2a3f88 [0035.944] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AACLIENT.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0035.944] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AACLIENT.DLL", cchWideChar=12, lpMultiByteStr=0xb358b0, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AACLIENT.DLL", lpUsedDefaultChar=0x0) returned 12 [0035.944] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.945] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ACCESSIBILITYCPL.DLL", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0035.945] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ACCESSIBILITYCPL.DLL", cchWideChar=20, lpMultiByteStr=0xb358f8, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ACCESSIBILITYCPL.DLL", lpUsedDefaultChar=0x0) returned 20 [0035.945] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.945] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ACCTRES.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.945] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ACCTRES.DLL", cchWideChar=11, lpMultiByteStr=0xb358b0, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ACCTRES.DLL", lpUsedDefaultChar=0x0) returned 11 [0035.945] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.945] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ACLEDIT.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.945] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ACLEDIT.DLL", cchWideChar=11, lpMultiByteStr=0xb358f8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ACLEDIT.DLL", lpUsedDefaultChar=0x0) returned 11 [0035.945] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.945] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ACLUI.DLL", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0035.945] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ACLUI.DLL", cchWideChar=9, lpMultiByteStr=0xb358b0, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ACLUI.DLL", lpUsedDefaultChar=0x0) returned 9 [0035.945] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.945] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ACPPAGE.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.945] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ACPPAGE.DLL", cchWideChar=11, lpMultiByteStr=0xb358f8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ACPPAGE.DLL", lpUsedDefaultChar=0x0) returned 11 [0035.945] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.945] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ACTIONCENTER.DLL", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0035.945] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ACTIONCENTER.DLL", cchWideChar=16, lpMultiByteStr=0xb358b0, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ACTIONCENTER.DLL", lpUsedDefaultChar=0x0) returned 16 [0035.945] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.945] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ACTIONCENTERCPL.DLL", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0035.945] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ACTIONCENTERCPL.DLL", cchWideChar=19, lpMultiByteStr=0xb358f8, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ACTIONCENTERCPL.DLL", lpUsedDefaultChar=0x0) returned 19 [0035.945] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.945] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ACTIVEDS.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0035.946] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ACTIVEDS.DLL", cchWideChar=12, lpMultiByteStr=0xb358b0, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ACTIVEDS.DLL", lpUsedDefaultChar=0x0) returned 12 [0035.946] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.946] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ACTXPRXY.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0035.946] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ACTXPRXY.DLL", cchWideChar=12, lpMultiByteStr=0xb358f8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ACTXPRXY.DLL", lpUsedDefaultChar=0x0) returned 12 [0035.946] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.946] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ADMPARSE.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0035.946] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ADMPARSE.DLL", cchWideChar=12, lpMultiByteStr=0xb358b0, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ADMPARSE.DLL", lpUsedDefaultChar=0x0) returned 12 [0035.946] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.946] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ADMTMPL.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.946] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ADMTMPL.DLL", cchWideChar=11, lpMultiByteStr=0xb358f8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ADMTMPL.DLL", lpUsedDefaultChar=0x0) returned 11 [0035.946] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.946] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ADPROVIDER.DLL", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0035.946] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ADPROVIDER.DLL", cchWideChar=14, lpMultiByteStr=0xb358b0, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ADPROVIDER.DLL", lpUsedDefaultChar=0x0) returned 14 [0035.946] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.946] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ADSLDP.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0035.946] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ADSLDP.DLL", cchWideChar=10, lpMultiByteStr=0xb358f8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ADSLDP.DLL", lpUsedDefaultChar=0x0) returned 10 [0035.946] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.946] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ADSLDPC.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.946] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ADSLDPC.DLL", cchWideChar=11, lpMultiByteStr=0xb358b0, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ADSLDPC.DLL", lpUsedDefaultChar=0x0) returned 11 [0035.946] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.946] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ADSMSEXT.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0035.946] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ADSMSEXT.DLL", cchWideChar=12, lpMultiByteStr=0xb358f8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ADSMSEXT.DLL", lpUsedDefaultChar=0x0) returned 12 [0035.946] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.946] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ADSNT.DLL", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0035.946] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ADSNT.DLL", cchWideChar=9, lpMultiByteStr=0xb358b0, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ADSNT.DLL", lpUsedDefaultChar=0x0) returned 9 [0035.946] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.947] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ADTSCHEMA.DLL", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0035.947] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ADTSCHEMA.DLL", cchWideChar=13, lpMultiByteStr=0xb358f8, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ADTSCHEMA.DLL", lpUsedDefaultChar=0x0) returned 13 [0035.947] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.947] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ADVAPI32.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0035.947] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ADVAPI32.DLL", cchWideChar=12, lpMultiByteStr=0xb358b0, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ADVAPI32.DLL", lpUsedDefaultChar=0x0) returned 12 [0035.947] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.947] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ADVPACK.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.947] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ADVPACK.DLL", cchWideChar=11, lpMultiByteStr=0xb358f8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ADVPACK.DLL", lpUsedDefaultChar=0x0) returned 11 [0035.947] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.947] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AECACHE.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.947] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AECACHE.DLL", cchWideChar=11, lpMultiByteStr=0xb358b0, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AECACHE.DLL", lpUsedDefaultChar=0x0) returned 11 [0035.947] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.947] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AEEVTS.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0035.947] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AEEVTS.DLL", cchWideChar=10, lpMultiByteStr=0xb358f8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AEEVTS.DLL", lpUsedDefaultChar=0x0) returned 10 [0035.947] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.947] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ALTTAB.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0035.947] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ALTTAB.DLL", cchWideChar=10, lpMultiByteStr=0xb358b0, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ALTTAB.DLL", lpUsedDefaultChar=0x0) returned 10 [0035.947] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.947] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AMSTREAM.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0035.947] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AMSTREAM.DLL", cchWideChar=12, lpMultiByteStr=0xb358f8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AMSTREAM.DLL", lpUsedDefaultChar=0x0) returned 12 [0035.947] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.947] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AMXREAD.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.947] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AMXREAD.DLL", cchWideChar=11, lpMultiByteStr=0xb358b0, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AMXREAD.DLL", lpUsedDefaultChar=0x0) returned 11 [0035.947] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.947] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="APDS.DLL", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0035.948] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="APDS.DLL", cchWideChar=8, lpMultiByteStr=0xb358f8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="APDS.DLL", lpUsedDefaultChar=0x0) returned 8 [0035.948] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.948] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-CONSOLE-L1-1-0.DLL", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0035.948] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-CONSOLE-L1-1-0.DLL", cchWideChar=34, lpMultiByteStr=0xb358b0, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-CONSOLE-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 34 [0035.948] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.948] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-DATETIME-L1-1-0.DLL", cchWideChar=35, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 35 [0035.948] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-DATETIME-L1-1-0.DLL", cchWideChar=35, lpMultiByteStr=0xb358f8, cbMultiByte=35, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-DATETIME-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 35 [0035.948] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.948] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-DEBUG-L1-1-0.DLL", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0035.948] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-DEBUG-L1-1-0.DLL", cchWideChar=32, lpMultiByteStr=0xb358b0, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-DEBUG-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 32 [0035.948] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.948] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-DELAYLOAD-L1-1-0.DLL", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0035.948] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-DELAYLOAD-L1-1-0.DLL", cchWideChar=36, lpMultiByteStr=0xb358f8, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-DELAYLOAD-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 36 [0035.948] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.948] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-ERRORHANDLING-L1-1-0.DLL", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0035.948] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-ERRORHANDLING-L1-1-0.DLL", cchWideChar=40, lpMultiByteStr=0xb358b0, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-ERRORHANDLING-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 40 [0035.948] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.948] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-FIBERS-L1-1-0.DLL", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0035.948] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-FIBERS-L1-1-0.DLL", cchWideChar=33, lpMultiByteStr=0xb358f8, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-FIBERS-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 33 [0035.948] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.948] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-FILE-L1-1-0.DLL", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0035.948] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-FILE-L1-1-0.DLL", cchWideChar=31, lpMultiByteStr=0xb358b0, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-FILE-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 31 [0035.948] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.948] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-FILE-L1-2-0.DLL", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0035.948] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-FILE-L1-2-0.DLL", cchWideChar=31, lpMultiByteStr=0xb358f8, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-FILE-L1-2-0.DLL", lpUsedDefaultChar=0x0) returned 31 [0035.949] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.949] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-FILE-L2-1-0.DLL", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0035.949] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-FILE-L2-1-0.DLL", cchWideChar=31, lpMultiByteStr=0xb358b0, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-FILE-L2-1-0.DLL", lpUsedDefaultChar=0x0) returned 31 [0035.949] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.949] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-HANDLE-L1-1-0.DLL", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0035.949] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-HANDLE-L1-1-0.DLL", cchWideChar=33, lpMultiByteStr=0xb358f8, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-HANDLE-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 33 [0035.949] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.949] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-HEAP-L1-1-0.DLL", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0035.949] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-HEAP-L1-1-0.DLL", cchWideChar=31, lpMultiByteStr=0xb358b0, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-HEAP-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 31 [0035.949] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.949] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-INTERLOCKED-L1-1-0.DLL", cchWideChar=38, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 38 [0035.949] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-INTERLOCKED-L1-1-0.DLL", cchWideChar=38, lpMultiByteStr=0xb358f8, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-INTERLOCKED-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 38 [0035.949] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.949] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-IO-L1-1-0.DLL", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0035.949] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-IO-L1-1-0.DLL", cchWideChar=29, lpMultiByteStr=0xb358b0, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-IO-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 29 [0035.949] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.949] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0.DLL", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0035.949] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0.DLL", cchWideChar=40, lpMultiByteStr=0xb358f8, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-LIBRARYLOADER-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 40 [0035.949] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.949] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-LOCALIZATION-L1-1-0.DLL", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0035.949] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-LOCALIZATION-L1-1-0.DLL", cchWideChar=39, lpMultiByteStr=0xb358b0, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-LOCALIZATION-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 39 [0035.949] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.949] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-LOCALIZATION-L1-2-0.DLL", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0035.949] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-LOCALIZATION-L1-2-0.DLL", cchWideChar=39, lpMultiByteStr=0xb358f8, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-LOCALIZATION-L1-2-0.DLL", lpUsedDefaultChar=0x0) returned 39 [0035.949] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.950] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-LOCALREGISTRY-L1-1-0.DLL", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0035.950] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-LOCALREGISTRY-L1-1-0.DLL", cchWideChar=40, lpMultiByteStr=0xb358b0, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-LOCALREGISTRY-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 40 [0035.950] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.950] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-MEMORY-L1-1-0.DLL", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0035.950] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-MEMORY-L1-1-0.DLL", cchWideChar=33, lpMultiByteStr=0xb358f8, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-MEMORY-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 33 [0035.950] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.950] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-MISC-L1-1-0.DLL", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0035.950] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-MISC-L1-1-0.DLL", cchWideChar=31, lpMultiByteStr=0xb358b0, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-MISC-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 31 [0035.950] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.950] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-NAMEDPIPE-L1-1-0.DLL", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0035.950] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-NAMEDPIPE-L1-1-0.DLL", cchWideChar=36, lpMultiByteStr=0xb358f8, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-NAMEDPIPE-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 36 [0035.950] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.950] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0.DLL", cchWideChar=45, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 45 [0035.950] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0.DLL", cchWideChar=45, lpMultiByteStr=0xb358b0, cbMultiByte=45, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-PROCESSENVIRONMENT-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 45 [0035.950] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.950] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0.DLL", cchWideChar=41, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 41 [0035.950] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0.DLL", cchWideChar=41, lpMultiByteStr=0xb358f8, cbMultiByte=41, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-PROCESSTHREADS-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 41 [0035.950] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.950] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-PROCESSTHREADS-L1-1-1.DLL", cchWideChar=41, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 41 [0035.950] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-PROCESSTHREADS-L1-1-1.DLL", cchWideChar=41, lpMultiByteStr=0xb358b0, cbMultiByte=41, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-PROCESSTHREADS-L1-1-1.DLL", lpUsedDefaultChar=0x0) returned 41 [0035.950] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.951] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-PROFILE-L1-1-0.DLL", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0035.951] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-PROFILE-L1-1-0.DLL", cchWideChar=34, lpMultiByteStr=0xb358f8, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-PROFILE-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 34 [0035.951] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.951] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-RTLSUPPORT-L1-1-0.DLL", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0035.951] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-RTLSUPPORT-L1-1-0.DLL", cchWideChar=37, lpMultiByteStr=0xb358b0, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-RTLSUPPORT-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 37 [0035.951] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.951] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-STRING-L1-1-0.DLL", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0035.951] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-STRING-L1-1-0.DLL", cchWideChar=33, lpMultiByteStr=0xb358f8, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-STRING-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 33 [0035.951] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.951] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-SYNCH-L1-1-0.DLL", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0035.951] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-SYNCH-L1-1-0.DLL", cchWideChar=32, lpMultiByteStr=0xb358b0, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-SYNCH-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 32 [0035.951] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.951] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-SYNCH-L1-2-0.DLL", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0035.951] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-SYNCH-L1-2-0.DLL", cchWideChar=32, lpMultiByteStr=0xb358f8, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-SYNCH-L1-2-0.DLL", lpUsedDefaultChar=0x0) returned 32 [0035.951] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.951] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-SYSINFO-L1-1-0.DLL", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0035.951] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-SYSINFO-L1-1-0.DLL", cchWideChar=34, lpMultiByteStr=0xb358b0, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-SYSINFO-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 34 [0035.951] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.951] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-THREADPOOL-L1-1-0.DLL", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0035.951] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-THREADPOOL-L1-1-0.DLL", cchWideChar=37, lpMultiByteStr=0xb358f8, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-THREADPOOL-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 37 [0035.951] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.951] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-TIMEZONE-L1-1-0.DLL", cchWideChar=35, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 35 [0035.951] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-TIMEZONE-L1-1-0.DLL", cchWideChar=35, lpMultiByteStr=0xb358b0, cbMultiByte=35, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-TIMEZONE-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 35 [0035.951] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.951] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-UTIL-L1-1-0.DLL", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0035.951] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-UTIL-L1-1-0.DLL", cchWideChar=31, lpMultiByteStr=0xb358f8, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-UTIL-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 31 [0035.951] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.951] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-XSTATE-L1-1-0.DLL", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0035.952] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-XSTATE-L1-1-0.DLL", cchWideChar=33, lpMultiByteStr=0xb358b0, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-XSTATE-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 33 [0035.952] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.952] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-XSTATE-L2-1-0.DLL", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0035.952] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CORE-XSTATE-L2-1-0.DLL", cchWideChar=33, lpMultiByteStr=0xb358f8, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CORE-XSTATE-L2-1-0.DLL", lpUsedDefaultChar=0x0) returned 33 [0035.952] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.952] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-CONIO-L1-1-0.DLL", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0035.952] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-CONIO-L1-1-0.DLL", cchWideChar=31, lpMultiByteStr=0xb358b0, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CRT-CONIO-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 31 [0035.952] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.952] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-CONVERT-L1-1-0.DLL", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0035.952] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-CONVERT-L1-1-0.DLL", cchWideChar=33, lpMultiByteStr=0xb358f8, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CRT-CONVERT-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 33 [0035.952] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.952] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-ENVIRONMENT-L1-1-0.DLL", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0035.952] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-ENVIRONMENT-L1-1-0.DLL", cchWideChar=37, lpMultiByteStr=0xb358b0, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CRT-ENVIRONMENT-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 37 [0035.952] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.952] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-FILESYSTEM-L1-1-0.DLL", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0035.952] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-FILESYSTEM-L1-1-0.DLL", cchWideChar=36, lpMultiByteStr=0xb358f8, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CRT-FILESYSTEM-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 36 [0035.952] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.952] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-HEAP-L1-1-0.DLL", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0035.952] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-HEAP-L1-1-0.DLL", cchWideChar=30, lpMultiByteStr=0xb358b0, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CRT-HEAP-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 30 [0035.952] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.952] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-LOCALE-L1-1-0.DLL", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0035.952] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-LOCALE-L1-1-0.DLL", cchWideChar=32, lpMultiByteStr=0xb358f8, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CRT-LOCALE-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 32 [0035.953] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.953] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-MATH-L1-1-0.DLL", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0035.953] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-MATH-L1-1-0.DLL", cchWideChar=30, lpMultiByteStr=0xb358b0, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CRT-MATH-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 30 [0035.953] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.953] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-MULTIBYTE-L1-1-0.DLL", cchWideChar=35, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 35 [0035.953] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-MULTIBYTE-L1-1-0.DLL", cchWideChar=35, lpMultiByteStr=0xb358f8, cbMultiByte=35, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CRT-MULTIBYTE-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 35 [0035.953] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.953] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-PRIVATE-L1-1-0.DLL", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0035.953] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-PRIVATE-L1-1-0.DLL", cchWideChar=33, lpMultiByteStr=0xb358b0, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CRT-PRIVATE-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 33 [0035.953] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.953] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-PROCESS-L1-1-0.DLL", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0035.953] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-PROCESS-L1-1-0.DLL", cchWideChar=33, lpMultiByteStr=0xb358f8, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CRT-PROCESS-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 33 [0035.953] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.953] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-RUNTIME-L1-1-0.DLL", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0035.953] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-RUNTIME-L1-1-0.DLL", cchWideChar=33, lpMultiByteStr=0xb358b0, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CRT-RUNTIME-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 33 [0035.953] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.953] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-STDIO-L1-1-0.DLL", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0035.953] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-STDIO-L1-1-0.DLL", cchWideChar=31, lpMultiByteStr=0xb358f8, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CRT-STDIO-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 31 [0035.953] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.953] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-STRING-L1-1-0.DLL", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0035.953] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-STRING-L1-1-0.DLL", cchWideChar=32, lpMultiByteStr=0xb358b0, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CRT-STRING-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 32 [0035.953] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.953] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-TIME-L1-1-0.DLL", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0035.953] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-TIME-L1-1-0.DLL", cchWideChar=30, lpMultiByteStr=0xb358f8, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CRT-TIME-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 30 [0035.953] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.953] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-UTILITY-L1-1-0.DLL", cchWideChar=33, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 33 [0035.953] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-CRT-UTILITY-L1-1-0.DLL", cchWideChar=33, lpMultiByteStr=0xb358b0, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-CRT-UTILITY-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 33 [0035.953] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.953] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-EVENTING-PROVIDER-L1-1-0.DLL", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0035.953] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-EVENTING-PROVIDER-L1-1-0.DLL", cchWideChar=39, lpMultiByteStr=0xb358f8, cbMultiByte=39, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-EVENTING-PROVIDER-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 39 [0035.954] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.954] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-SECURITY-BASE-L1-1-0.DLL", cchWideChar=35, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 35 [0035.954] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-SECURITY-BASE-L1-1-0.DLL", cchWideChar=35, lpMultiByteStr=0xb358b0, cbMultiByte=35, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-SECURITY-BASE-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 35 [0035.954] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.954] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-SECURITY-LSALOOKUP-L1-1-0.DLL", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0035.954] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-SECURITY-LSALOOKUP-L1-1-0.DLL", cchWideChar=40, lpMultiByteStr=0xb358f8, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-SECURITY-LSALOOKUP-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 40 [0035.954] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.954] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-SECURITY-SDDL-L1-1-0.DLL", cchWideChar=35, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 35 [0035.954] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-SECURITY-SDDL-L1-1-0.DLL", cchWideChar=35, lpMultiByteStr=0xb358b0, cbMultiByte=35, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-SECURITY-SDDL-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 35 [0035.954] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.954] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-SERVICE-CORE-L1-1-0.DLL", cchWideChar=34, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 34 [0035.954] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-SERVICE-CORE-L1-1-0.DLL", cchWideChar=34, lpMultiByteStr=0xb358f8, cbMultiByte=34, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-SERVICE-CORE-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 34 [0035.954] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.954] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-SERVICE-MANAGEMENT-L1-1-0.DLL", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0035.954] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-SERVICE-MANAGEMENT-L1-1-0.DLL", cchWideChar=40, lpMultiByteStr=0xb358b0, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-SERVICE-MANAGEMENT-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 40 [0035.954] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.954] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-SERVICE-MANAGEMENT-L2-1-0.DLL", cchWideChar=40, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 40 [0035.954] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-SERVICE-MANAGEMENT-L2-1-0.DLL", cchWideChar=40, lpMultiByteStr=0xb358f8, cbMultiByte=40, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-SERVICE-MANAGEMENT-L2-1-0.DLL", lpUsedDefaultChar=0x0) returned 40 [0035.954] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.954] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-SERVICE-WINSVC-L1-1-0.DLL", cchWideChar=36, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 36 [0035.954] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="API-MS-WIN-SERVICE-WINSVC-L1-1-0.DLL", cchWideChar=36, lpMultiByteStr=0xb358b0, cbMultiByte=36, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="API-MS-WIN-SERVICE-WINSVC-L1-1-0.DLL", lpUsedDefaultChar=0x0) returned 36 [0035.954] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.954] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="APILOGEN.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0035.954] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="APILOGEN.DLL", cchWideChar=12, lpMultiByteStr=0xb358f8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="APILOGEN.DLL", lpUsedDefaultChar=0x0) returned 12 [0035.954] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.954] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="APIRCL.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0035.954] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="APIRCL.DLL", cchWideChar=10, lpMultiByteStr=0xb358b0, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="APIRCL.DLL", lpUsedDefaultChar=0x0) returned 10 [0035.954] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.954] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="APISETSCHEMA.DLL", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0035.954] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="APISETSCHEMA.DLL", cchWideChar=16, lpMultiByteStr=0xb358f8, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="APISETSCHEMA.DLL", lpUsedDefaultChar=0x0) returned 16 [0035.955] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.955] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="APPHELP.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.955] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="APPHELP.DLL", cchWideChar=11, lpMultiByteStr=0xb358b0, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="APPHELP.DLL", lpUsedDefaultChar=0x0) returned 11 [0035.955] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.955] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="APPHLPDM.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0035.955] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="APPHLPDM.DLL", cchWideChar=12, lpMultiByteStr=0xb358f8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="APPHLPDM.DLL", lpUsedDefaultChar=0x0) returned 12 [0035.955] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.955] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="APPIDAPI.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0035.955] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="APPIDAPI.DLL", cchWideChar=12, lpMultiByteStr=0xb358b0, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="APPIDAPI.DLL", lpUsedDefaultChar=0x0) returned 12 [0035.955] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.955] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="APPIDPOLICYENGINEAPI.DLL", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0035.955] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="APPIDPOLICYENGINEAPI.DLL", cchWideChar=24, lpMultiByteStr=0xb358f8, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="APPIDPOLICYENGINEAPI.DLL", lpUsedDefaultChar=0x0) returned 24 [0035.955] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.955] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="APPMGMTS.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0035.955] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="APPMGMTS.DLL", cchWideChar=12, lpMultiByteStr=0xb358b0, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="APPMGMTS.DLL", lpUsedDefaultChar=0x0) returned 12 [0035.955] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.955] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="APPMGR.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0035.955] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="APPMGR.DLL", cchWideChar=10, lpMultiByteStr=0xb358f8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="APPMGR.DLL", lpUsedDefaultChar=0x0) returned 10 [0035.955] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.955] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="APSS.DLL", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0035.955] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="APSS.DLL", cchWideChar=8, lpMultiByteStr=0xb358b0, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="APSS.DLL", lpUsedDefaultChar=0x0) returned 8 [0035.955] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.955] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ASFERROR.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0035.955] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ASFERROR.DLL", cchWideChar=12, lpMultiByteStr=0xb358f8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ASFERROR.DLL", lpUsedDefaultChar=0x0) returned 12 [0035.955] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.955] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ASPNET_COUNTERS.DLL", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0035.955] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ASPNET_COUNTERS.DLL", cchWideChar=19, lpMultiByteStr=0xb358b0, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ASPNET_COUNTERS.DLL", lpUsedDefaultChar=0x0) returned 19 [0035.955] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.955] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ASYCFILT.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0035.955] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ASYCFILT.DLL", cchWideChar=12, lpMultiByteStr=0xb358f8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ASYCFILT.DLL", lpUsedDefaultChar=0x0) returned 12 [0035.956] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.956] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ATL.DLL", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0035.956] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ATL.DLL", cchWideChar=7, lpMultiByteStr=0xb358b0, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ATL.DLL", lpUsedDefaultChar=0x0) returned 7 [0035.956] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.956] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ATL100.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0035.956] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ATL100.DLL", cchWideChar=10, lpMultiByteStr=0xb358f8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ATL100.DLL", lpUsedDefaultChar=0x0) returned 10 [0035.956] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.956] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ATL110.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0035.956] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ATL110.DLL", cchWideChar=10, lpMultiByteStr=0xb358b0, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ATL110.DLL", lpUsedDefaultChar=0x0) returned 10 [0035.956] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.956] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ATMFD.DLL", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0035.956] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ATMFD.DLL", cchWideChar=9, lpMultiByteStr=0xb358f8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ATMFD.DLL", lpUsedDefaultChar=0x0) returned 9 [0035.956] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.956] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ATMLIB.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0035.956] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ATMLIB.DLL", cchWideChar=10, lpMultiByteStr=0xb358b0, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ATMLIB.DLL", lpUsedDefaultChar=0x0) returned 10 [0035.956] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.956] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUDIODEV.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0035.956] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUDIODEV.DLL", cchWideChar=12, lpMultiByteStr=0xb358f8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AUDIODEV.DLL", lpUsedDefaultChar=0x0) returned 12 [0035.956] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.956] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUDIOENG.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0035.956] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUDIOENG.DLL", cchWideChar=12, lpMultiByteStr=0xb358b0, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AUDIOENG.DLL", lpUsedDefaultChar=0x0) returned 12 [0035.956] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.956] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUDIOKSE.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0035.956] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUDIOKSE.DLL", cchWideChar=12, lpMultiByteStr=0xb358f8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AUDIOKSE.DLL", lpUsedDefaultChar=0x0) returned 12 [0035.956] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.956] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUDIOSES.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0035.956] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUDIOSES.DLL", cchWideChar=12, lpMultiByteStr=0xb358b0, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AUDIOSES.DLL", lpUsedDefaultChar=0x0) returned 12 [0035.956] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.956] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUDITNATIVESNAPIN.DLL", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0035.956] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUDITNATIVESNAPIN.DLL", cchWideChar=21, lpMultiByteStr=0xb358f8, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AUDITNATIVESNAPIN.DLL", lpUsedDefaultChar=0x0) returned 21 [0035.957] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.957] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUDITPOLICYGPINTEROP.DLL", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0035.957] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUDITPOLICYGPINTEROP.DLL", cchWideChar=24, lpMultiByteStr=0xb358b0, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AUDITPOLICYGPINTEROP.DLL", lpUsedDefaultChar=0x0) returned 24 [0035.957] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.957] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUDITPOLMSG.DLL", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0035.957] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUDITPOLMSG.DLL", cchWideChar=15, lpMultiByteStr=0xb358f8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AUDITPOLMSG.DLL", lpUsedDefaultChar=0x0) returned 15 [0035.957] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.957] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUTHFWCFG.DLL", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0035.957] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUTHFWCFG.DLL", cchWideChar=13, lpMultiByteStr=0xb358b0, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AUTHFWCFG.DLL", lpUsedDefaultChar=0x0) returned 13 [0035.957] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.957] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUTHFWGP.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0035.957] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUTHFWGP.DLL", cchWideChar=12, lpMultiByteStr=0xb358f8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AUTHFWGP.DLL", lpUsedDefaultChar=0x0) returned 12 [0035.957] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.957] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUTHFWSNAPIN.DLL", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0035.957] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUTHFWSNAPIN.DLL", cchWideChar=16, lpMultiByteStr=0xb358b0, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AUTHFWSNAPIN.DLL", lpUsedDefaultChar=0x0) returned 16 [0035.957] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.957] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUTHFWWIZFWK.DLL", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0035.957] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUTHFWWIZFWK.DLL", cchWideChar=16, lpMultiByteStr=0xb358f8, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AUTHFWWIZFWK.DLL", lpUsedDefaultChar=0x0) returned 16 [0035.957] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.957] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUTHUI.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0035.957] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUTHUI.DLL", cchWideChar=10, lpMultiByteStr=0xb358b0, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AUTHUI.DLL", lpUsedDefaultChar=0x0) returned 10 [0035.957] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.957] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUTHZ.DLL", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0035.957] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUTHZ.DLL", cchWideChar=9, lpMultiByteStr=0xb358f8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AUTHZ.DLL", lpUsedDefaultChar=0x0) returned 9 [0035.957] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.957] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUTOPLAY.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0035.957] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUTOPLAY.DLL", cchWideChar=12, lpMultiByteStr=0xb358b0, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AUTOPLAY.DLL", lpUsedDefaultChar=0x0) returned 12 [0035.957] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.957] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUXILIARYDISPLAYAPI.DLL", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0035.957] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUXILIARYDISPLAYAPI.DLL", cchWideChar=23, lpMultiByteStr=0xb358f8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AUXILIARYDISPLAYAPI.DLL", lpUsedDefaultChar=0x0) returned 23 [0035.958] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.958] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUXILIARYDISPLAYCPL.DLL", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0035.958] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AUXILIARYDISPLAYCPL.DLL", cchWideChar=23, lpMultiByteStr=0xb358b0, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AUXILIARYDISPLAYCPL.DLL", lpUsedDefaultChar=0x0) returned 23 [0035.958] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.958] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AVICAP32.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0035.958] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AVICAP32.DLL", cchWideChar=12, lpMultiByteStr=0xb358f8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AVICAP32.DLL", lpUsedDefaultChar=0x0) returned 12 [0035.958] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.958] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AVIFIL32.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0035.958] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AVIFIL32.DLL", cchWideChar=12, lpMultiByteStr=0xb358b0, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AVIFIL32.DLL", lpUsedDefaultChar=0x0) returned 12 [0035.958] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.958] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AVRT.DLL", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0035.958] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AVRT.DLL", cchWideChar=8, lpMultiByteStr=0xb358f8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AVRT.DLL", lpUsedDefaultChar=0x0) returned 8 [0035.958] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.958] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AZROLES.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.958] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AZROLES.DLL", cchWideChar=11, lpMultiByteStr=0xb358b0, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AZROLES.DLL", lpUsedDefaultChar=0x0) returned 11 [0035.958] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.958] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AZROLEUI.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0035.958] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AZROLEUI.DLL", cchWideChar=12, lpMultiByteStr=0xb358f8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AZROLEUI.DLL", lpUsedDefaultChar=0x0) returned 12 [0035.958] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.958] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AZSQLEXT.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0035.958] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AZSQLEXT.DLL", cchWideChar=12, lpMultiByteStr=0xb358b0, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AZSQLEXT.DLL", lpUsedDefaultChar=0x0) returned 12 [0035.958] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.958] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BASECSP.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.958] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BASECSP.DLL", cchWideChar=11, lpMultiByteStr=0xb358f8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BASECSP.DLL", lpUsedDefaultChar=0x0) returned 11 [0035.958] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.958] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BATMETER.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0035.958] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BATMETER.DLL", cchWideChar=12, lpMultiByteStr=0xb358b0, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BATMETER.DLL", lpUsedDefaultChar=0x0) returned 12 [0035.958] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.958] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BCRYPT.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0035.958] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BCRYPT.DLL", cchWideChar=10, lpMultiByteStr=0xb358f8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BCRYPT.DLL", lpUsedDefaultChar=0x0) returned 10 [0035.959] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.959] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BCRYPTPRIMITIVES.DLL", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0035.959] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BCRYPTPRIMITIVES.DLL", cchWideChar=20, lpMultiByteStr=0xb358b0, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BCRYPTPRIMITIVES.DLL", lpUsedDefaultChar=0x0) returned 20 [0035.959] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.959] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BIDISPL.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.959] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BIDISPL.DLL", cchWideChar=11, lpMultiByteStr=0xb358f8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BIDISPL.DLL", lpUsedDefaultChar=0x0) returned 11 [0035.959] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.959] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BIOCREDPROV.DLL", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0035.959] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BIOCREDPROV.DLL", cchWideChar=15, lpMultiByteStr=0xb358b0, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BIOCREDPROV.DLL", lpUsedDefaultChar=0x0) returned 15 [0035.959] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.959] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BITSPERF.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0035.959] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BITSPERF.DLL", cchWideChar=12, lpMultiByteStr=0xb358f8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BITSPERF.DLL", lpUsedDefaultChar=0x0) returned 12 [0035.959] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.959] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BITSPRX2.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0035.959] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BITSPRX2.DLL", cchWideChar=12, lpMultiByteStr=0xb358b0, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BITSPRX2.DLL", lpUsedDefaultChar=0x0) returned 12 [0035.959] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.959] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BITSPRX3.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0035.959] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BITSPRX3.DLL", cchWideChar=12, lpMultiByteStr=0xb358f8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BITSPRX3.DLL", lpUsedDefaultChar=0x0) returned 12 [0035.959] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.959] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BITSPRX4.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0035.959] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BITSPRX4.DLL", cchWideChar=12, lpMultiByteStr=0xb358b0, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BITSPRX4.DLL", lpUsedDefaultChar=0x0) returned 12 [0035.959] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.959] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BITSPRX5.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0035.959] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BITSPRX5.DLL", cchWideChar=12, lpMultiByteStr=0xb358f8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BITSPRX5.DLL", lpUsedDefaultChar=0x0) returned 12 [0035.959] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.959] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BITSPRX6.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0035.959] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BITSPRX6.DLL", cchWideChar=12, lpMultiByteStr=0xb358b0, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BITSPRX6.DLL", lpUsedDefaultChar=0x0) returned 12 [0035.959] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.959] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BLACKBOX.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0035.959] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BLACKBOX.DLL", cchWideChar=12, lpMultiByteStr=0xb358f8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BLACKBOX.DLL", lpUsedDefaultChar=0x0) returned 12 [0035.959] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.960] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BOOTVID.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.960] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BOOTVID.DLL", cchWideChar=11, lpMultiByteStr=0xb358b0, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BOOTVID.DLL", lpUsedDefaultChar=0x0) returned 11 [0035.960] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.960] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BROWCLI.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.960] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BROWCLI.DLL", cchWideChar=11, lpMultiByteStr=0xb358f8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BROWCLI.DLL", lpUsedDefaultChar=0x0) returned 11 [0035.960] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.960] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BROWSEUI.DLL", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0035.960] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BROWSEUI.DLL", cchWideChar=12, lpMultiByteStr=0xb358b0, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BROWSEUI.DLL", lpUsedDefaultChar=0x0) returned 12 [0035.960] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.960] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BTPANUI.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.960] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BTPANUI.DLL", cchWideChar=11, lpMultiByteStr=0xb358f8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BTPANUI.DLL", lpUsedDefaultChar=0x0) returned 11 [0035.960] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.960] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BWCONTEXTHANDLER.DLL", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0035.960] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BWCONTEXTHANDLER.DLL", cchWideChar=20, lpMultiByteStr=0xb358b0, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BWCONTEXTHANDLER.DLL", lpUsedDefaultChar=0x0) returned 20 [0035.960] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.960] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BWUNPAIRELEVATED.DLL", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0035.960] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BWUNPAIRELEVATED.DLL", cchWideChar=20, lpMultiByteStr=0xb358f8, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BWUNPAIRELEVATED.DLL", lpUsedDefaultChar=0x0) returned 20 [0035.960] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.960] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CABINET.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.960] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CABINET.DLL", cchWideChar=11, lpMultiByteStr=0xb358b0, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CABINET.DLL", lpUsedDefaultChar=0x0) returned 11 [0035.960] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.960] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CABVIEW.DLL", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.960] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CABVIEW.DLL", cchWideChar=11, lpMultiByteStr=0xb358f8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CABVIEW.DLL", lpUsedDefaultChar=0x0) returned 11 [0035.960] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.960] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CAPIPROVIDER.DLL", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0035.960] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CAPIPROVIDER.DLL", cchWideChar=16, lpMultiByteStr=0xb358b0, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CAPIPROVIDER.DLL", lpUsedDefaultChar=0x0) returned 16 [0035.960] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.960] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CAPISP.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0035.960] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CAPISP.DLL", cchWideChar=10, lpMultiByteStr=0xb358f8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CAPISP.DLL", lpUsedDefaultChar=0x0) returned 10 [0035.960] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.961] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CATSRV.DLL", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0035.961] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CATSRV.DLL", cchWideChar=10, lpMultiByteStr=0xb358b0, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CATSRV.DLL", lpUsedDefaultChar=0x0) returned 10 [0035.961] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.961] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.961] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.961] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.961] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.961] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.961] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.961] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.961] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.961] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.961] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.961] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.961] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.961] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.961] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.961] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.961] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.961] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.961] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.961] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.961] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.961] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.961] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.961] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.961] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.961] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.961] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.961] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.961] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.961] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.962] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.962] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.962] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.962] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.962] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.962] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.962] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.962] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.962] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.962] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.962] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.962] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.962] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.962] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.962] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.962] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.962] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.962] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.962] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.962] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.962] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.962] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.962] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.962] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.962] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.962] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.962] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.962] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.962] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.962] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.962] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.962] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.962] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.963] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.963] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.963] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.963] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.963] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.963] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.963] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.963] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.963] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.963] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.963] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.963] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.963] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.963] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.963] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.963] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.963] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.963] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.963] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.963] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.963] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.963] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.963] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.963] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.963] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.963] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.963] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.963] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.963] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.963] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.963] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.963] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.963] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.964] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.964] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.964] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.964] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.964] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.964] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.964] FindNextFileW (in: hFindFile=0x2a3f88, lpFindFileData=0x151f5d8 | out: lpFindFileData=0x151f5d8) returned 1 [0035.965] LdrLoadDll (in: SearchPath=0x0, LoadFlags=0x0, Name="psapi.dll", BaseAddress=0x151f84c | out: BaseAddress=0x151f84c*=0x77a10000) returned 0x0 [0035.965] FindClose (in: hFindFile=0x2a3f88 | out: hFindFile=0x2a3f88) returned 1 [0035.966] GetProcessImageFileNameW (in: hProcess=0x148, lpImageFileName=0xb2ed88, nSize=0x200 | out: lpImageFileName="") returned 0x0 [0035.966] GetProcessTimes (in: hProcess=0x148, lpCreationTime=0x151f880, lpExitTime=0x151f878, lpKernelTime=0x151f878, lpUserTime=0x151f878 | out: lpCreationTime=0x151f880, lpExitTime=0x151f878, lpKernelTime=0x151f878, lpUserTime=0x151f878) returned 1 [0035.966] OpenProcessToken (in: ProcessHandle=0x148, DesiredAccess=0x8, TokenHandle=0x151f848 | out: TokenHandle=0x151f848*=0x14c) returned 1 [0035.966] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f844 | out: TokenInformation=0x0, ReturnLength=0x151f844) returned 0 [0035.967] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0xb358b0, TokenInformationLength=0x14, ReturnLength=0x151f844 | out: TokenInformation=0xb358b0, ReturnLength=0x151f844) returned 1 [0035.967] GetSidSubAuthorityCount (pSid=0xb358b8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000)) returned 0xb358b9 [0035.967] GetSidSubAuthority (pSid=0xb358b8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000), nSubAuthority=0x0) returned 0xb358c0 [0035.967] GetExitCodeProcess (in: hProcess=0x148, lpExitCode=0x151f864 | out: lpExitCode=0x151f864*=0x103) returned 1 [0035.967] GetProcessImageFileNameW (in: hProcess=0x148, lpImageFileName=0xb2ed88, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Windows\\System32\\smss.exe") returned 0x31 [0035.967] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x151f84c | out: Wow64Process=0x151f84c) returned 1 [0035.967] IsWow64Process (in: hProcess=0x148, Wow64Process=0x151f85c | out: Wow64Process=0x151f85c) returned 1 [0035.967] NtQueryInformationProcess (in: ProcessHandle=0x148, ProcessInformationClass=0x18, ProcessInformation=0x151f858, ProcessInformationLength=0x4, ReturnLength=0x151f85c | out: ProcessInformation=0x151f858, ReturnLength=0x151f85c) returned 0x0 [0035.967] GetProcessTimes (in: hProcess=0x148, lpCreationTime=0x151f880, lpExitTime=0x151f878, lpKernelTime=0x151f878, lpUserTime=0x151f878 | out: lpCreationTime=0x151f880, lpExitTime=0x151f878, lpKernelTime=0x151f878, lpUserTime=0x151f878) returned 1 [0035.967] OpenProcessToken (in: ProcessHandle=0x148, DesiredAccess=0x8, TokenHandle=0x151f848 | out: TokenHandle=0x151f848*=0x14c) returned 1 [0035.967] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f844 | out: TokenInformation=0x0, ReturnLength=0x151f844) returned 0 [0035.967] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0xb358b0, TokenInformationLength=0x14, ReturnLength=0x151f844 | out: TokenInformation=0xb358b0, ReturnLength=0x151f844) returned 1 [0035.967] GetSidSubAuthorityCount (pSid=0xb358b8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000)) returned 0xb358b9 [0035.967] GetSidSubAuthority (pSid=0xb358b8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000), nSubAuthority=0x0) returned 0xb358c0 [0035.967] GetExitCodeProcess (in: hProcess=0x148, lpExitCode=0x151f864 | out: lpExitCode=0x151f864*=0x103) returned 1 [0035.967] GetProcessImageFileNameW (in: hProcess=0x148, lpImageFileName=0xb2ed88, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Windows\\System32\\wininit.exe") returned 0x34 [0035.967] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x151f84c | out: Wow64Process=0x151f84c) returned 1 [0035.967] IsWow64Process (in: hProcess=0x148, Wow64Process=0x151f85c | out: Wow64Process=0x151f85c) returned 1 [0035.967] NtQueryInformationProcess (in: ProcessHandle=0x148, ProcessInformationClass=0x18, ProcessInformation=0x151f858, ProcessInformationLength=0x4, ReturnLength=0x151f85c | out: ProcessInformation=0x151f858, ReturnLength=0x151f85c) returned 0x0 [0035.967] GetProcessTimes (in: hProcess=0x148, lpCreationTime=0x151f880, lpExitTime=0x151f878, lpKernelTime=0x151f878, lpUserTime=0x151f878 | out: lpCreationTime=0x151f880, lpExitTime=0x151f878, lpKernelTime=0x151f878, lpUserTime=0x151f878) returned 1 [0035.967] OpenProcessToken (in: ProcessHandle=0x148, DesiredAccess=0x8, TokenHandle=0x151f848 | out: TokenHandle=0x151f848*=0x14c) returned 1 [0035.968] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f844 | out: TokenInformation=0x0, ReturnLength=0x151f844) returned 0 [0035.968] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0xb358b0, TokenInformationLength=0x14, ReturnLength=0x151f844 | out: TokenInformation=0xb358b0, ReturnLength=0x151f844) returned 1 [0035.968] GetSidSubAuthorityCount (pSid=0xb358b8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000)) returned 0xb358b9 [0035.968] GetSidSubAuthority (pSid=0xb358b8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000), nSubAuthority=0x0) returned 0xb358c0 [0035.968] GetExitCodeProcess (in: hProcess=0x148, lpExitCode=0x151f864 | out: lpExitCode=0x151f864*=0x103) returned 1 [0035.968] GetProcessImageFileNameW (in: hProcess=0x148, lpImageFileName=0xb2ed88, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Windows\\System32\\services.exe") returned 0x35 [0035.968] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x151f84c | out: Wow64Process=0x151f84c) returned 1 [0035.968] IsWow64Process (in: hProcess=0x148, Wow64Process=0x151f85c | out: Wow64Process=0x151f85c) returned 1 [0035.968] NtQueryInformationProcess (in: ProcessHandle=0x148, ProcessInformationClass=0x18, ProcessInformation=0x151f858, ProcessInformationLength=0x4, ReturnLength=0x151f85c | out: ProcessInformation=0x151f858, ReturnLength=0x151f85c) returned 0x0 [0035.968] GetProcessTimes (in: hProcess=0x148, lpCreationTime=0x151f880, lpExitTime=0x151f878, lpKernelTime=0x151f878, lpUserTime=0x151f878 | out: lpCreationTime=0x151f880, lpExitTime=0x151f878, lpKernelTime=0x151f878, lpUserTime=0x151f878) returned 1 [0035.968] OpenProcessToken (in: ProcessHandle=0x148, DesiredAccess=0x8, TokenHandle=0x151f848 | out: TokenHandle=0x151f848*=0x14c) returned 1 [0035.968] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f844 | out: TokenInformation=0x0, ReturnLength=0x151f844) returned 0 [0035.968] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0xb358b0, TokenInformationLength=0x14, ReturnLength=0x151f844 | out: TokenInformation=0xb358b0, ReturnLength=0x151f844) returned 1 [0035.968] GetSidSubAuthorityCount (pSid=0xb358b8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000)) returned 0xb358b9 [0035.968] GetSidSubAuthority (pSid=0xb358b8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000), nSubAuthority=0x0) returned 0xb358c0 [0035.968] GetExitCodeProcess (in: hProcess=0x148, lpExitCode=0x151f864 | out: lpExitCode=0x151f864*=0x103) returned 1 [0035.968] GetProcessImageFileNameW (in: hProcess=0x148, lpImageFileName=0xb2ed88, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Windows\\System32\\lsass.exe") returned 0x32 [0035.968] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x151f84c | out: Wow64Process=0x151f84c) returned 1 [0035.968] IsWow64Process (in: hProcess=0x148, Wow64Process=0x151f85c | out: Wow64Process=0x151f85c) returned 1 [0035.968] NtQueryInformationProcess (in: ProcessHandle=0x148, ProcessInformationClass=0x18, ProcessInformation=0x151f858, ProcessInformationLength=0x4, ReturnLength=0x151f85c | out: ProcessInformation=0x151f858, ReturnLength=0x151f85c) returned 0x0 [0035.968] GetProcessTimes (in: hProcess=0x148, lpCreationTime=0x151f880, lpExitTime=0x151f878, lpKernelTime=0x151f878, lpUserTime=0x151f878 | out: lpCreationTime=0x151f880, lpExitTime=0x151f878, lpKernelTime=0x151f878, lpUserTime=0x151f878) returned 1 [0035.968] OpenProcessToken (in: ProcessHandle=0x148, DesiredAccess=0x8, TokenHandle=0x151f848 | out: TokenHandle=0x151f848*=0x14c) returned 1 [0035.968] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f844 | out: TokenInformation=0x0, ReturnLength=0x151f844) returned 0 [0035.968] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0xb358b0, TokenInformationLength=0x14, ReturnLength=0x151f844 | out: TokenInformation=0xb358b0, ReturnLength=0x151f844) returned 1 [0035.968] GetSidSubAuthorityCount (pSid=0xb358b8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000)) returned 0xb358b9 [0035.968] GetSidSubAuthority (pSid=0xb358b8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000), nSubAuthority=0x0) returned 0xb358c0 [0035.968] GetExitCodeProcess (in: hProcess=0x148, lpExitCode=0x151f864 | out: lpExitCode=0x151f864*=0x103) returned 1 [0035.969] GetProcessImageFileNameW (in: hProcess=0x148, lpImageFileName=0xb2ed88, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Windows\\System32\\lsm.exe") returned 0x30 [0035.969] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x151f84c | out: Wow64Process=0x151f84c) returned 1 [0035.969] IsWow64Process (in: hProcess=0x148, Wow64Process=0x151f85c | out: Wow64Process=0x151f85c) returned 1 [0035.969] NtQueryInformationProcess (in: ProcessHandle=0x148, ProcessInformationClass=0x18, ProcessInformation=0x151f858, ProcessInformationLength=0x4, ReturnLength=0x151f85c | out: ProcessInformation=0x151f858, ReturnLength=0x151f85c) returned 0x0 [0035.969] GetProcessTimes (in: hProcess=0x148, lpCreationTime=0x151f880, lpExitTime=0x151f878, lpKernelTime=0x151f878, lpUserTime=0x151f878 | out: lpCreationTime=0x151f880, lpExitTime=0x151f878, lpKernelTime=0x151f878, lpUserTime=0x151f878) returned 1 [0035.969] OpenProcessToken (in: ProcessHandle=0x148, DesiredAccess=0x8, TokenHandle=0x151f848 | out: TokenHandle=0x151f848*=0x14c) returned 1 [0035.969] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f844 | out: TokenInformation=0x0, ReturnLength=0x151f844) returned 0 [0035.969] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0xb358b0, TokenInformationLength=0x14, ReturnLength=0x151f844 | out: TokenInformation=0xb358b0, ReturnLength=0x151f844) returned 1 [0035.969] GetSidSubAuthorityCount (pSid=0xb358b8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000)) returned 0xb358b9 [0035.969] GetSidSubAuthority (pSid=0xb358b8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000), nSubAuthority=0x0) returned 0xb358c0 [0035.969] GetExitCodeProcess (in: hProcess=0x148, lpExitCode=0x151f864 | out: lpExitCode=0x151f864*=0x103) returned 1 [0035.969] GetProcessImageFileNameW (in: hProcess=0x148, lpImageFileName=0xb2ed88, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Windows\\System32\\svchost.exe") returned 0x34 [0035.969] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x151f84c | out: Wow64Process=0x151f84c) returned 1 [0035.969] IsWow64Process (in: hProcess=0x148, Wow64Process=0x151f85c | out: Wow64Process=0x151f85c) returned 1 [0035.969] NtQueryInformationProcess (in: ProcessHandle=0x148, ProcessInformationClass=0x18, ProcessInformation=0x151f858, ProcessInformationLength=0x4, ReturnLength=0x151f85c | out: ProcessInformation=0x151f858, ReturnLength=0x151f85c) returned 0x0 [0035.969] GetProcessTimes (in: hProcess=0x148, lpCreationTime=0x151f880, lpExitTime=0x151f878, lpKernelTime=0x151f878, lpUserTime=0x151f878 | out: lpCreationTime=0x151f880, lpExitTime=0x151f878, lpKernelTime=0x151f878, lpUserTime=0x151f878) returned 1 [0035.969] OpenProcessToken (in: ProcessHandle=0x148, DesiredAccess=0x8, TokenHandle=0x151f848 | out: TokenHandle=0x151f848*=0x14c) returned 1 [0035.969] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f844 | out: TokenInformation=0x0, ReturnLength=0x151f844) returned 0 [0035.969] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0xb358b0, TokenInformationLength=0x14, ReturnLength=0x151f844 | out: TokenInformation=0xb358b0, ReturnLength=0x151f844) returned 1 [0035.969] GetSidSubAuthorityCount (pSid=0xb358b8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000)) returned 0xb358b9 [0035.969] GetSidSubAuthority (pSid=0xb358b8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000), nSubAuthority=0x0) returned 0xb358c0 [0035.969] GetExitCodeProcess (in: hProcess=0x148, lpExitCode=0x151f864 | out: lpExitCode=0x151f864*=0x103) returned 1 [0035.969] GetProcessImageFileNameW (in: hProcess=0x148, lpImageFileName=0xb2ed88, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Windows\\System32\\svchost.exe") returned 0x34 [0035.969] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x151f84c | out: Wow64Process=0x151f84c) returned 1 [0035.969] IsWow64Process (in: hProcess=0x148, Wow64Process=0x151f85c | out: Wow64Process=0x151f85c) returned 1 [0035.969] NtQueryInformationProcess (in: ProcessHandle=0x148, ProcessInformationClass=0x18, ProcessInformation=0x151f858, ProcessInformationLength=0x4, ReturnLength=0x151f85c | out: ProcessInformation=0x151f858, ReturnLength=0x151f85c) returned 0x0 [0035.970] GetProcessTimes (in: hProcess=0x148, lpCreationTime=0x151f880, lpExitTime=0x151f878, lpKernelTime=0x151f878, lpUserTime=0x151f878 | out: lpCreationTime=0x151f880, lpExitTime=0x151f878, lpKernelTime=0x151f878, lpUserTime=0x151f878) returned 1 [0035.970] OpenProcessToken (in: ProcessHandle=0x148, DesiredAccess=0x8, TokenHandle=0x151f848 | out: TokenHandle=0x151f848*=0x14c) returned 1 [0035.970] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f844 | out: TokenInformation=0x0, ReturnLength=0x151f844) returned 0 [0035.970] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0xb358b0, TokenInformationLength=0x14, ReturnLength=0x151f844 | out: TokenInformation=0xb358b0, ReturnLength=0x151f844) returned 1 [0035.970] GetSidSubAuthorityCount (pSid=0xb358b8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000)) returned 0xb358b9 [0035.970] GetSidSubAuthority (pSid=0xb358b8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000), nSubAuthority=0x0) returned 0xb358c0 [0035.970] GetExitCodeProcess (in: hProcess=0x148, lpExitCode=0x151f864 | out: lpExitCode=0x151f864*=0x103) returned 1 [0035.970] GetProcessImageFileNameW (in: hProcess=0x148, lpImageFileName=0xb2ed88, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Windows\\System32\\svchost.exe") returned 0x34 [0035.970] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x151f84c | out: Wow64Process=0x151f84c) returned 1 [0035.970] IsWow64Process (in: hProcess=0x148, Wow64Process=0x151f85c | out: Wow64Process=0x151f85c) returned 1 [0035.970] NtQueryInformationProcess (in: ProcessHandle=0x148, ProcessInformationClass=0x18, ProcessInformation=0x151f858, ProcessInformationLength=0x4, ReturnLength=0x151f85c | out: ProcessInformation=0x151f858, ReturnLength=0x151f85c) returned 0x0 [0035.970] GetProcessTimes (in: hProcess=0x148, lpCreationTime=0x151f880, lpExitTime=0x151f878, lpKernelTime=0x151f878, lpUserTime=0x151f878 | out: lpCreationTime=0x151f880, lpExitTime=0x151f878, lpKernelTime=0x151f878, lpUserTime=0x151f878) returned 1 [0035.970] OpenProcessToken (in: ProcessHandle=0x148, DesiredAccess=0x8, TokenHandle=0x151f848 | out: TokenHandle=0x151f848*=0x14c) returned 1 [0035.970] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f844 | out: TokenInformation=0x0, ReturnLength=0x151f844) returned 0 [0035.970] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0xb358b0, TokenInformationLength=0x14, ReturnLength=0x151f844 | out: TokenInformation=0xb358b0, ReturnLength=0x151f844) returned 1 [0035.970] GetSidSubAuthorityCount (pSid=0xb358b8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000)) returned 0xb358b9 [0035.970] GetSidSubAuthority (pSid=0xb358b8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000), nSubAuthority=0x0) returned 0xb358c0 [0035.970] GetExitCodeProcess (in: hProcess=0x148, lpExitCode=0x151f864 | out: lpExitCode=0x151f864*=0x103) returned 1 [0035.970] GetProcessImageFileNameW (in: hProcess=0x148, lpImageFileName=0xb2ed88, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Windows\\System32\\svchost.exe") returned 0x34 [0035.970] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x151f84c | out: Wow64Process=0x151f84c) returned 1 [0035.970] IsWow64Process (in: hProcess=0x148, Wow64Process=0x151f85c | out: Wow64Process=0x151f85c) returned 1 [0035.970] NtQueryInformationProcess (in: ProcessHandle=0x148, ProcessInformationClass=0x18, ProcessInformation=0x151f858, ProcessInformationLength=0x4, ReturnLength=0x151f85c | out: ProcessInformation=0x151f858, ReturnLength=0x151f85c) returned 0x0 [0035.970] GetProcessTimes (in: hProcess=0x148, lpCreationTime=0x151f880, lpExitTime=0x151f878, lpKernelTime=0x151f878, lpUserTime=0x151f878 | out: lpCreationTime=0x151f880, lpExitTime=0x151f878, lpKernelTime=0x151f878, lpUserTime=0x151f878) returned 1 [0035.970] OpenProcessToken (in: ProcessHandle=0x148, DesiredAccess=0x8, TokenHandle=0x151f848 | out: TokenHandle=0x151f848*=0x14c) returned 1 [0035.970] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f844 | out: TokenInformation=0x0, ReturnLength=0x151f844) returned 0 [0035.970] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0xb358b0, TokenInformationLength=0x14, ReturnLength=0x151f844 | out: TokenInformation=0xb358b0, ReturnLength=0x151f844) returned 1 [0035.970] GetSidSubAuthorityCount (pSid=0xb358b8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000)) returned 0xb358b9 [0035.971] GetSidSubAuthority (pSid=0xb358b8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000), nSubAuthority=0x0) returned 0xb358c0 [0035.971] GetExitCodeProcess (in: hProcess=0x148, lpExitCode=0x151f864 | out: lpExitCode=0x151f864*=0x103) returned 1 [0035.971] GetProcessImageFileNameW (in: hProcess=0x148, lpImageFileName=0xb2ed88, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Windows\\System32\\svchost.exe") returned 0x34 [0035.971] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x151f84c | out: Wow64Process=0x151f84c) returned 1 [0035.971] IsWow64Process (in: hProcess=0x148, Wow64Process=0x151f85c | out: Wow64Process=0x151f85c) returned 1 [0035.971] NtQueryInformationProcess (in: ProcessHandle=0x148, ProcessInformationClass=0x18, ProcessInformation=0x151f858, ProcessInformationLength=0x4, ReturnLength=0x151f85c | out: ProcessInformation=0x151f858, ReturnLength=0x151f85c) returned 0x0 [0035.971] GetProcessTimes (in: hProcess=0x148, lpCreationTime=0x151f880, lpExitTime=0x151f878, lpKernelTime=0x151f878, lpUserTime=0x151f878 | out: lpCreationTime=0x151f880, lpExitTime=0x151f878, lpKernelTime=0x151f878, lpUserTime=0x151f878) returned 1 [0035.971] OpenProcessToken (in: ProcessHandle=0x148, DesiredAccess=0x8, TokenHandle=0x151f848 | out: TokenHandle=0x151f848*=0x14c) returned 1 [0035.971] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f844 | out: TokenInformation=0x0, ReturnLength=0x151f844) returned 0 [0035.971] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0xb358b0, TokenInformationLength=0x14, ReturnLength=0x151f844 | out: TokenInformation=0xb358b0, ReturnLength=0x151f844) returned 1 [0035.971] GetSidSubAuthorityCount (pSid=0xb358b8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000)) returned 0xb358b9 [0035.971] GetSidSubAuthority (pSid=0xb358b8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000), nSubAuthority=0x0) returned 0xb358c0 [0035.971] GetExitCodeProcess (in: hProcess=0x148, lpExitCode=0x151f864 | out: lpExitCode=0x151f864*=0x103) returned 1 [0035.971] GetProcessImageFileNameW (in: hProcess=0x148, lpImageFileName=0xb2ed88, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Windows\\System32\\audiodg.exe") returned 0x34 [0035.971] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x151f84c | out: Wow64Process=0x151f84c) returned 1 [0035.971] IsWow64Process (in: hProcess=0x148, Wow64Process=0x151f85c | out: Wow64Process=0x151f85c) returned 1 [0035.971] NtQueryInformationProcess (in: ProcessHandle=0x148, ProcessInformationClass=0x18, ProcessInformation=0x151f858, ProcessInformationLength=0x4, ReturnLength=0x151f85c | out: ProcessInformation=0x151f858, ReturnLength=0x151f85c) returned 0x0 [0035.971] GetProcessTimes (in: hProcess=0x148, lpCreationTime=0x151f880, lpExitTime=0x151f878, lpKernelTime=0x151f878, lpUserTime=0x151f878 | out: lpCreationTime=0x151f880, lpExitTime=0x151f878, lpKernelTime=0x151f878, lpUserTime=0x151f878) returned 1 [0035.971] OpenProcessToken (in: ProcessHandle=0x148, DesiredAccess=0x8, TokenHandle=0x151f848 | out: TokenHandle=0x151f848*=0x14c) returned 1 [0035.971] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f844 | out: TokenInformation=0x0, ReturnLength=0x151f844) returned 0 [0035.971] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0xb358b0, TokenInformationLength=0x14, ReturnLength=0x151f844 | out: TokenInformation=0xb358b0, ReturnLength=0x151f844) returned 1 [0035.971] GetSidSubAuthorityCount (pSid=0xb358b8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000)) returned 0xb358b9 [0035.971] GetSidSubAuthority (pSid=0xb358b8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000), nSubAuthority=0x0) returned 0xb358c0 [0035.971] GetExitCodeProcess (in: hProcess=0x148, lpExitCode=0x151f864 | out: lpExitCode=0x151f864*=0x103) returned 1 [0035.971] GetProcessImageFileNameW (in: hProcess=0x148, lpImageFileName=0xb2ed88, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Windows\\System32\\svchost.exe") returned 0x34 [0035.972] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x151f84c | out: Wow64Process=0x151f84c) returned 1 [0035.972] IsWow64Process (in: hProcess=0x148, Wow64Process=0x151f85c | out: Wow64Process=0x151f85c) returned 1 [0035.972] NtQueryInformationProcess (in: ProcessHandle=0x148, ProcessInformationClass=0x18, ProcessInformation=0x151f858, ProcessInformationLength=0x4, ReturnLength=0x151f85c | out: ProcessInformation=0x151f858, ReturnLength=0x151f85c) returned 0x0 [0035.972] GetProcessTimes (in: hProcess=0x148, lpCreationTime=0x151f880, lpExitTime=0x151f878, lpKernelTime=0x151f878, lpUserTime=0x151f878 | out: lpCreationTime=0x151f880, lpExitTime=0x151f878, lpKernelTime=0x151f878, lpUserTime=0x151f878) returned 1 [0035.972] OpenProcessToken (in: ProcessHandle=0x148, DesiredAccess=0x8, TokenHandle=0x151f848 | out: TokenHandle=0x151f848*=0x14c) returned 1 [0035.972] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f844 | out: TokenInformation=0x0, ReturnLength=0x151f844) returned 0 [0035.972] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0xb358b0, TokenInformationLength=0x14, ReturnLength=0x151f844 | out: TokenInformation=0xb358b0, ReturnLength=0x151f844) returned 1 [0035.972] GetSidSubAuthorityCount (pSid=0xb358b8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000)) returned 0xb358b9 [0035.972] GetSidSubAuthority (pSid=0xb358b8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000), nSubAuthority=0x0) returned 0xb358c0 [0035.972] GetExitCodeProcess (in: hProcess=0x148, lpExitCode=0x151f864 | out: lpExitCode=0x151f864*=0x103) returned 1 [0035.972] GetProcessImageFileNameW (in: hProcess=0x148, lpImageFileName=0xb2ed88, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Windows\\System32\\svchost.exe") returned 0x34 [0035.972] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x151f84c | out: Wow64Process=0x151f84c) returned 1 [0035.972] IsWow64Process (in: hProcess=0x148, Wow64Process=0x151f85c | out: Wow64Process=0x151f85c) returned 1 [0035.972] NtQueryInformationProcess (in: ProcessHandle=0x148, ProcessInformationClass=0x18, ProcessInformation=0x151f858, ProcessInformationLength=0x4, ReturnLength=0x151f85c | out: ProcessInformation=0x151f858, ReturnLength=0x151f85c) returned 0x0 [0035.972] GetProcessTimes (in: hProcess=0x148, lpCreationTime=0x151f880, lpExitTime=0x151f878, lpKernelTime=0x151f878, lpUserTime=0x151f878 | out: lpCreationTime=0x151f880, lpExitTime=0x151f878, lpKernelTime=0x151f878, lpUserTime=0x151f878) returned 1 [0035.972] OpenProcessToken (in: ProcessHandle=0x148, DesiredAccess=0x8, TokenHandle=0x151f848 | out: TokenHandle=0x151f848*=0x14c) returned 1 [0035.972] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f844 | out: TokenInformation=0x0, ReturnLength=0x151f844) returned 0 [0035.972] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0xb358b0, TokenInformationLength=0x14, ReturnLength=0x151f844 | out: TokenInformation=0xb358b0, ReturnLength=0x151f844) returned 1 [0035.972] GetSidSubAuthorityCount (pSid=0xb358b8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000)) returned 0xb358b9 [0035.972] GetSidSubAuthority (pSid=0xb358b8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000), nSubAuthority=0x0) returned 0xb358c0 [0035.972] GetExitCodeProcess (in: hProcess=0x148, lpExitCode=0x151f864 | out: lpExitCode=0x151f864*=0x103) returned 1 [0035.972] GetProcessImageFileNameW (in: hProcess=0x148, lpImageFileName=0xb2ed88, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Windows\\System32\\dwm.exe") returned 0x30 [0035.972] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x151f84c | out: Wow64Process=0x151f84c) returned 1 [0035.973] IsWow64Process (in: hProcess=0x148, Wow64Process=0x151f85c | out: Wow64Process=0x151f85c) returned 1 [0035.973] NtQueryInformationProcess (in: ProcessHandle=0x148, ProcessInformationClass=0x18, ProcessInformation=0x151f858, ProcessInformationLength=0x4, ReturnLength=0x151f85c | out: ProcessInformation=0x151f858, ReturnLength=0x151f85c) returned 0x0 [0035.973] GetProcessTimes (in: hProcess=0x148, lpCreationTime=0x151f880, lpExitTime=0x151f878, lpKernelTime=0x151f878, lpUserTime=0x151f878 | out: lpCreationTime=0x151f880, lpExitTime=0x151f878, lpKernelTime=0x151f878, lpUserTime=0x151f878) returned 1 [0035.973] OpenProcessToken (in: ProcessHandle=0x148, DesiredAccess=0x8, TokenHandle=0x151f848 | out: TokenHandle=0x151f848*=0x14c) returned 1 [0035.973] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f844 | out: TokenInformation=0x0, ReturnLength=0x151f844) returned 0 [0035.973] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0xb358b0, TokenInformationLength=0x14, ReturnLength=0x151f844 | out: TokenInformation=0xb358b0, ReturnLength=0x151f844) returned 1 [0035.973] GetSidSubAuthorityCount (pSid=0xb358b8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xb358b9 [0035.973] GetSidSubAuthority (pSid=0xb358b8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xb358c0 [0035.973] GetExitCodeProcess (in: hProcess=0x148, lpExitCode=0x151f864 | out: lpExitCode=0x151f864*=0x103) returned 1 [0035.973] GetProcessImageFileNameW (in: hProcess=0x148, lpImageFileName=0xb2ed88, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Windows\\System32\\spoolsv.exe") returned 0x34 [0035.973] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x151f84c | out: Wow64Process=0x151f84c) returned 1 [0035.973] IsWow64Process (in: hProcess=0x148, Wow64Process=0x151f85c | out: Wow64Process=0x151f85c) returned 1 [0035.973] NtQueryInformationProcess (in: ProcessHandle=0x148, ProcessInformationClass=0x18, ProcessInformation=0x151f858, ProcessInformationLength=0x4, ReturnLength=0x151f85c | out: ProcessInformation=0x151f858, ReturnLength=0x151f85c) returned 0x0 [0035.973] GetProcessTimes (in: hProcess=0x148, lpCreationTime=0x151f880, lpExitTime=0x151f878, lpKernelTime=0x151f878, lpUserTime=0x151f878 | out: lpCreationTime=0x151f880, lpExitTime=0x151f878, lpKernelTime=0x151f878, lpUserTime=0x151f878) returned 1 [0035.973] OpenProcessToken (in: ProcessHandle=0x148, DesiredAccess=0x8, TokenHandle=0x151f848 | out: TokenHandle=0x151f848*=0x14c) returned 1 [0035.973] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f844 | out: TokenInformation=0x0, ReturnLength=0x151f844) returned 0 [0035.973] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0xb358b0, TokenInformationLength=0x14, ReturnLength=0x151f844 | out: TokenInformation=0xb358b0, ReturnLength=0x151f844) returned 1 [0035.973] GetSidSubAuthorityCount (pSid=0xb358b8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000)) returned 0xb358b9 [0035.973] GetSidSubAuthority (pSid=0xb358b8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000), nSubAuthority=0x0) returned 0xb358c0 [0035.973] GetExitCodeProcess (in: hProcess=0x148, lpExitCode=0x151f864 | out: lpExitCode=0x151f864*=0x103) returned 1 [0035.973] GetProcessImageFileNameW (in: hProcess=0x148, lpImageFileName=0xb2ed88, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Windows\\System32\\taskhost.exe") returned 0x35 [0035.973] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x151f84c | out: Wow64Process=0x151f84c) returned 1 [0035.973] IsWow64Process (in: hProcess=0x148, Wow64Process=0x151f85c | out: Wow64Process=0x151f85c) returned 1 [0035.973] NtQueryInformationProcess (in: ProcessHandle=0x148, ProcessInformationClass=0x18, ProcessInformation=0x151f858, ProcessInformationLength=0x4, ReturnLength=0x151f85c | out: ProcessInformation=0x151f858, ReturnLength=0x151f85c) returned 0x0 [0035.973] GetProcessTimes (in: hProcess=0x148, lpCreationTime=0x151f880, lpExitTime=0x151f878, lpKernelTime=0x151f878, lpUserTime=0x151f878 | out: lpCreationTime=0x151f880, lpExitTime=0x151f878, lpKernelTime=0x151f878, lpUserTime=0x151f878) returned 1 [0035.973] OpenProcessToken (in: ProcessHandle=0x148, DesiredAccess=0x8, TokenHandle=0x151f848 | out: TokenHandle=0x151f848*=0x14c) returned 1 [0035.973] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f844 | out: TokenInformation=0x0, ReturnLength=0x151f844) returned 0 [0035.974] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0xb358b0, TokenInformationLength=0x14, ReturnLength=0x151f844 | out: TokenInformation=0xb358b0, ReturnLength=0x151f844) returned 1 [0035.974] GetSidSubAuthorityCount (pSid=0xb358b8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xb358b9 [0035.974] GetSidSubAuthority (pSid=0xb358b8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xb358c0 [0035.974] GetExitCodeProcess (in: hProcess=0x148, lpExitCode=0x151f864 | out: lpExitCode=0x151f864*=0x103) returned 1 [0035.974] GetProcessImageFileNameW (in: hProcess=0x148, lpImageFileName=0xb2ed88, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Windows\\System32\\svchost.exe") returned 0x34 [0035.974] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x151f84c | out: Wow64Process=0x151f84c) returned 1 [0035.974] IsWow64Process (in: hProcess=0x148, Wow64Process=0x151f85c | out: Wow64Process=0x151f85c) returned 1 [0035.974] NtQueryInformationProcess (in: ProcessHandle=0x148, ProcessInformationClass=0x18, ProcessInformation=0x151f858, ProcessInformationLength=0x4, ReturnLength=0x151f85c | out: ProcessInformation=0x151f858, ReturnLength=0x151f85c) returned 0x0 [0035.974] GetProcessTimes (in: hProcess=0x148, lpCreationTime=0x151f880, lpExitTime=0x151f878, lpKernelTime=0x151f878, lpUserTime=0x151f878 | out: lpCreationTime=0x151f880, lpExitTime=0x151f878, lpKernelTime=0x151f878, lpUserTime=0x151f878) returned 1 [0035.974] OpenProcessToken (in: ProcessHandle=0x148, DesiredAccess=0x8, TokenHandle=0x151f848 | out: TokenHandle=0x151f848*=0x14c) returned 1 [0035.974] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f844 | out: TokenInformation=0x0, ReturnLength=0x151f844) returned 0 [0035.974] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0xb358b0, TokenInformationLength=0x14, ReturnLength=0x151f844 | out: TokenInformation=0xb358b0, ReturnLength=0x151f844) returned 1 [0035.974] GetSidSubAuthorityCount (pSid=0xb358b8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000)) returned 0xb358b9 [0035.974] GetSidSubAuthority (pSid=0xb358b8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000), nSubAuthority=0x0) returned 0xb358c0 [0035.974] GetExitCodeProcess (in: hProcess=0x148, lpExitCode=0x151f864 | out: lpExitCode=0x151f864*=0x103) returned 1 [0035.974] GetProcessImageFileNameW (in: hProcess=0x148, lpImageFileName=0xb2ed88, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Windows\\System32\\taskeng.exe") returned 0x34 [0035.974] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x151f84c | out: Wow64Process=0x151f84c) returned 1 [0035.974] IsWow64Process (in: hProcess=0x148, Wow64Process=0x151f85c | out: Wow64Process=0x151f85c) returned 1 [0035.974] NtQueryInformationProcess (in: ProcessHandle=0x148, ProcessInformationClass=0x18, ProcessInformation=0x151f858, ProcessInformationLength=0x4, ReturnLength=0x151f85c | out: ProcessInformation=0x151f858, ReturnLength=0x151f85c) returned 0x0 [0035.974] GetProcessTimes (in: hProcess=0x148, lpCreationTime=0x151f880, lpExitTime=0x151f878, lpKernelTime=0x151f878, lpUserTime=0x151f878 | out: lpCreationTime=0x151f880, lpExitTime=0x151f878, lpKernelTime=0x151f878, lpUserTime=0x151f878) returned 1 [0035.974] OpenProcessToken (in: ProcessHandle=0x148, DesiredAccess=0x8, TokenHandle=0x151f848 | out: TokenHandle=0x151f848*=0x14c) returned 1 [0035.974] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f844 | out: TokenInformation=0x0, ReturnLength=0x151f844) returned 0 [0035.974] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0xb358b0, TokenInformationLength=0x14, ReturnLength=0x151f844 | out: TokenInformation=0xb358b0, ReturnLength=0x151f844) returned 1 [0035.974] GetSidSubAuthorityCount (pSid=0xb358b8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x3000)) returned 0xb358b9 [0035.974] GetSidSubAuthority (pSid=0xb358b8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x3000), nSubAuthority=0x0) returned 0xb358c0 [0035.974] GetExitCodeProcess (in: hProcess=0x148, lpExitCode=0x151f864 | out: lpExitCode=0x151f864*=0x103) returned 1 [0035.975] GetProcessImageFileNameW (in: hProcess=0x148, lpImageFileName=0xb2ed88, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Windows\\System32\\taskhost.exe") returned 0x35 [0035.975] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x151f84c | out: Wow64Process=0x151f84c) returned 1 [0035.975] IsWow64Process (in: hProcess=0x148, Wow64Process=0x151f85c | out: Wow64Process=0x151f85c) returned 1 [0035.975] NtQueryInformationProcess (in: ProcessHandle=0x148, ProcessInformationClass=0x18, ProcessInformation=0x151f858, ProcessInformationLength=0x4, ReturnLength=0x151f85c | out: ProcessInformation=0x151f858, ReturnLength=0x151f85c) returned 0x0 [0035.975] GetProcessTimes (in: hProcess=0x148, lpCreationTime=0x151f880, lpExitTime=0x151f878, lpKernelTime=0x151f878, lpUserTime=0x151f878 | out: lpCreationTime=0x151f880, lpExitTime=0x151f878, lpKernelTime=0x151f878, lpUserTime=0x151f878) returned 1 [0035.975] OpenProcessToken (in: ProcessHandle=0x148, DesiredAccess=0x8, TokenHandle=0x151f848 | out: TokenHandle=0x151f848*=0x14c) returned 1 [0035.975] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f844 | out: TokenInformation=0x0, ReturnLength=0x151f844) returned 0 [0035.975] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0xb358b0, TokenInformationLength=0x14, ReturnLength=0x151f844 | out: TokenInformation=0xb358b0, ReturnLength=0x151f844) returned 1 [0035.975] GetSidSubAuthorityCount (pSid=0xb358b8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000)) returned 0xb358b9 [0035.975] GetSidSubAuthority (pSid=0xb358b8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000), nSubAuthority=0x0) returned 0xb358c0 [0035.975] GetExitCodeProcess (in: hProcess=0x148, lpExitCode=0x151f864 | out: lpExitCode=0x151f864*=0x103) returned 1 [0035.975] GetProcessImageFileNameW (in: hProcess=0x148, lpImageFileName=0xb2ed88, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Windows\\explorer.exe") returned 0x2c [0035.975] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x151f84c | out: Wow64Process=0x151f84c) returned 1 [0035.975] IsWow64Process (in: hProcess=0x148, Wow64Process=0x151f85c | out: Wow64Process=0x151f85c) returned 1 [0035.975] NtQueryInformationProcess (in: ProcessHandle=0x148, ProcessInformationClass=0x18, ProcessInformation=0x151f858, ProcessInformationLength=0x4, ReturnLength=0x151f85c | out: ProcessInformation=0x151f858, ReturnLength=0x151f85c) returned 0x0 [0035.975] GetProcessTimes (in: hProcess=0x148, lpCreationTime=0x151f880, lpExitTime=0x151f878, lpKernelTime=0x151f878, lpUserTime=0x151f878 | out: lpCreationTime=0x151f880, lpExitTime=0x151f878, lpKernelTime=0x151f878, lpUserTime=0x151f878) returned 1 [0035.975] OpenProcessToken (in: ProcessHandle=0x148, DesiredAccess=0x8, TokenHandle=0x151f848 | out: TokenHandle=0x151f848*=0x14c) returned 1 [0035.975] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f844 | out: TokenInformation=0x0, ReturnLength=0x151f844) returned 0 [0035.975] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0xb358b0, TokenInformationLength=0x14, ReturnLength=0x151f844 | out: TokenInformation=0xb358b0, ReturnLength=0x151f844) returned 1 [0035.975] GetSidSubAuthorityCount (pSid=0xb358b8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xb358b9 [0035.975] GetSidSubAuthority (pSid=0xb358b8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xb358c0 [0035.975] GetExitCodeProcess (in: hProcess=0x148, lpExitCode=0x151f864 | out: lpExitCode=0x151f864*=0x103) returned 1 [0035.975] GetProcessImageFileNameW (in: hProcess=0x148, lpImageFileName=0xb2ed88, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Program Files\\Microsoft Sync Framework\\connectionsdecade.exe") returned 0x54 [0035.975] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x151f84c | out: Wow64Process=0x151f84c) returned 1 [0035.975] IsWow64Process (in: hProcess=0x148, Wow64Process=0x151f85c | out: Wow64Process=0x151f85c) returned 1 [0035.975] NtQueryInformationProcess (in: ProcessHandle=0x148, ProcessInformationClass=0x18, ProcessInformation=0x151f858, ProcessInformationLength=0x4, ReturnLength=0x151f85c | out: ProcessInformation=0x151f858, ReturnLength=0x151f85c) returned 0x0 [0035.975] GetProcessTimes (in: hProcess=0x148, lpCreationTime=0x151f880, lpExitTime=0x151f878, lpKernelTime=0x151f878, lpUserTime=0x151f878 | out: lpCreationTime=0x151f880, lpExitTime=0x151f878, lpKernelTime=0x151f878, lpUserTime=0x151f878) returned 1 [0035.976] OpenProcessToken (in: ProcessHandle=0x148, DesiredAccess=0x8, TokenHandle=0x151f848 | out: TokenHandle=0x151f848*=0x14c) returned 1 [0035.976] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f844 | out: TokenInformation=0x0, ReturnLength=0x151f844) returned 0 [0035.976] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0xb358b0, TokenInformationLength=0x14, ReturnLength=0x151f844 | out: TokenInformation=0xb358b0, ReturnLength=0x151f844) returned 1 [0035.976] GetSidSubAuthorityCount (pSid=0xb358b8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xb358b9 [0035.976] GetSidSubAuthority (pSid=0xb358b8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xb358c0 [0035.976] GetExitCodeProcess (in: hProcess=0x148, lpExitCode=0x151f864 | out: lpExitCode=0x151f864*=0x103) returned 1 [0035.976] GetProcessImageFileNameW (in: hProcess=0x148, lpImageFileName=0xb2ed88, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Program Files (x86)\\Reference Assemblies\\spectrum fs.exe") returned 0x50 [0035.976] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x151f84c | out: Wow64Process=0x151f84c) returned 1 [0035.976] IsWow64Process (in: hProcess=0x148, Wow64Process=0x151f85c | out: Wow64Process=0x151f85c) returned 1 [0035.976] NtQueryInformationProcess (in: ProcessHandle=0x148, ProcessInformationClass=0x18, ProcessInformation=0x151f858, ProcessInformationLength=0x4, ReturnLength=0x151f85c | out: ProcessInformation=0x151f858, ReturnLength=0x151f85c) returned 0x0 [0035.976] GetProcessTimes (in: hProcess=0x148, lpCreationTime=0x151f880, lpExitTime=0x151f878, lpKernelTime=0x151f878, lpUserTime=0x151f878 | out: lpCreationTime=0x151f880, lpExitTime=0x151f878, lpKernelTime=0x151f878, lpUserTime=0x151f878) returned 1 [0035.976] OpenProcessToken (in: ProcessHandle=0x148, DesiredAccess=0x8, TokenHandle=0x151f848 | out: TokenHandle=0x151f848*=0x14c) returned 1 [0035.976] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f844 | out: TokenInformation=0x0, ReturnLength=0x151f844) returned 0 [0035.976] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0xb358b0, TokenInformationLength=0x14, ReturnLength=0x151f844 | out: TokenInformation=0xb358b0, ReturnLength=0x151f844) returned 1 [0035.976] GetSidSubAuthorityCount (pSid=0xb358b8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xb358b9 [0035.976] GetSidSubAuthority (pSid=0xb358b8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xb358c0 [0035.976] GetExitCodeProcess (in: hProcess=0x148, lpExitCode=0x151f864 | out: lpExitCode=0x151f864*=0x103) returned 1 [0035.976] GetProcessImageFileNameW (in: hProcess=0x148, lpImageFileName=0xb2ed88, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Program Files (x86)\\Common Files\\amounts_under.exe") returned 0x4a [0035.976] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x151f84c | out: Wow64Process=0x151f84c) returned 1 [0035.976] IsWow64Process (in: hProcess=0x148, Wow64Process=0x151f85c | out: Wow64Process=0x151f85c) returned 1 [0035.976] NtQueryInformationProcess (in: ProcessHandle=0x148, ProcessInformationClass=0x18, ProcessInformation=0x151f858, ProcessInformationLength=0x4, ReturnLength=0x151f85c | out: ProcessInformation=0x151f858, ReturnLength=0x151f85c) returned 0x0 [0035.976] GetProcessTimes (in: hProcess=0x148, lpCreationTime=0x151f880, lpExitTime=0x151f878, lpKernelTime=0x151f878, lpUserTime=0x151f878 | out: lpCreationTime=0x151f880, lpExitTime=0x151f878, lpKernelTime=0x151f878, lpUserTime=0x151f878) returned 1 [0035.976] OpenProcessToken (in: ProcessHandle=0x148, DesiredAccess=0x8, TokenHandle=0x151f848 | out: TokenHandle=0x151f848*=0x14c) returned 1 [0035.976] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f844 | out: TokenInformation=0x0, ReturnLength=0x151f844) returned 0 [0035.976] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0xb358b0, TokenInformationLength=0x14, ReturnLength=0x151f844 | out: TokenInformation=0xb358b0, ReturnLength=0x151f844) returned 1 [0035.976] GetSidSubAuthorityCount (pSid=0xb358b8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xb358b9 [0035.976] GetSidSubAuthority (pSid=0xb358b8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xb358c0 [0035.976] GetExitCodeProcess (in: hProcess=0x148, lpExitCode=0x151f864 | out: lpExitCode=0x151f864*=0x103) returned 1 [0035.977] GetProcessImageFileNameW (in: hProcess=0x148, lpImageFileName=0xb2ed88, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Program Files (x86)\\Java\\emergency_limitation.exe") returned 0x49 [0035.977] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x151f84c | out: Wow64Process=0x151f84c) returned 1 [0035.977] IsWow64Process (in: hProcess=0x148, Wow64Process=0x151f85c | out: Wow64Process=0x151f85c) returned 1 [0035.977] NtQueryInformationProcess (in: ProcessHandle=0x148, ProcessInformationClass=0x18, ProcessInformation=0x151f858, ProcessInformationLength=0x4, ReturnLength=0x151f85c | out: ProcessInformation=0x151f858, ReturnLength=0x151f85c) returned 0x0 [0035.977] GetProcessTimes (in: hProcess=0x148, lpCreationTime=0x151f880, lpExitTime=0x151f878, lpKernelTime=0x151f878, lpUserTime=0x151f878 | out: lpCreationTime=0x151f880, lpExitTime=0x151f878, lpKernelTime=0x151f878, lpUserTime=0x151f878) returned 1 [0035.977] OpenProcessToken (in: ProcessHandle=0x148, DesiredAccess=0x8, TokenHandle=0x151f848 | out: TokenHandle=0x151f848*=0x14c) returned 1 [0035.977] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f844 | out: TokenInformation=0x0, ReturnLength=0x151f844) returned 0 [0035.977] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0xb358b0, TokenInformationLength=0x14, ReturnLength=0x151f844 | out: TokenInformation=0xb358b0, ReturnLength=0x151f844) returned 1 [0035.977] GetSidSubAuthorityCount (pSid=0xb358b8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xb358b9 [0035.977] GetSidSubAuthority (pSid=0xb358b8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xb358c0 [0035.977] GetExitCodeProcess (in: hProcess=0x148, lpExitCode=0x151f864 | out: lpExitCode=0x151f864*=0x103) returned 1 [0035.977] GetProcessImageFileNameW (in: hProcess=0x148, lpImageFileName=0xb2ed88, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Program Files (x86)\\Windows Mail\\partnerships.exe") returned 0x49 [0035.978] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x151f84c | out: Wow64Process=0x151f84c) returned 1 [0035.978] IsWow64Process (in: hProcess=0x148, Wow64Process=0x151f85c | out: Wow64Process=0x151f85c) returned 1 [0035.978] NtQueryInformationProcess (in: ProcessHandle=0x148, ProcessInformationClass=0x18, ProcessInformation=0x151f858, ProcessInformationLength=0x4, ReturnLength=0x151f85c | out: ProcessInformation=0x151f858, ReturnLength=0x151f85c) returned 0x0 [0035.978] GetProcessTimes (in: hProcess=0x148, lpCreationTime=0x151f880, lpExitTime=0x151f878, lpKernelTime=0x151f878, lpUserTime=0x151f878 | out: lpCreationTime=0x151f880, lpExitTime=0x151f878, lpKernelTime=0x151f878, lpUserTime=0x151f878) returned 1 [0035.978] OpenProcessToken (in: ProcessHandle=0x148, DesiredAccess=0x8, TokenHandle=0x151f848 | out: TokenHandle=0x151f848*=0x14c) returned 1 [0035.978] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f844 | out: TokenInformation=0x0, ReturnLength=0x151f844) returned 0 [0035.978] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0xb358b0, TokenInformationLength=0x14, ReturnLength=0x151f844 | out: TokenInformation=0xb358b0, ReturnLength=0x151f844) returned 1 [0035.978] GetSidSubAuthorityCount (pSid=0xb358b8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xb358b9 [0035.978] GetSidSubAuthority (pSid=0xb358b8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xb358c0 [0035.978] GetExitCodeProcess (in: hProcess=0x148, lpExitCode=0x151f864 | out: lpExitCode=0x151f864*=0x103) returned 1 [0035.978] GetProcessImageFileNameW (in: hProcess=0x148, lpImageFileName=0xb2ed88, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Program Files (x86)\\MSBuild\\fit.exe") returned 0x3b [0035.978] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x151f84c | out: Wow64Process=0x151f84c) returned 1 [0035.978] IsWow64Process (in: hProcess=0x148, Wow64Process=0x151f85c | out: Wow64Process=0x151f85c) returned 1 [0035.978] NtQueryInformationProcess (in: ProcessHandle=0x148, ProcessInformationClass=0x18, ProcessInformation=0x151f858, ProcessInformationLength=0x4, ReturnLength=0x151f85c | out: ProcessInformation=0x151f858, ReturnLength=0x151f85c) returned 0x0 [0035.978] GetProcessTimes (in: hProcess=0x148, lpCreationTime=0x151f880, lpExitTime=0x151f878, lpKernelTime=0x151f878, lpUserTime=0x151f878 | out: lpCreationTime=0x151f880, lpExitTime=0x151f878, lpKernelTime=0x151f878, lpUserTime=0x151f878) returned 1 [0035.978] OpenProcessToken (in: ProcessHandle=0x148, DesiredAccess=0x8, TokenHandle=0x151f848 | out: TokenHandle=0x151f848*=0x14c) returned 1 [0035.978] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f844 | out: TokenInformation=0x0, ReturnLength=0x151f844) returned 0 [0035.978] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0xb358b0, TokenInformationLength=0x14, ReturnLength=0x151f844 | out: TokenInformation=0xb358b0, ReturnLength=0x151f844) returned 1 [0035.978] GetSidSubAuthorityCount (pSid=0xb358b8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xb358b9 [0035.978] GetSidSubAuthority (pSid=0xb358b8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xb358c0 [0035.978] GetExitCodeProcess (in: hProcess=0x148, lpExitCode=0x151f864 | out: lpExitCode=0x151f864*=0x103) returned 1 [0035.978] GetProcessImageFileNameW (in: hProcess=0x148, lpImageFileName=0xb2ed88, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Program Files (x86)\\Windows Mail\\ob reid.exe") returned 0x44 [0035.979] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x151f84c | out: Wow64Process=0x151f84c) returned 1 [0035.979] IsWow64Process (in: hProcess=0x148, Wow64Process=0x151f85c | out: Wow64Process=0x151f85c) returned 1 [0035.979] NtQueryInformationProcess (in: ProcessHandle=0x148, ProcessInformationClass=0x18, ProcessInformation=0x151f858, ProcessInformationLength=0x4, ReturnLength=0x151f85c | out: ProcessInformation=0x151f858, ReturnLength=0x151f85c) returned 0x0 [0035.979] GetProcessTimes (in: hProcess=0x148, lpCreationTime=0x151f880, lpExitTime=0x151f878, lpKernelTime=0x151f878, lpUserTime=0x151f878 | out: lpCreationTime=0x151f880, lpExitTime=0x151f878, lpKernelTime=0x151f878, lpUserTime=0x151f878) returned 1 [0035.979] OpenProcessToken (in: ProcessHandle=0x148, DesiredAccess=0x8, TokenHandle=0x151f848 | out: TokenHandle=0x151f848*=0x14c) returned 1 [0035.979] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f844 | out: TokenInformation=0x0, ReturnLength=0x151f844) returned 0 [0035.979] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0xb358b0, TokenInformationLength=0x14, ReturnLength=0x151f844 | out: TokenInformation=0xb358b0, ReturnLength=0x151f844) returned 1 [0035.979] GetSidSubAuthorityCount (pSid=0xb358b8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xb358b9 [0035.979] GetSidSubAuthority (pSid=0xb358b8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xb358c0 [0035.979] GetExitCodeProcess (in: hProcess=0x148, lpExitCode=0x151f864 | out: lpExitCode=0x151f864*=0x103) returned 1 [0035.979] GetProcessImageFileNameW (in: hProcess=0x148, lpImageFileName=0xb2ed88, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Program Files\\Internet Explorer\\antonio_done_cultures.exe") returned 0x51 [0035.979] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x151f84c | out: Wow64Process=0x151f84c) returned 1 [0035.979] IsWow64Process (in: hProcess=0x148, Wow64Process=0x151f85c | out: Wow64Process=0x151f85c) returned 1 [0035.979] NtQueryInformationProcess (in: ProcessHandle=0x148, ProcessInformationClass=0x18, ProcessInformation=0x151f858, ProcessInformationLength=0x4, ReturnLength=0x151f85c | out: ProcessInformation=0x151f858, ReturnLength=0x151f85c) returned 0x0 [0035.979] GetProcessTimes (in: hProcess=0x148, lpCreationTime=0x151f880, lpExitTime=0x151f878, lpKernelTime=0x151f878, lpUserTime=0x151f878 | out: lpCreationTime=0x151f880, lpExitTime=0x151f878, lpKernelTime=0x151f878, lpUserTime=0x151f878) returned 1 [0035.979] OpenProcessToken (in: ProcessHandle=0x148, DesiredAccess=0x8, TokenHandle=0x151f848 | out: TokenHandle=0x151f848*=0x14c) returned 1 [0035.979] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f844 | out: TokenInformation=0x0, ReturnLength=0x151f844) returned 0 [0035.979] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0xb358b0, TokenInformationLength=0x14, ReturnLength=0x151f844 | out: TokenInformation=0xb358b0, ReturnLength=0x151f844) returned 1 [0035.979] GetSidSubAuthorityCount (pSid=0xb358b8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xb358b9 [0035.979] GetSidSubAuthority (pSid=0xb358b8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xb358c0 [0035.979] GetExitCodeProcess (in: hProcess=0x148, lpExitCode=0x151f864 | out: lpExitCode=0x151f864*=0x103) returned 1 [0035.979] GetProcessImageFileNameW (in: hProcess=0x148, lpImageFileName=0xb2ed88, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Program Files (x86)\\Java\\norfolk_trance_directive.exe") returned 0x4d [0035.979] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x151f84c | out: Wow64Process=0x151f84c) returned 1 [0035.979] IsWow64Process (in: hProcess=0x148, Wow64Process=0x151f85c | out: Wow64Process=0x151f85c) returned 1 [0035.979] NtQueryInformationProcess (in: ProcessHandle=0x148, ProcessInformationClass=0x18, ProcessInformation=0x151f858, ProcessInformationLength=0x4, ReturnLength=0x151f85c | out: ProcessInformation=0x151f858, ReturnLength=0x151f85c) returned 0x0 [0035.979] GetProcessTimes (in: hProcess=0x148, lpCreationTime=0x151f880, lpExitTime=0x151f878, lpKernelTime=0x151f878, lpUserTime=0x151f878 | out: lpCreationTime=0x151f880, lpExitTime=0x151f878, lpKernelTime=0x151f878, lpUserTime=0x151f878) returned 1 [0035.979] OpenProcessToken (in: ProcessHandle=0x148, DesiredAccess=0x8, TokenHandle=0x151f848 | out: TokenHandle=0x151f848*=0x14c) returned 1 [0035.979] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f844 | out: TokenInformation=0x0, ReturnLength=0x151f844) returned 0 [0035.980] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0xb358b0, TokenInformationLength=0x14, ReturnLength=0x151f844 | out: TokenInformation=0xb358b0, ReturnLength=0x151f844) returned 1 [0035.980] GetSidSubAuthorityCount (pSid=0xb358b8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xb358b9 [0035.980] GetSidSubAuthority (pSid=0xb358b8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xb358c0 [0035.980] GetExitCodeProcess (in: hProcess=0x148, lpExitCode=0x151f864 | out: lpExitCode=0x151f864*=0x103) returned 1 [0035.980] GetProcessImageFileNameW (in: hProcess=0x148, lpImageFileName=0xb2ed88, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Program Files\\Uninstall Information\\cheese-further-reads.exe") returned 0x54 [0035.980] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x151f84c | out: Wow64Process=0x151f84c) returned 1 [0035.980] IsWow64Process (in: hProcess=0x148, Wow64Process=0x151f85c | out: Wow64Process=0x151f85c) returned 1 [0035.980] NtQueryInformationProcess (in: ProcessHandle=0x148, ProcessInformationClass=0x18, ProcessInformation=0x151f858, ProcessInformationLength=0x4, ReturnLength=0x151f85c | out: ProcessInformation=0x151f858, ReturnLength=0x151f85c) returned 0x0 [0035.980] GetProcessTimes (in: hProcess=0x148, lpCreationTime=0x151f880, lpExitTime=0x151f878, lpKernelTime=0x151f878, lpUserTime=0x151f878 | out: lpCreationTime=0x151f880, lpExitTime=0x151f878, lpKernelTime=0x151f878, lpUserTime=0x151f878) returned 1 [0035.980] OpenProcessToken (in: ProcessHandle=0x148, DesiredAccess=0x8, TokenHandle=0x151f848 | out: TokenHandle=0x151f848*=0x14c) returned 1 [0035.980] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f844 | out: TokenInformation=0x0, ReturnLength=0x151f844) returned 0 [0035.980] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0xb358b0, TokenInformationLength=0x14, ReturnLength=0x151f844 | out: TokenInformation=0xb358b0, ReturnLength=0x151f844) returned 1 [0035.980] GetSidSubAuthorityCount (pSid=0xb358b8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xb358b9 [0035.980] GetSidSubAuthority (pSid=0xb358b8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xb358c0 [0035.980] GetExitCodeProcess (in: hProcess=0x148, lpExitCode=0x151f864 | out: lpExitCode=0x151f864*=0x103) returned 1 [0035.980] GetProcessImageFileNameW (in: hProcess=0x148, lpImageFileName=0xb2ed88, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Program Files\\Microsoft Analysis Services\\walking.exe") returned 0x4d [0035.980] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x151f84c | out: Wow64Process=0x151f84c) returned 1 [0035.980] IsWow64Process (in: hProcess=0x148, Wow64Process=0x151f85c | out: Wow64Process=0x151f85c) returned 1 [0035.980] NtQueryInformationProcess (in: ProcessHandle=0x148, ProcessInformationClass=0x18, ProcessInformation=0x151f858, ProcessInformationLength=0x4, ReturnLength=0x151f85c | out: ProcessInformation=0x151f858, ReturnLength=0x151f85c) returned 0x0 [0035.980] GetProcessTimes (in: hProcess=0x148, lpCreationTime=0x151f880, lpExitTime=0x151f878, lpKernelTime=0x151f878, lpUserTime=0x151f878 | out: lpCreationTime=0x151f880, lpExitTime=0x151f878, lpKernelTime=0x151f878, lpUserTime=0x151f878) returned 1 [0035.980] OpenProcessToken (in: ProcessHandle=0x148, DesiredAccess=0x8, TokenHandle=0x151f848 | out: TokenHandle=0x151f848*=0x14c) returned 1 [0035.980] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f844 | out: TokenInformation=0x0, ReturnLength=0x151f844) returned 0 [0035.980] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0xb358b0, TokenInformationLength=0x14, ReturnLength=0x151f844 | out: TokenInformation=0xb358b0, ReturnLength=0x151f844) returned 1 [0035.980] GetSidSubAuthorityCount (pSid=0xb358b8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xb358b9 [0035.980] GetSidSubAuthority (pSid=0xb358b8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xb358c0 [0035.980] GetExitCodeProcess (in: hProcess=0x148, lpExitCode=0x151f864 | out: lpExitCode=0x151f864*=0x103) returned 1 [0035.980] GetProcessImageFileNameW (in: hProcess=0x148, lpImageFileName=0xb2ed88, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Program Files\\Windows Photo Viewer\\happiness.exe") returned 0x48 [0035.981] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x151f84c | out: Wow64Process=0x151f84c) returned 1 [0035.981] IsWow64Process (in: hProcess=0x148, Wow64Process=0x151f85c | out: Wow64Process=0x151f85c) returned 1 [0035.981] NtQueryInformationProcess (in: ProcessHandle=0x148, ProcessInformationClass=0x18, ProcessInformation=0x151f858, ProcessInformationLength=0x4, ReturnLength=0x151f85c | out: ProcessInformation=0x151f858, ReturnLength=0x151f85c) returned 0x0 [0035.981] GetProcessTimes (in: hProcess=0x148, lpCreationTime=0x151f880, lpExitTime=0x151f878, lpKernelTime=0x151f878, lpUserTime=0x151f878 | out: lpCreationTime=0x151f880, lpExitTime=0x151f878, lpKernelTime=0x151f878, lpUserTime=0x151f878) returned 1 [0035.981] OpenProcessToken (in: ProcessHandle=0x148, DesiredAccess=0x8, TokenHandle=0x151f848 | out: TokenHandle=0x151f848*=0x14c) returned 1 [0035.981] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f844 | out: TokenInformation=0x0, ReturnLength=0x151f844) returned 0 [0035.981] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0xb358b0, TokenInformationLength=0x14, ReturnLength=0x151f844 | out: TokenInformation=0xb358b0, ReturnLength=0x151f844) returned 1 [0035.981] GetSidSubAuthorityCount (pSid=0xb358b8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xb358b9 [0035.981] GetSidSubAuthority (pSid=0xb358b8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xb358c0 [0035.981] GetExitCodeProcess (in: hProcess=0x148, lpExitCode=0x151f864 | out: lpExitCode=0x151f864*=0x103) returned 1 [0035.981] GetProcessImageFileNameW (in: hProcess=0x148, lpImageFileName=0xb2ed88, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Program Files (x86)\\Windows Media Player\\clubs_mobility_dive.exe") returned 0x58 [0035.981] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x151f84c | out: Wow64Process=0x151f84c) returned 1 [0035.981] IsWow64Process (in: hProcess=0x148, Wow64Process=0x151f85c | out: Wow64Process=0x151f85c) returned 1 [0035.981] NtQueryInformationProcess (in: ProcessHandle=0x148, ProcessInformationClass=0x18, ProcessInformation=0x151f858, ProcessInformationLength=0x4, ReturnLength=0x151f85c | out: ProcessInformation=0x151f858, ReturnLength=0x151f85c) returned 0x0 [0035.981] GetProcessTimes (in: hProcess=0x148, lpCreationTime=0x151f880, lpExitTime=0x151f878, lpKernelTime=0x151f878, lpUserTime=0x151f878 | out: lpCreationTime=0x151f880, lpExitTime=0x151f878, lpKernelTime=0x151f878, lpUserTime=0x151f878) returned 1 [0035.981] OpenProcessToken (in: ProcessHandle=0x148, DesiredAccess=0x8, TokenHandle=0x151f848 | out: TokenHandle=0x151f848*=0x14c) returned 1 [0035.981] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f844 | out: TokenInformation=0x0, ReturnLength=0x151f844) returned 0 [0035.981] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0xb358b0, TokenInformationLength=0x14, ReturnLength=0x151f844 | out: TokenInformation=0xb358b0, ReturnLength=0x151f844) returned 1 [0035.981] GetSidSubAuthorityCount (pSid=0xb358b8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xb358b9 [0035.981] GetSidSubAuthority (pSid=0xb358b8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xb358c0 [0035.981] GetExitCodeProcess (in: hProcess=0x148, lpExitCode=0x151f864 | out: lpExitCode=0x151f864*=0x103) returned 1 [0035.981] GetProcessImageFileNameW (in: hProcess=0x148, lpImageFileName=0xb2ed88, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Program Files (x86)\\Mozilla Maintenance Service\\completing.exe") returned 0x56 [0035.981] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x151f84c | out: Wow64Process=0x151f84c) returned 1 [0035.981] IsWow64Process (in: hProcess=0x148, Wow64Process=0x151f85c | out: Wow64Process=0x151f85c) returned 1 [0035.981] NtQueryInformationProcess (in: ProcessHandle=0x148, ProcessInformationClass=0x18, ProcessInformation=0x151f858, ProcessInformationLength=0x4, ReturnLength=0x151f85c | out: ProcessInformation=0x151f858, ReturnLength=0x151f85c) returned 0x0 [0035.982] GetProcessTimes (in: hProcess=0x148, lpCreationTime=0x151f880, lpExitTime=0x151f878, lpKernelTime=0x151f878, lpUserTime=0x151f878 | out: lpCreationTime=0x151f880, lpExitTime=0x151f878, lpKernelTime=0x151f878, lpUserTime=0x151f878) returned 1 [0035.982] OpenProcessToken (in: ProcessHandle=0x148, DesiredAccess=0x8, TokenHandle=0x151f848 | out: TokenHandle=0x151f848*=0x14c) returned 1 [0035.982] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f844 | out: TokenInformation=0x0, ReturnLength=0x151f844) returned 0 [0035.982] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0xb358b0, TokenInformationLength=0x14, ReturnLength=0x151f844 | out: TokenInformation=0xb358b0, ReturnLength=0x151f844) returned 1 [0035.982] GetSidSubAuthorityCount (pSid=0xb358b8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xb358b9 [0035.982] GetSidSubAuthority (pSid=0xb358b8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xb358c0 [0035.982] GetExitCodeProcess (in: hProcess=0x148, lpExitCode=0x151f864 | out: lpExitCode=0x151f864*=0x103) returned 1 [0035.982] GetProcessImageFileNameW (in: hProcess=0x148, lpImageFileName=0xb2ed88, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Program Files\\Windows Journal\\polished expressed.exe") returned 0x4c [0035.982] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x151f84c | out: Wow64Process=0x151f84c) returned 1 [0035.982] IsWow64Process (in: hProcess=0x148, Wow64Process=0x151f85c | out: Wow64Process=0x151f85c) returned 1 [0035.982] NtQueryInformationProcess (in: ProcessHandle=0x148, ProcessInformationClass=0x18, ProcessInformation=0x151f858, ProcessInformationLength=0x4, ReturnLength=0x151f85c | out: ProcessInformation=0x151f858, ReturnLength=0x151f85c) returned 0x0 [0035.982] GetProcessTimes (in: hProcess=0x148, lpCreationTime=0x151f880, lpExitTime=0x151f878, lpKernelTime=0x151f878, lpUserTime=0x151f878 | out: lpCreationTime=0x151f880, lpExitTime=0x151f878, lpKernelTime=0x151f878, lpUserTime=0x151f878) returned 1 [0035.982] OpenProcessToken (in: ProcessHandle=0x148, DesiredAccess=0x8, TokenHandle=0x151f848 | out: TokenHandle=0x151f848*=0x14c) returned 1 [0035.982] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f844 | out: TokenInformation=0x0, ReturnLength=0x151f844) returned 0 [0035.982] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0xb358b0, TokenInformationLength=0x14, ReturnLength=0x151f844 | out: TokenInformation=0xb358b0, ReturnLength=0x151f844) returned 1 [0035.982] GetSidSubAuthorityCount (pSid=0xb358b8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xb358b9 [0035.982] GetSidSubAuthority (pSid=0xb358b8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xb358c0 [0035.982] GetExitCodeProcess (in: hProcess=0x148, lpExitCode=0x151f864 | out: lpExitCode=0x151f864*=0x103) returned 1 [0035.982] GetProcessImageFileNameW (in: hProcess=0x148, lpImageFileName=0xb2ed88, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Program Files\\Reference Assemblies\\need result.exe") returned 0x4a [0035.982] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x151f84c | out: Wow64Process=0x151f84c) returned 1 [0035.982] IsWow64Process (in: hProcess=0x148, Wow64Process=0x151f85c | out: Wow64Process=0x151f85c) returned 1 [0035.982] NtQueryInformationProcess (in: ProcessHandle=0x148, ProcessInformationClass=0x18, ProcessInformation=0x151f858, ProcessInformationLength=0x4, ReturnLength=0x151f85c | out: ProcessInformation=0x151f858, ReturnLength=0x151f85c) returned 0x0 [0035.982] GetProcessTimes (in: hProcess=0x148, lpCreationTime=0x151f880, lpExitTime=0x151f878, lpKernelTime=0x151f878, lpUserTime=0x151f878 | out: lpCreationTime=0x151f880, lpExitTime=0x151f878, lpKernelTime=0x151f878, lpUserTime=0x151f878) returned 1 [0035.982] OpenProcessToken (in: ProcessHandle=0x148, DesiredAccess=0x8, TokenHandle=0x151f848 | out: TokenHandle=0x151f848*=0x14c) returned 1 [0035.982] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f844 | out: TokenInformation=0x0, ReturnLength=0x151f844) returned 0 [0035.982] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0xb358b0, TokenInformationLength=0x14, ReturnLength=0x151f844 | out: TokenInformation=0xb358b0, ReturnLength=0x151f844) returned 1 [0035.982] GetSidSubAuthorityCount (pSid=0xb358b8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xb358b9 [0035.982] GetSidSubAuthority (pSid=0xb358b8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xb358c0 [0035.983] GetExitCodeProcess (in: hProcess=0x148, lpExitCode=0x151f864 | out: lpExitCode=0x151f864*=0x103) returned 1 [0035.983] GetProcessImageFileNameW (in: hProcess=0x148, lpImageFileName=0xb2ed88, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Program Files\\Microsoft Sync Framework\\spring.exe") returned 0x49 [0035.983] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x151f84c | out: Wow64Process=0x151f84c) returned 1 [0035.983] IsWow64Process (in: hProcess=0x148, Wow64Process=0x151f85c | out: Wow64Process=0x151f85c) returned 1 [0035.983] NtQueryInformationProcess (in: ProcessHandle=0x148, ProcessInformationClass=0x18, ProcessInformation=0x151f858, ProcessInformationLength=0x4, ReturnLength=0x151f85c | out: ProcessInformation=0x151f858, ReturnLength=0x151f85c) returned 0x0 [0035.983] GetProcessTimes (in: hProcess=0x148, lpCreationTime=0x151f880, lpExitTime=0x151f878, lpKernelTime=0x151f878, lpUserTime=0x151f878 | out: lpCreationTime=0x151f880, lpExitTime=0x151f878, lpKernelTime=0x151f878, lpUserTime=0x151f878) returned 1 [0035.983] OpenProcessToken (in: ProcessHandle=0x148, DesiredAccess=0x8, TokenHandle=0x151f848 | out: TokenHandle=0x151f848*=0x14c) returned 1 [0035.983] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f844 | out: TokenInformation=0x0, ReturnLength=0x151f844) returned 0 [0035.983] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0xb358b0, TokenInformationLength=0x14, ReturnLength=0x151f844 | out: TokenInformation=0xb358b0, ReturnLength=0x151f844) returned 1 [0035.983] GetSidSubAuthorityCount (pSid=0xb358b8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xb358b9 [0035.983] GetSidSubAuthority (pSid=0xb358b8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xb358c0 [0035.983] GetExitCodeProcess (in: hProcess=0x148, lpExitCode=0x151f864 | out: lpExitCode=0x151f864*=0x103) returned 1 [0035.983] GetProcessImageFileNameW (in: hProcess=0x148, lpImageFileName=0xb2ed88, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Program Files (x86)\\MSBuild\\marvel.exe") returned 0x3e [0035.983] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x151f84c | out: Wow64Process=0x151f84c) returned 1 [0035.983] IsWow64Process (in: hProcess=0x148, Wow64Process=0x151f85c | out: Wow64Process=0x151f85c) returned 1 [0035.983] NtQueryInformationProcess (in: ProcessHandle=0x148, ProcessInformationClass=0x18, ProcessInformation=0x151f858, ProcessInformationLength=0x4, ReturnLength=0x151f85c | out: ProcessInformation=0x151f858, ReturnLength=0x151f85c) returned 0x0 [0035.983] GetProcessTimes (in: hProcess=0x148, lpCreationTime=0x151f880, lpExitTime=0x151f878, lpKernelTime=0x151f878, lpUserTime=0x151f878 | out: lpCreationTime=0x151f880, lpExitTime=0x151f878, lpKernelTime=0x151f878, lpUserTime=0x151f878) returned 1 [0035.983] OpenProcessToken (in: ProcessHandle=0x148, DesiredAccess=0x8, TokenHandle=0x151f848 | out: TokenHandle=0x151f848*=0x14c) returned 1 [0035.983] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f844 | out: TokenInformation=0x0, ReturnLength=0x151f844) returned 0 [0035.983] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0xb358b0, TokenInformationLength=0x14, ReturnLength=0x151f844 | out: TokenInformation=0xb358b0, ReturnLength=0x151f844) returned 1 [0035.983] GetSidSubAuthorityCount (pSid=0xb358b8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xb358b9 [0035.983] GetSidSubAuthority (pSid=0xb358b8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xb358c0 [0035.983] GetExitCodeProcess (in: hProcess=0x148, lpExitCode=0x151f864 | out: lpExitCode=0x151f864*=0x103) returned 1 [0035.983] GetProcessImageFileNameW (in: hProcess=0x148, lpImageFileName=0xb2ed88, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Program Files\\Windows Media Player\\clicks plc.exe") returned 0x49 [0035.983] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x151f84c | out: Wow64Process=0x151f84c) returned 1 [0035.983] IsWow64Process (in: hProcess=0x148, Wow64Process=0x151f85c | out: Wow64Process=0x151f85c) returned 1 [0035.983] NtQueryInformationProcess (in: ProcessHandle=0x148, ProcessInformationClass=0x18, ProcessInformation=0x151f858, ProcessInformationLength=0x4, ReturnLength=0x151f85c | out: ProcessInformation=0x151f858, ReturnLength=0x151f85c) returned 0x0 [0035.984] GetProcessTimes (in: hProcess=0x148, lpCreationTime=0x151f880, lpExitTime=0x151f878, lpKernelTime=0x151f878, lpUserTime=0x151f878 | out: lpCreationTime=0x151f880, lpExitTime=0x151f878, lpKernelTime=0x151f878, lpUserTime=0x151f878) returned 1 [0035.984] OpenProcessToken (in: ProcessHandle=0x148, DesiredAccess=0x8, TokenHandle=0x151f848 | out: TokenHandle=0x151f848*=0x14c) returned 1 [0035.984] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f844 | out: TokenInformation=0x0, ReturnLength=0x151f844) returned 0 [0035.984] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0xb358b0, TokenInformationLength=0x14, ReturnLength=0x151f844 | out: TokenInformation=0xb358b0, ReturnLength=0x151f844) returned 1 [0035.984] GetSidSubAuthorityCount (pSid=0xb358b8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xb358b9 [0035.984] GetSidSubAuthority (pSid=0xb358b8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xb358c0 [0035.984] GetExitCodeProcess (in: hProcess=0x148, lpExitCode=0x151f864 | out: lpExitCode=0x151f864*=0x103) returned 1 [0035.984] GetProcessImageFileNameW (in: hProcess=0x148, lpImageFileName=0xb2ed88, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Program Files\\DVD Maker\\inter-angle.exe") returned 0x3f [0035.984] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x151f84c | out: Wow64Process=0x151f84c) returned 1 [0035.984] IsWow64Process (in: hProcess=0x148, Wow64Process=0x151f85c | out: Wow64Process=0x151f85c) returned 1 [0035.984] NtQueryInformationProcess (in: ProcessHandle=0x148, ProcessInformationClass=0x18, ProcessInformation=0x151f858, ProcessInformationLength=0x4, ReturnLength=0x151f85c | out: ProcessInformation=0x151f858, ReturnLength=0x151f85c) returned 0x0 [0035.984] GetProcessTimes (in: hProcess=0x148, lpCreationTime=0x151f880, lpExitTime=0x151f878, lpKernelTime=0x151f878, lpUserTime=0x151f878 | out: lpCreationTime=0x151f880, lpExitTime=0x151f878, lpKernelTime=0x151f878, lpUserTime=0x151f878) returned 1 [0035.984] OpenProcessToken (in: ProcessHandle=0x148, DesiredAccess=0x8, TokenHandle=0x151f848 | out: TokenHandle=0x151f848*=0x14c) returned 1 [0035.984] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f844 | out: TokenInformation=0x0, ReturnLength=0x151f844) returned 0 [0035.984] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0xb358b0, TokenInformationLength=0x14, ReturnLength=0x151f844 | out: TokenInformation=0xb358b0, ReturnLength=0x151f844) returned 1 [0035.984] GetSidSubAuthorityCount (pSid=0xb358b8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xb358b9 [0035.984] GetSidSubAuthority (pSid=0xb358b8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xb358c0 [0035.984] GetExitCodeProcess (in: hProcess=0x148, lpExitCode=0x151f864 | out: lpExitCode=0x151f864*=0x103) returned 1 [0035.984] GetProcessImageFileNameW (in: hProcess=0x148, lpImageFileName=0xb2ed88, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Program Files\\Windows Portable Devices\\admit cellular.exe") returned 0x51 [0035.984] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x151f84c | out: Wow64Process=0x151f84c) returned 1 [0035.984] IsWow64Process (in: hProcess=0x148, Wow64Process=0x151f85c | out: Wow64Process=0x151f85c) returned 1 [0035.984] NtQueryInformationProcess (in: ProcessHandle=0x148, ProcessInformationClass=0x18, ProcessInformation=0x151f858, ProcessInformationLength=0x4, ReturnLength=0x151f85c | out: ProcessInformation=0x151f858, ReturnLength=0x151f85c) returned 0x0 [0035.984] GetProcessTimes (in: hProcess=0x148, lpCreationTime=0x151f880, lpExitTime=0x151f878, lpKernelTime=0x151f878, lpUserTime=0x151f878 | out: lpCreationTime=0x151f880, lpExitTime=0x151f878, lpKernelTime=0x151f878, lpUserTime=0x151f878) returned 1 [0035.984] OpenProcessToken (in: ProcessHandle=0x148, DesiredAccess=0x8, TokenHandle=0x151f848 | out: TokenHandle=0x151f848*=0x14c) returned 1 [0035.984] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f844 | out: TokenInformation=0x0, ReturnLength=0x151f844) returned 0 [0035.984] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0xb358b0, TokenInformationLength=0x14, ReturnLength=0x151f844 | out: TokenInformation=0xb358b0, ReturnLength=0x151f844) returned 1 [0035.984] GetSidSubAuthorityCount (pSid=0xb358b8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xb358b9 [0035.984] GetSidSubAuthority (pSid=0xb358b8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xb358c0 [0035.984] GetExitCodeProcess (in: hProcess=0x148, lpExitCode=0x151f864 | out: lpExitCode=0x151f864*=0x103) returned 1 [0035.985] GetProcessImageFileNameW (in: hProcess=0x148, lpImageFileName=0xb2ed88, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Program Files (x86)\\Microsoft Analysis Services\\contractor.exe") returned 0x56 [0035.985] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x151f84c | out: Wow64Process=0x151f84c) returned 1 [0035.985] IsWow64Process (in: hProcess=0x148, Wow64Process=0x151f85c | out: Wow64Process=0x151f85c) returned 1 [0035.985] NtQueryInformationProcess (in: ProcessHandle=0x148, ProcessInformationClass=0x18, ProcessInformation=0x151f858, ProcessInformationLength=0x4, ReturnLength=0x151f85c | out: ProcessInformation=0x151f858, ReturnLength=0x151f85c) returned 0x0 [0035.985] GetProcessTimes (in: hProcess=0x148, lpCreationTime=0x151f880, lpExitTime=0x151f878, lpKernelTime=0x151f878, lpUserTime=0x151f878 | out: lpCreationTime=0x151f880, lpExitTime=0x151f878, lpKernelTime=0x151f878, lpUserTime=0x151f878) returned 1 [0035.985] OpenProcessToken (in: ProcessHandle=0x148, DesiredAccess=0x8, TokenHandle=0x151f848 | out: TokenHandle=0x151f848*=0x14c) returned 1 [0035.985] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f844 | out: TokenInformation=0x0, ReturnLength=0x151f844) returned 0 [0035.985] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0xb358b0, TokenInformationLength=0x14, ReturnLength=0x151f844 | out: TokenInformation=0xb358b0, ReturnLength=0x151f844) returned 1 [0035.985] GetSidSubAuthorityCount (pSid=0xb358b8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xb358b9 [0035.985] GetSidSubAuthority (pSid=0xb358b8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xb358c0 [0035.985] GetExitCodeProcess (in: hProcess=0x148, lpExitCode=0x151f864 | out: lpExitCode=0x151f864*=0x103) returned 1 [0035.985] GetProcessImageFileNameW (in: hProcess=0x148, lpImageFileName=0xb2ed88, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Program Files\\Microsoft Office\\theta.exe") returned 0x40 [0035.985] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x151f84c | out: Wow64Process=0x151f84c) returned 1 [0035.985] IsWow64Process (in: hProcess=0x148, Wow64Process=0x151f85c | out: Wow64Process=0x151f85c) returned 1 [0035.985] NtQueryInformationProcess (in: ProcessHandle=0x148, ProcessInformationClass=0x18, ProcessInformation=0x151f858, ProcessInformationLength=0x4, ReturnLength=0x151f85c | out: ProcessInformation=0x151f858, ReturnLength=0x151f85c) returned 0x0 [0035.985] GetProcessTimes (in: hProcess=0x148, lpCreationTime=0x151f880, lpExitTime=0x151f878, lpKernelTime=0x151f878, lpUserTime=0x151f878 | out: lpCreationTime=0x151f880, lpExitTime=0x151f878, lpKernelTime=0x151f878, lpUserTime=0x151f878) returned 1 [0035.985] OpenProcessToken (in: ProcessHandle=0x148, DesiredAccess=0x8, TokenHandle=0x151f848 | out: TokenHandle=0x151f848*=0x14c) returned 1 [0035.985] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f844 | out: TokenInformation=0x0, ReturnLength=0x151f844) returned 0 [0035.985] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0xb358b0, TokenInformationLength=0x14, ReturnLength=0x151f844 | out: TokenInformation=0xb358b0, ReturnLength=0x151f844) returned 1 [0035.985] GetSidSubAuthorityCount (pSid=0xb358b8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xb358b9 [0035.985] GetSidSubAuthority (pSid=0xb358b8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xb358c0 [0035.985] GetExitCodeProcess (in: hProcess=0x148, lpExitCode=0x151f864 | out: lpExitCode=0x151f864*=0x103) returned 1 [0035.985] GetProcessImageFileNameW (in: hProcess=0x148, lpImageFileName=0xb2ed88, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Windows\\System32\\csrss.exe") returned 0x32 [0035.985] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x151f84c | out: Wow64Process=0x151f84c) returned 1 [0035.985] IsWow64Process (in: hProcess=0x148, Wow64Process=0x151f85c | out: Wow64Process=0x151f85c) returned 1 [0035.985] NtQueryInformationProcess (in: ProcessHandle=0x148, ProcessInformationClass=0x18, ProcessInformation=0x151f858, ProcessInformationLength=0x4, ReturnLength=0x151f85c | out: ProcessInformation=0x151f858, ReturnLength=0x151f85c) returned 0x0 [0035.985] GetProcessTimes (in: hProcess=0x148, lpCreationTime=0x151f880, lpExitTime=0x151f878, lpKernelTime=0x151f878, lpUserTime=0x151f878 | out: lpCreationTime=0x151f880, lpExitTime=0x151f878, lpKernelTime=0x151f878, lpUserTime=0x151f878) returned 1 [0035.986] OpenProcessToken (in: ProcessHandle=0x148, DesiredAccess=0x8, TokenHandle=0x151f848 | out: TokenHandle=0x151f848*=0x14c) returned 1 [0035.986] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f844 | out: TokenInformation=0x0, ReturnLength=0x151f844) returned 0 [0035.986] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0xb358b0, TokenInformationLength=0x14, ReturnLength=0x151f844 | out: TokenInformation=0xb358b0, ReturnLength=0x151f844) returned 1 [0035.986] GetSidSubAuthorityCount (pSid=0xb358b8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000)) returned 0xb358b9 [0035.986] GetSidSubAuthority (pSid=0xb358b8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000), nSubAuthority=0x0) returned 0xb358c0 [0035.986] GetExitCodeProcess (in: hProcess=0x148, lpExitCode=0x151f864 | out: lpExitCode=0x151f864*=0x103) returned 1 [0035.986] GetProcessImageFileNameW (in: hProcess=0x148, lpImageFileName=0xb2ed88, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Windows\\System32\\conhost.exe") returned 0x34 [0035.986] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x151f84c | out: Wow64Process=0x151f84c) returned 1 [0035.986] IsWow64Process (in: hProcess=0x148, Wow64Process=0x151f85c | out: Wow64Process=0x151f85c) returned 1 [0035.986] NtQueryInformationProcess (in: ProcessHandle=0x148, ProcessInformationClass=0x18, ProcessInformation=0x151f858, ProcessInformationLength=0x4, ReturnLength=0x151f85c | out: ProcessInformation=0x151f858, ReturnLength=0x151f85c) returned 0x0 [0035.986] GetProcessTimes (in: hProcess=0x148, lpCreationTime=0x151f880, lpExitTime=0x151f878, lpKernelTime=0x151f878, lpUserTime=0x151f878 | out: lpCreationTime=0x151f880, lpExitTime=0x151f878, lpKernelTime=0x151f878, lpUserTime=0x151f878) returned 1 [0035.986] OpenProcessToken (in: ProcessHandle=0x148, DesiredAccess=0x8, TokenHandle=0x151f848 | out: TokenHandle=0x151f848*=0x14c) returned 1 [0035.986] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f844 | out: TokenInformation=0x0, ReturnLength=0x151f844) returned 0 [0035.986] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0xb358b0, TokenInformationLength=0x14, ReturnLength=0x151f844 | out: TokenInformation=0xb358b0, ReturnLength=0x151f844) returned 1 [0035.986] GetSidSubAuthorityCount (pSid=0xb358b8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x3000)) returned 0xb358b9 [0035.986] GetSidSubAuthority (pSid=0xb358b8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x3000), nSubAuthority=0x0) returned 0xb358c0 [0035.986] GetExitCodeProcess (in: hProcess=0x148, lpExitCode=0x151f864 | out: lpExitCode=0x151f864*=0x103) returned 1 [0035.986] GetProcessImageFileNameW (in: hProcess=0x148, lpImageFileName=0xb2ed88, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Program Files\\Common Files\\Microsoft Shared\\Source Engine\\OSE.EXE") returned 0x59 [0035.986] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x151f84c | out: Wow64Process=0x151f84c) returned 1 [0035.986] IsWow64Process (in: hProcess=0x148, Wow64Process=0x151f85c | out: Wow64Process=0x151f85c) returned 1 [0035.986] NtQueryInformationProcess (in: ProcessHandle=0x148, ProcessInformationClass=0x18, ProcessInformation=0x151f858, ProcessInformationLength=0x4, ReturnLength=0x151f85c | out: ProcessInformation=0x151f858, ReturnLength=0x151f85c) returned 0x0 [0035.986] GetProcessTimes (in: hProcess=0x148, lpCreationTime=0x151f880, lpExitTime=0x151f878, lpKernelTime=0x151f878, lpUserTime=0x151f878 | out: lpCreationTime=0x151f880, lpExitTime=0x151f878, lpKernelTime=0x151f878, lpUserTime=0x151f878) returned 1 [0035.986] OpenProcessToken (in: ProcessHandle=0x148, DesiredAccess=0x8, TokenHandle=0x151f848 | out: TokenHandle=0x151f848*=0x14c) returned 1 [0035.986] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f844 | out: TokenInformation=0x0, ReturnLength=0x151f844) returned 0 [0035.986] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0xb358b0, TokenInformationLength=0x14, ReturnLength=0x151f844 | out: TokenInformation=0xb358b0, ReturnLength=0x151f844) returned 1 [0035.986] GetSidSubAuthorityCount (pSid=0xb358b8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000)) returned 0xb358b9 [0035.986] GetSidSubAuthority (pSid=0xb358b8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000), nSubAuthority=0x0) returned 0xb358c0 [0035.987] GetExitCodeProcess (in: hProcess=0x148, lpExitCode=0x151f864 | out: lpExitCode=0x151f864*=0x103) returned 1 [0035.987] GetProcessImageFileNameW (in: hProcess=0x148, lpImageFileName=0xb2ed88, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Windows\\System32\\VSSVC.exe") returned 0x32 [0035.987] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x151f84c | out: Wow64Process=0x151f84c) returned 1 [0035.987] IsWow64Process (in: hProcess=0x148, Wow64Process=0x151f85c | out: Wow64Process=0x151f85c) returned 1 [0035.987] NtQueryInformationProcess (in: ProcessHandle=0x148, ProcessInformationClass=0x18, ProcessInformation=0x151f858, ProcessInformationLength=0x4, ReturnLength=0x151f85c | out: ProcessInformation=0x151f858, ReturnLength=0x151f85c) returned 0x0 [0035.987] GetProcessTimes (in: hProcess=0x148, lpCreationTime=0x151f880, lpExitTime=0x151f878, lpKernelTime=0x151f878, lpUserTime=0x151f878 | out: lpCreationTime=0x151f880, lpExitTime=0x151f878, lpKernelTime=0x151f878, lpUserTime=0x151f878) returned 1 [0035.987] OpenProcessToken (in: ProcessHandle=0x148, DesiredAccess=0x8, TokenHandle=0x151f848 | out: TokenHandle=0x151f848*=0x14c) returned 1 [0035.987] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f844 | out: TokenInformation=0x0, ReturnLength=0x151f844) returned 0 [0035.987] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0xb358b0, TokenInformationLength=0x14, ReturnLength=0x151f844 | out: TokenInformation=0xb358b0, ReturnLength=0x151f844) returned 1 [0035.987] GetSidSubAuthorityCount (pSid=0xb358b8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000)) returned 0xb358b9 [0035.987] GetSidSubAuthority (pSid=0xb358b8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000), nSubAuthority=0x0) returned 0xb358c0 [0035.987] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x20, TokenHandle=0x151fc40 | out: TokenHandle=0x151fc40*=0x144) returned 0x0 [0035.987] NtAdjustPrivilegesToken (in: TokenHandle=0x144, DisableAllPrivileges=0, NewState=0x151fc44, BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 0x0 [0035.987] NtClose (Handle=0x144) returned 0x0 [0035.987] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x20, TokenHandle=0x151fc40 | out: TokenHandle=0x151fc40*=0x144) returned 0x0 [0035.987] NtAdjustPrivilegesToken (in: TokenHandle=0x144, DisableAllPrivileges=0, NewState=0x151fc44, BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 0x0 [0035.987] NtClose (Handle=0x144) returned 0x0 [0035.987] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x144 [0035.989] Process32FirstW (in: hSnapshot=0x144, lppe=0x151f8c0 | out: lppe=0x151f8c0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0035.989] Process32NextW (in: hSnapshot=0x144, lppe=0x151f8c0 | out: lppe=0x151f8c0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4e, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0035.990] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="system", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0035.990] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="system", cchWideChar=6, lpMultiByteStr=0xae8ed8, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="system", lpUsedDefaultChar=0x0) returned 6 [0035.990] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="System", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0035.990] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="System", cchWideChar=6, lpMultiByteStr=0xae8ed8, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="System", lpUsedDefaultChar=0x0) returned 6 [0035.990] Process32NextW (in: hSnapshot=0x144, lppe=0x151f8c0 | out: lppe=0x151f8c0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x104, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0035.990] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="smss.exe", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0035.990] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="smss.exe", cchWideChar=8, lpMultiByteStr=0xae8fb0, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="smss.exe", lpUsedDefaultChar=0x0) returned 8 [0035.990] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="smss.exe", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0035.990] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="smss.exe", cchWideChar=8, lpMultiByteStr=0xae8fb0, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="smss.exe", lpUsedDefaultChar=0x0) returned 8 [0035.991] Process32NextW (in: hSnapshot=0x144, lppe=0x151f8c0 | out: lppe=0x151f8c0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0035.991] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="csrss.exe", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0035.991] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="csrss.exe", cchWideChar=9, lpMultiByteStr=0xae9040, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="csrss.exe", lpUsedDefaultChar=0x0) returned 9 [0035.991] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="csrss.exe", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0035.991] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="csrss.exe", cchWideChar=9, lpMultiByteStr=0xae9040, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="csrss.exe", lpUsedDefaultChar=0x0) returned 9 [0035.991] Process32NextW (in: hSnapshot=0x144, lppe=0x151f8c0 | out: lppe=0x151f8c0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x140, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0035.992] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="wininit.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.992] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="wininit.exe", cchWideChar=11, lpMultiByteStr=0xae9088, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="wininit.exe", lpUsedDefaultChar=0x0) returned 11 [0035.992] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="wininit.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.992] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="wininit.exe", cchWideChar=11, lpMultiByteStr=0xae9088, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="wininit.exe", lpUsedDefaultChar=0x0) returned 11 [0035.992] Process32NextW (in: hSnapshot=0x144, lppe=0x151f8c0 | out: lppe=0x151f8c0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x184, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0035.992] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="csrss.exe", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0035.992] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="csrss.exe", cchWideChar=9, lpMultiByteStr=0xae90d0, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="csrss.exe", lpUsedDefaultChar=0x0) returned 9 [0035.992] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="csrss.exe", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0035.992] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="csrss.exe", cchWideChar=9, lpMultiByteStr=0xae90d0, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="csrss.exe", lpUsedDefaultChar=0x0) returned 9 [0035.993] Process32NextW (in: hSnapshot=0x144, lppe=0x151f8c0 | out: lppe=0x151f8c0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0035.993] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="winlogon.exe", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0035.993] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="winlogon.exe", cchWideChar=12, lpMultiByteStr=0xae9118, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="winlogon.exe", lpUsedDefaultChar=0x0) returned 12 [0035.993] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="winlogon.exe", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0035.993] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="winlogon.exe", cchWideChar=12, lpMultiByteStr=0xae9118, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="winlogon.exe", lpUsedDefaultChar=0x0) returned 12 [0035.993] Process32NextW (in: hSnapshot=0x144, lppe=0x151f8c0 | out: lppe=0x151f8c0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0035.994] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="services.exe", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0035.994] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="services.exe", cchWideChar=12, lpMultiByteStr=0xae9160, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="services.exe", lpUsedDefaultChar=0x0) returned 12 [0035.994] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="services.exe", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0035.994] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="services.exe", cchWideChar=12, lpMultiByteStr=0xae9160, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="services.exe", lpUsedDefaultChar=0x0) returned 12 [0035.994] Process32NextW (in: hSnapshot=0x144, lppe=0x151f8c0 | out: lppe=0x151f8c0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x178, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0035.994] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="lsass.exe", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0035.994] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="lsass.exe", cchWideChar=9, lpMultiByteStr=0xae91a8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="lsass.exe", lpUsedDefaultChar=0x0) returned 9 [0035.994] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="lsass.exe", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0035.994] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="lsass.exe", cchWideChar=9, lpMultiByteStr=0xae91a8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="lsass.exe", lpUsedDefaultChar=0x0) returned 9 [0035.994] Process32NextW (in: hSnapshot=0x144, lppe=0x151f8c0 | out: lppe=0x151f8c0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x178, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0035.995] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="lsm.exe", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0035.995] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="lsm.exe", cchWideChar=7, lpMultiByteStr=0xae91f0, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="lsm.exe", lpUsedDefaultChar=0x0) returned 7 [0035.995] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="lsm.exe", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0035.995] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="lsm.exe", cchWideChar=7, lpMultiByteStr=0xae91f0, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="lsm.exe", lpUsedDefaultChar=0x0) returned 7 [0035.995] Process32NextW (in: hSnapshot=0x144, lppe=0x151f8c0 | out: lppe=0x151f8c0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x254, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1d4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0035.996] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.996] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xae9238, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0035.996] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.996] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xae9238, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0035.996] Process32NextW (in: hSnapshot=0x144, lppe=0x151f8c0 | out: lppe=0x151f8c0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x294, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1d4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0035.996] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.996] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xae9280, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0035.997] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.997] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xae9280, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0035.997] Process32NextW (in: hSnapshot=0x144, lppe=0x151f8c0 | out: lppe=0x151f8c0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1d4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0035.997] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.997] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xae92c8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0035.997] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.997] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xae92c8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0035.997] Process32NextW (in: hSnapshot=0x144, lppe=0x151f8c0 | out: lppe=0x151f8c0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x310, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1d4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0035.998] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.998] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xae8e48, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0035.998] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.998] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xae8e48, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0035.998] Process32NextW (in: hSnapshot=0x144, lppe=0x151f8c0 | out: lppe=0x151f8c0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x350, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x25, th32ParentProcessID=0x1d4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0035.998] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.998] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xae9310, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0035.998] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.998] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xae9310, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0035.998] Process32NextW (in: hSnapshot=0x144, lppe=0x151f8c0 | out: lppe=0x151f8c0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0035.999] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="audiodg.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.999] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="audiodg.exe", cchWideChar=11, lpMultiByteStr=0xae9358, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="audiodg.exe", lpUsedDefaultChar=0x0) returned 11 [0035.999] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="audiodg.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.999] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="audiodg.exe", cchWideChar=11, lpMultiByteStr=0xae9358, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="audiodg.exe", lpUsedDefaultChar=0x0) returned 11 [0035.999] Process32NextW (in: hSnapshot=0x144, lppe=0x151f8c0 | out: lppe=0x151f8c0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xf0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1d4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0035.999] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0035.999] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xae93a0, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0036.000] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0036.000] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xae93a0, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0036.000] Process32NextW (in: hSnapshot=0x144, lppe=0x151f8c0 | out: lppe=0x151f8c0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x268, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1d4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0036.000] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0036.000] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xae93e8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0036.000] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0036.000] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xae93e8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0036.000] Process32NextW (in: hSnapshot=0x144, lppe=0x151f8c0 | out: lppe=0x151f8c0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x310, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0036.001] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="dwm.exe", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0036.001] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="dwm.exe", cchWideChar=7, lpMultiByteStr=0xae8ed8, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dwm.exe", lpUsedDefaultChar=0x0) returned 7 [0036.001] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="dwm.exe", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0036.001] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="dwm.exe", cchWideChar=7, lpMultiByteStr=0xae8ed8, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dwm.exe", lpUsedDefaultChar=0x0) returned 7 [0036.001] Process32NextW (in: hSnapshot=0x144, lppe=0x151f8c0 | out: lppe=0x151f8c0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x460, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1c, th32ParentProcessID=0x44c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0036.001] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="explorer.exe", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0036.001] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="explorer.exe", cchWideChar=12, lpMultiByteStr=0xae9478, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="explorer.exe", lpUsedDefaultChar=0x0) returned 12 [0036.001] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="explorer.exe", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0036.001] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="explorer.exe", cchWideChar=12, lpMultiByteStr=0xae9478, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="explorer.exe", lpUsedDefaultChar=0x0) returned 12 [0036.002] Process32NextW (in: hSnapshot=0x144, lppe=0x151f8c0 | out: lppe=0x151f8c0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d4, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0036.002] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="spoolsv.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0036.002] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="spoolsv.exe", cchWideChar=11, lpMultiByteStr=0xae93e8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="spoolsv.exe", lpUsedDefaultChar=0x0) returned 11 [0036.002] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="spoolsv.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0036.002] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="spoolsv.exe", cchWideChar=11, lpMultiByteStr=0xae93e8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="spoolsv.exe", lpUsedDefaultChar=0x0) returned 11 [0036.002] Process32NextW (in: hSnapshot=0x144, lppe=0x151f8c0 | out: lppe=0x151f8c0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1d4, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0036.003] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="taskhost.exe", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0036.003] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="taskhost.exe", cchWideChar=12, lpMultiByteStr=0xae9430, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="taskhost.exe", lpUsedDefaultChar=0x0) returned 12 [0036.003] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="taskhost.exe", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0036.003] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="taskhost.exe", cchWideChar=12, lpMultiByteStr=0xae9430, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="taskhost.exe", lpUsedDefaultChar=0x0) returned 12 [0036.003] Process32NextW (in: hSnapshot=0x144, lppe=0x151f8c0 | out: lppe=0x151f8c0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1d4, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0036.003] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0036.003] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xae99d0, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0036.003] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0036.003] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xae99d0, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0036.003] Process32NextW (in: hSnapshot=0x144, lppe=0x151f8c0 | out: lppe=0x151f8c0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x610, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x350, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0036.004] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="taskeng.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0036.004] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="taskeng.exe", cchWideChar=11, lpMultiByteStr=0xae9940, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="taskeng.exe", lpUsedDefaultChar=0x0) returned 11 [0036.004] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="taskeng.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0036.004] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="taskeng.exe", cchWideChar=11, lpMultiByteStr=0xae9940, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="taskeng.exe", lpUsedDefaultChar=0x0) returned 11 [0036.004] Process32NextW (in: hSnapshot=0x144, lppe=0x151f8c0 | out: lppe=0x151f8c0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x474, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1d4, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0036.004] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="taskhost.exe", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0036.004] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="taskhost.exe", cchWideChar=12, lpMultiByteStr=0xae94c0, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="taskhost.exe", lpUsedDefaultChar=0x0) returned 12 [0036.004] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="taskhost.exe", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0036.004] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="taskhost.exe", cchWideChar=12, lpMultiByteStr=0xae94c0, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="taskhost.exe", lpUsedDefaultChar=0x0) returned 12 [0036.004] Process32NextW (in: hSnapshot=0x144, lppe=0x151f8c0 | out: lppe=0x151f8c0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x738, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="connectionsdecade.exe")) returned 1 [0036.005] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="connectionsdecade.exe", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0036.005] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="connectionsdecade.exe", cchWideChar=21, lpMultiByteStr=0xae9508, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="connectionsdecade.exe", lpUsedDefaultChar=0x0) returned 21 [0036.005] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="connectionsdecade.exe", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0036.005] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="connectionsdecade.exe", cchWideChar=21, lpMultiByteStr=0xae9508, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="connectionsdecade.exe", lpUsedDefaultChar=0x0) returned 21 [0036.005] Process32NextW (in: hSnapshot=0x144, lppe=0x151f8c0 | out: lppe=0x151f8c0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x320, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="spectrum fs.exe")) returned 1 [0036.006] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="spectrum fs.exe", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0036.006] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="spectrum fs.exe", cchWideChar=15, lpMultiByteStr=0xae9550, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="spectrum fs.exe", lpUsedDefaultChar=0x0) returned 15 [0036.006] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="spectrum fs.exe", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0036.006] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="spectrum fs.exe", cchWideChar=15, lpMultiByteStr=0xae9550, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="spectrum fs.exe", lpUsedDefaultChar=0x0) returned 15 [0036.006] Process32NextW (in: hSnapshot=0x144, lppe=0x151f8c0 | out: lppe=0x151f8c0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x90, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="amounts_under.exe")) returned 1 [0036.006] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="amounts_under.exe", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0036.006] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="amounts_under.exe", cchWideChar=17, lpMultiByteStr=0xae9598, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="amounts_under.exe", lpUsedDefaultChar=0x0) returned 17 [0036.006] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="amounts_under.exe", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0036.006] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="amounts_under.exe", cchWideChar=17, lpMultiByteStr=0xae9598, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="amounts_under.exe", lpUsedDefaultChar=0x0) returned 17 [0036.006] Process32NextW (in: hSnapshot=0x144, lppe=0x151f8c0 | out: lppe=0x151f8c0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x37c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="emergency_limitation.exe")) returned 1 [0036.007] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="emergency_limitation.exe", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0036.007] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="emergency_limitation.exe", cchWideChar=24, lpMultiByteStr=0xae95e0, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="emergency_limitation.exe", lpUsedDefaultChar=0x0) returned 24 [0036.007] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="emergency_limitation.exe", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0036.007] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="emergency_limitation.exe", cchWideChar=24, lpMultiByteStr=0xae95e0, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="emergency_limitation.exe", lpUsedDefaultChar=0x0) returned 24 [0036.007] Process32NextW (in: hSnapshot=0x144, lppe=0x151f8c0 | out: lppe=0x151f8c0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x344, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="partnerships.exe")) returned 1 [0036.007] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="partnerships.exe", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0036.007] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="partnerships.exe", cchWideChar=16, lpMultiByteStr=0xae9628, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="partnerships.exe", lpUsedDefaultChar=0x0) returned 16 [0036.007] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="partnerships.exe", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0036.007] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="partnerships.exe", cchWideChar=16, lpMultiByteStr=0xae9628, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="partnerships.exe", lpUsedDefaultChar=0x0) returned 16 [0036.008] Process32NextW (in: hSnapshot=0x144, lppe=0x151f8c0 | out: lppe=0x151f8c0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="fit.exe")) returned 1 [0036.008] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="fit.exe", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0036.008] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="fit.exe", cchWideChar=7, lpMultiByteStr=0xae9670, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="fit.exe", lpUsedDefaultChar=0x0) returned 7 [0036.008] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="fit.exe", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0036.008] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="fit.exe", cchWideChar=7, lpMultiByteStr=0xae9670, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="fit.exe", lpUsedDefaultChar=0x0) returned 7 [0036.008] Process32NextW (in: hSnapshot=0x144, lppe=0x151f8c0 | out: lppe=0x151f8c0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x360, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="ob reid.exe")) returned 1 [0036.009] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ob reid.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0036.009] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ob reid.exe", cchWideChar=11, lpMultiByteStr=0xae96b8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ob reid.exe", lpUsedDefaultChar=0x0) returned 11 [0036.009] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ob reid.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0036.009] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ob reid.exe", cchWideChar=11, lpMultiByteStr=0xae96b8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ob reid.exe", lpUsedDefaultChar=0x0) returned 11 [0036.009] Process32NextW (in: hSnapshot=0x144, lppe=0x151f8c0 | out: lppe=0x151f8c0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x340, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="antonio_done_cultures.exe")) returned 1 [0036.009] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="antonio_done_cultures.exe", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0036.009] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="antonio_done_cultures.exe", cchWideChar=25, lpMultiByteStr=0xae9700, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="antonio_done_cultures.exe", lpUsedDefaultChar=0x0) returned 25 [0036.009] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="antonio_done_cultures.exe", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0036.009] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="antonio_done_cultures.exe", cchWideChar=25, lpMultiByteStr=0xae9700, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="antonio_done_cultures.exe", lpUsedDefaultChar=0x0) returned 25 [0036.009] Process32NextW (in: hSnapshot=0x144, lppe=0x151f8c0 | out: lppe=0x151f8c0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="norfolk_trance_directive.exe")) returned 1 [0036.010] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="norfolk_trance_directive.exe", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0036.010] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="norfolk_trance_directive.exe", cchWideChar=28, lpMultiByteStr=0xae9748, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="norfolk_trance_directive.exe", lpUsedDefaultChar=0x0) returned 28 [0036.010] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="norfolk_trance_directive.exe", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0036.010] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="norfolk_trance_directive.exe", cchWideChar=28, lpMultiByteStr=0xae9748, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="norfolk_trance_directive.exe", lpUsedDefaultChar=0x0) returned 28 [0036.010] Process32NextW (in: hSnapshot=0x144, lppe=0x151f8c0 | out: lppe=0x151f8c0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="cheese-further-reads.exe")) returned 1 [0036.010] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="cheese-further-reads.exe", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0036.010] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="cheese-further-reads.exe", cchWideChar=24, lpMultiByteStr=0xae9790, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="cheese-further-reads.exe", lpUsedDefaultChar=0x0) returned 24 [0036.011] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="cheese-further-reads.exe", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0036.011] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="cheese-further-reads.exe", cchWideChar=24, lpMultiByteStr=0xae9790, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="cheese-further-reads.exe", lpUsedDefaultChar=0x0) returned 24 [0036.011] Process32NextW (in: hSnapshot=0x144, lppe=0x151f8c0 | out: lppe=0x151f8c0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x708, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="walking.exe")) returned 1 [0036.011] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="walking.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0036.011] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="walking.exe", cchWideChar=11, lpMultiByteStr=0xae97d8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="walking.exe", lpUsedDefaultChar=0x0) returned 11 [0036.011] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="walking.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0036.011] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="walking.exe", cchWideChar=11, lpMultiByteStr=0xae97d8, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="walking.exe", lpUsedDefaultChar=0x0) returned 11 [0036.011] Process32NextW (in: hSnapshot=0x144, lppe=0x151f8c0 | out: lppe=0x151f8c0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7f0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="happiness.exe")) returned 1 [0036.012] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="happiness.exe", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0036.012] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="happiness.exe", cchWideChar=13, lpMultiByteStr=0xae9820, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="happiness.exe", lpUsedDefaultChar=0x0) returned 13 [0036.012] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="happiness.exe", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0036.012] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="happiness.exe", cchWideChar=13, lpMultiByteStr=0xae9820, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="happiness.exe", lpUsedDefaultChar=0x0) returned 13 [0036.012] Process32NextW (in: hSnapshot=0x144, lppe=0x151f8c0 | out: lppe=0x151f8c0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x180, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="clubs_mobility_dive.exe")) returned 1 [0036.012] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="clubs_mobility_dive.exe", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0036.012] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="clubs_mobility_dive.exe", cchWideChar=23, lpMultiByteStr=0xae9868, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="clubs_mobility_dive.exe", lpUsedDefaultChar=0x0) returned 23 [0036.012] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="clubs_mobility_dive.exe", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0036.012] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="clubs_mobility_dive.exe", cchWideChar=23, lpMultiByteStr=0xae9868, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="clubs_mobility_dive.exe", lpUsedDefaultChar=0x0) returned 23 [0036.012] Process32NextW (in: hSnapshot=0x144, lppe=0x151f8c0 | out: lppe=0x151f8c0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="completing.exe")) returned 1 [0036.013] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="completing.exe", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0036.013] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="completing.exe", cchWideChar=14, lpMultiByteStr=0xae98f8, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="completing.exe", lpUsedDefaultChar=0x0) returned 14 [0036.013] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="completing.exe", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0036.013] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="completing.exe", cchWideChar=14, lpMultiByteStr=0xae98f8, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="completing.exe", lpUsedDefaultChar=0x0) returned 14 [0036.013] Process32NextW (in: hSnapshot=0x144, lppe=0x151f8c0 | out: lppe=0x151f8c0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x730, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="polished expressed.exe")) returned 1 [0036.013] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="polished expressed.exe", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0036.014] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="polished expressed.exe", cchWideChar=22, lpMultiByteStr=0xae98b0, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="polished expressed.exe", lpUsedDefaultChar=0x0) returned 22 [0036.014] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="polished expressed.exe", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0036.014] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="polished expressed.exe", cchWideChar=22, lpMultiByteStr=0xae98b0, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="polished expressed.exe", lpUsedDefaultChar=0x0) returned 22 [0036.014] Process32NextW (in: hSnapshot=0x144, lppe=0x151f8c0 | out: lppe=0x151f8c0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="need result.exe")) returned 1 [0036.020] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="need result.exe", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0036.020] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="need result.exe", cchWideChar=15, lpMultiByteStr=0xae9988, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="need result.exe", lpUsedDefaultChar=0x0) returned 15 [0036.020] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="need result.exe", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0036.020] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="need result.exe", cchWideChar=15, lpMultiByteStr=0xae9988, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="need result.exe", lpUsedDefaultChar=0x0) returned 15 [0036.020] Process32NextW (in: hSnapshot=0x144, lppe=0x151f8c0 | out: lppe=0x151f8c0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="spring.exe")) returned 1 [0036.020] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="spring.exe", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0036.021] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="spring.exe", cchWideChar=10, lpMultiByteStr=0xb353e8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="spring.exe", lpUsedDefaultChar=0x0) returned 10 [0036.021] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="spring.exe", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0036.021] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="spring.exe", cchWideChar=10, lpMultiByteStr=0xb353e8, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="spring.exe", lpUsedDefaultChar=0x0) returned 10 [0036.021] Process32NextW (in: hSnapshot=0x144, lppe=0x151f8c0 | out: lppe=0x151f8c0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x648, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="marvel.exe")) returned 1 [0036.021] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="marvel.exe", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0036.021] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="marvel.exe", cchWideChar=10, lpMultiByteStr=0xb35358, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="marvel.exe", lpUsedDefaultChar=0x0) returned 10 [0036.021] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="marvel.exe", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0036.021] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="marvel.exe", cchWideChar=10, lpMultiByteStr=0xb35358, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="marvel.exe", lpUsedDefaultChar=0x0) returned 10 [0036.021] Process32NextW (in: hSnapshot=0x144, lppe=0x151f8c0 | out: lppe=0x151f8c0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x624, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="clicks plc.exe")) returned 1 [0036.022] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="clicks plc.exe", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0036.022] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="clicks plc.exe", cchWideChar=14, lpMultiByteStr=0xb35310, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="clicks plc.exe", lpUsedDefaultChar=0x0) returned 14 [0036.022] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="clicks plc.exe", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0036.022] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="clicks plc.exe", cchWideChar=14, lpMultiByteStr=0xb35310, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="clicks plc.exe", lpUsedDefaultChar=0x0) returned 14 [0036.022] Process32NextW (in: hSnapshot=0x144, lppe=0x151f8c0 | out: lppe=0x151f8c0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="inter-angle.exe")) returned 1 [0036.022] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="inter-angle.exe", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0036.022] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="inter-angle.exe", cchWideChar=15, lpMultiByteStr=0xb352c8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="inter-angle.exe", lpUsedDefaultChar=0x0) returned 15 [0036.022] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="inter-angle.exe", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0036.022] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="inter-angle.exe", cchWideChar=15, lpMultiByteStr=0xb352c8, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="inter-angle.exe", lpUsedDefaultChar=0x0) returned 15 [0036.023] Process32NextW (in: hSnapshot=0x144, lppe=0x151f8c0 | out: lppe=0x151f8c0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x374, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="admit cellular.exe")) returned 1 [0036.023] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="admit cellular.exe", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0036.023] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="admit cellular.exe", cchWideChar=18, lpMultiByteStr=0xb35280, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="admit cellular.exe", lpUsedDefaultChar=0x0) returned 18 [0036.023] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="admit cellular.exe", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0036.023] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="admit cellular.exe", cchWideChar=18, lpMultiByteStr=0xb35280, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="admit cellular.exe", lpUsedDefaultChar=0x0) returned 18 [0036.023] Process32NextW (in: hSnapshot=0x144, lppe=0x151f8c0 | out: lppe=0x151f8c0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="contractor.exe")) returned 1 [0036.025] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="contractor.exe", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0036.025] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="contractor.exe", cchWideChar=14, lpMultiByteStr=0xb35238, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="contractor.exe", lpUsedDefaultChar=0x0) returned 14 [0036.025] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="contractor.exe", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0036.025] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="contractor.exe", cchWideChar=14, lpMultiByteStr=0xb35238, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="contractor.exe", lpUsedDefaultChar=0x0) returned 14 [0036.025] Process32NextW (in: hSnapshot=0x144, lppe=0x151f8c0 | out: lppe=0x151f8c0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x460, pcPriClassBase=8, dwFlags=0x0, szExeFile="theta.exe")) returned 1 [0036.026] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="theta.exe", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0036.026] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="theta.exe", cchWideChar=9, lpMultiByteStr=0xb358b0, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="theta.exe", lpUsedDefaultChar=0x0) returned 9 [0036.026] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="theta.exe", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0036.026] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="theta.exe", cchWideChar=9, lpMultiByteStr=0xb358b0, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="theta.exe", lpUsedDefaultChar=0x0) returned 9 [0036.026] Process32NextW (in: hSnapshot=0x144, lppe=0x151f8c0 | out: lppe=0x151f8c0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x968, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x954, pcPriClassBase=8, dwFlags=0x0, szExeFile="vssadmin.exe")) returned 1 [0036.026] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="vssadmin.exe", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0036.026] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="vssadmin.exe", cchWideChar=12, lpMultiByteStr=0xb358f8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="vssadmin.exe", lpUsedDefaultChar=0x0) returned 12 [0036.026] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="vssadmin.exe", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0036.026] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="vssadmin.exe", cchWideChar=12, lpMultiByteStr=0xb358f8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="vssadmin.exe", lpUsedDefaultChar=0x0) returned 12 [0036.026] Process32NextW (in: hSnapshot=0x144, lppe=0x151f8c0 | out: lppe=0x151f8c0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x970, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x184, pcPriClassBase=8, dwFlags=0x0, szExeFile="conhost.exe")) returned 1 [0036.027] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="conhost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0036.027] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="conhost.exe", cchWideChar=11, lpMultiByteStr=0xb35940, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="conhost.exe", lpUsedDefaultChar=0x0) returned 11 [0036.027] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="conhost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0036.027] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="conhost.exe", cchWideChar=11, lpMultiByteStr=0xb35940, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="conhost.exe", lpUsedDefaultChar=0x0) returned 11 [0036.027] Process32NextW (in: hSnapshot=0x144, lppe=0x151f8c0 | out: lppe=0x151f8c0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x97c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1d4, pcPriClassBase=8, dwFlags=0x0, szExeFile="OSE.EXE")) returned 1 [0036.028] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ose.exe", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0036.028] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ose.exe", cchWideChar=7, lpMultiByteStr=0xb35988, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ose.exe", lpUsedDefaultChar=0x0) returned 7 [0036.028] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="OSE.EXE", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0036.028] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="OSE.EXE", cchWideChar=7, lpMultiByteStr=0xb35988, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OSE.EXE", lpUsedDefaultChar=0x0) returned 7 [0036.028] Process32NextW (in: hSnapshot=0x144, lppe=0x151f8c0 | out: lppe=0x151f8c0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x1d4, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 1 [0036.029] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="vssvc.exe", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0036.029] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="vssvc.exe", cchWideChar=9, lpMultiByteStr=0xb359d0, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="vssvc.exe", lpUsedDefaultChar=0x0) returned 9 [0036.029] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="VSSVC.exe", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0036.029] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="VSSVC.exe", cchWideChar=9, lpMultiByteStr=0xb359d0, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VSSVC.exe", lpUsedDefaultChar=0x0) returned 9 [0036.029] Process32NextW (in: hSnapshot=0x144, lppe=0x151f8c0 | out: lppe=0x151f8c0*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9ac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x1d4, pcPriClassBase=8, dwFlags=0x0, szExeFile="VSSVC.exe")) returned 0 [0036.029] NtOpenProcess (in: ProcessHandle=0x151f828, DesiredAccess=0x400, ObjectAttributes=0x151f834*(Length=0x18, RootDirectory=0x0, ObjectName=0x0, Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), ClientId=0x151f82c*(UniqueProcess=0x4, UniqueThread=0x0) | out: ProcessHandle=0x151f828*=0x0) returned 0xc0000022 [0036.029] NtOpenProcess (in: ProcessHandle=0x151f828, DesiredAccess=0x1000, ObjectAttributes=0x151f834*(Length=0x18, RootDirectory=0x0, ObjectName=0x0, Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), ClientId=0x151f82c*(UniqueProcess=0x4, UniqueThread=0x0) | out: ProcessHandle=0x151f828*=0x148) returned 0x0 [0036.029] GetExitCodeProcess (in: hProcess=0x148, lpExitCode=0x151f850 | out: lpExitCode=0x151f850*=0x103) returned 1 [0036.029] GetProcessImageFileNameW (in: hProcess=0x148, lpImageFileName=0xb2ed88, nSize=0x200 | out: lpImageFileName="") returned 0x0 [0036.029] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x151f838 | out: Wow64Process=0x151f838) returned 1 [0036.029] IsWow64Process (in: hProcess=0x148, Wow64Process=0x151f848 | out: Wow64Process=0x151f848) returned 1 [0036.029] NtQueryInformationProcess (in: ProcessHandle=0x148, ProcessInformationClass=0x18, ProcessInformation=0x151f844, ProcessInformationLength=0x4, ReturnLength=0x151f848 | out: ProcessInformation=0x151f844, ReturnLength=0x151f848) returned 0x0 [0036.029] GetProcessTimes (in: hProcess=0x148, lpCreationTime=0x151f86c, lpExitTime=0x151f864, lpKernelTime=0x151f864, lpUserTime=0x151f864 | out: lpCreationTime=0x151f86c, lpExitTime=0x151f864, lpKernelTime=0x151f864, lpUserTime=0x151f864) returned 1 [0036.030] OpenProcessToken (in: ProcessHandle=0x148, DesiredAccess=0x8, TokenHandle=0x151f834 | out: TokenHandle=0x151f834*=0x14c) returned 1 [0036.030] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f830 | out: TokenInformation=0x0, ReturnLength=0x151f830) returned 0 [0036.030] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0xb35a18, TokenInformationLength=0x14, ReturnLength=0x151f830 | out: TokenInformation=0xb35a18, ReturnLength=0x151f830) returned 1 [0036.030] GetSidSubAuthorityCount (pSid=0xb35a20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000)) returned 0xb35a21 [0036.030] GetSidSubAuthority (pSid=0xb35a20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000), nSubAuthority=0x0) returned 0xb35a28 [0036.030] GetExitCodeProcess (in: hProcess=0x148, lpExitCode=0x151f850 | out: lpExitCode=0x151f850*=0x103) returned 1 [0036.030] GetProcessImageFileNameW (in: hProcess=0x148, lpImageFileName=0xb2ed88, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Windows\\System32\\smss.exe") returned 0x31 [0036.030] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x151f838 | out: Wow64Process=0x151f838) returned 1 [0036.030] IsWow64Process (in: hProcess=0x148, Wow64Process=0x151f848 | out: Wow64Process=0x151f848) returned 1 [0036.030] NtQueryInformationProcess (in: ProcessHandle=0x148, ProcessInformationClass=0x18, ProcessInformation=0x151f844, ProcessInformationLength=0x4, ReturnLength=0x151f848 | out: ProcessInformation=0x151f844, ReturnLength=0x151f848) returned 0x0 [0036.030] GetProcessTimes (in: hProcess=0x148, lpCreationTime=0x151f86c, lpExitTime=0x151f864, lpKernelTime=0x151f864, lpUserTime=0x151f864 | out: lpCreationTime=0x151f86c, lpExitTime=0x151f864, lpKernelTime=0x151f864, lpUserTime=0x151f864) returned 1 [0036.030] OpenProcessToken (in: ProcessHandle=0x148, DesiredAccess=0x8, TokenHandle=0x151f834 | out: TokenHandle=0x151f834*=0x14c) returned 1 [0036.030] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f830 | out: TokenInformation=0x0, ReturnLength=0x151f830) returned 0 [0036.030] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0xb35a18, TokenInformationLength=0x14, ReturnLength=0x151f830 | out: TokenInformation=0xb35a18, ReturnLength=0x151f830) returned 1 [0036.030] GetSidSubAuthorityCount (pSid=0xb35a20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000)) returned 0xb35a21 [0036.030] GetSidSubAuthority (pSid=0xb35a20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000), nSubAuthority=0x0) returned 0xb35a28 [0036.030] GetExitCodeProcess (in: hProcess=0x148, lpExitCode=0x151f850 | out: lpExitCode=0x151f850*=0x103) returned 1 [0036.030] GetProcessImageFileNameW (in: hProcess=0x148, lpImageFileName=0xb2ed88, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Windows\\System32\\wininit.exe") returned 0x34 [0036.030] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x151f838 | out: Wow64Process=0x151f838) returned 1 [0036.030] IsWow64Process (in: hProcess=0x148, Wow64Process=0x151f848 | out: Wow64Process=0x151f848) returned 1 [0036.030] NtQueryInformationProcess (in: ProcessHandle=0x148, ProcessInformationClass=0x18, ProcessInformation=0x151f844, ProcessInformationLength=0x4, ReturnLength=0x151f848 | out: ProcessInformation=0x151f844, ReturnLength=0x151f848) returned 0x0 [0036.030] GetProcessTimes (in: hProcess=0x148, lpCreationTime=0x151f86c, lpExitTime=0x151f864, lpKernelTime=0x151f864, lpUserTime=0x151f864 | out: lpCreationTime=0x151f86c, lpExitTime=0x151f864, lpKernelTime=0x151f864, lpUserTime=0x151f864) returned 1 [0036.030] OpenProcessToken (in: ProcessHandle=0x148, DesiredAccess=0x8, TokenHandle=0x151f834 | out: TokenHandle=0x151f834*=0x14c) returned 1 [0036.030] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f830 | out: TokenInformation=0x0, ReturnLength=0x151f830) returned 0 [0036.030] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0xb35a18, TokenInformationLength=0x14, ReturnLength=0x151f830 | out: TokenInformation=0xb35a18, ReturnLength=0x151f830) returned 1 [0036.030] GetSidSubAuthorityCount (pSid=0xb35a20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000)) returned 0xb35a21 [0036.030] GetSidSubAuthority (pSid=0xb35a20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000), nSubAuthority=0x0) returned 0xb35a28 [0036.031] GetExitCodeProcess (in: hProcess=0x148, lpExitCode=0x151f850 | out: lpExitCode=0x151f850*=0x103) returned 1 [0036.031] GetProcessImageFileNameW (in: hProcess=0x148, lpImageFileName=0xb2ed88, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Windows\\System32\\services.exe") returned 0x35 [0036.031] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x151f838 | out: Wow64Process=0x151f838) returned 1 [0036.031] IsWow64Process (in: hProcess=0x148, Wow64Process=0x151f848 | out: Wow64Process=0x151f848) returned 1 [0036.031] NtQueryInformationProcess (in: ProcessHandle=0x148, ProcessInformationClass=0x18, ProcessInformation=0x151f844, ProcessInformationLength=0x4, ReturnLength=0x151f848 | out: ProcessInformation=0x151f844, ReturnLength=0x151f848) returned 0x0 [0036.031] GetProcessTimes (in: hProcess=0x148, lpCreationTime=0x151f86c, lpExitTime=0x151f864, lpKernelTime=0x151f864, lpUserTime=0x151f864 | out: lpCreationTime=0x151f86c, lpExitTime=0x151f864, lpKernelTime=0x151f864, lpUserTime=0x151f864) returned 1 [0036.031] OpenProcessToken (in: ProcessHandle=0x148, DesiredAccess=0x8, TokenHandle=0x151f834 | out: TokenHandle=0x151f834*=0x14c) returned 1 [0036.031] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f830 | out: TokenInformation=0x0, ReturnLength=0x151f830) returned 0 [0036.031] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0xb35a18, TokenInformationLength=0x14, ReturnLength=0x151f830 | out: TokenInformation=0xb35a18, ReturnLength=0x151f830) returned 1 [0036.031] GetSidSubAuthorityCount (pSid=0xb35a20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000)) returned 0xb35a21 [0036.031] GetSidSubAuthority (pSid=0xb35a20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000), nSubAuthority=0x0) returned 0xb35a28 [0036.031] GetExitCodeProcess (in: hProcess=0x148, lpExitCode=0x151f850 | out: lpExitCode=0x151f850*=0x103) returned 1 [0036.031] GetProcessImageFileNameW (in: hProcess=0x148, lpImageFileName=0xb2ed88, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Windows\\System32\\lsass.exe") returned 0x32 [0036.031] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x151f838 | out: Wow64Process=0x151f838) returned 1 [0036.031] IsWow64Process (in: hProcess=0x148, Wow64Process=0x151f848 | out: Wow64Process=0x151f848) returned 1 [0036.031] NtQueryInformationProcess (in: ProcessHandle=0x148, ProcessInformationClass=0x18, ProcessInformation=0x151f844, ProcessInformationLength=0x4, ReturnLength=0x151f848 | out: ProcessInformation=0x151f844, ReturnLength=0x151f848) returned 0x0 [0036.031] GetProcessTimes (in: hProcess=0x148, lpCreationTime=0x151f86c, lpExitTime=0x151f864, lpKernelTime=0x151f864, lpUserTime=0x151f864 | out: lpCreationTime=0x151f86c, lpExitTime=0x151f864, lpKernelTime=0x151f864, lpUserTime=0x151f864) returned 1 [0036.031] OpenProcessToken (in: ProcessHandle=0x148, DesiredAccess=0x8, TokenHandle=0x151f834 | out: TokenHandle=0x151f834*=0x14c) returned 1 [0036.031] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f830 | out: TokenInformation=0x0, ReturnLength=0x151f830) returned 0 [0036.031] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0xb35a18, TokenInformationLength=0x14, ReturnLength=0x151f830 | out: TokenInformation=0xb35a18, ReturnLength=0x151f830) returned 1 [0036.031] GetSidSubAuthorityCount (pSid=0xb35a20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000)) returned 0xb35a21 [0036.031] GetSidSubAuthority (pSid=0xb35a20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000), nSubAuthority=0x0) returned 0xb35a28 [0036.031] GetExitCodeProcess (in: hProcess=0x148, lpExitCode=0x151f850 | out: lpExitCode=0x151f850*=0x103) returned 1 [0036.031] GetProcessImageFileNameW (in: hProcess=0x148, lpImageFileName=0xb2ed88, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Windows\\System32\\lsm.exe") returned 0x30 [0036.031] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x151f838 | out: Wow64Process=0x151f838) returned 1 [0036.032] IsWow64Process (in: hProcess=0x148, Wow64Process=0x151f848 | out: Wow64Process=0x151f848) returned 1 [0036.032] NtQueryInformationProcess (in: ProcessHandle=0x148, ProcessInformationClass=0x18, ProcessInformation=0x151f844, ProcessInformationLength=0x4, ReturnLength=0x151f848 | out: ProcessInformation=0x151f844, ReturnLength=0x151f848) returned 0x0 [0036.032] GetProcessTimes (in: hProcess=0x148, lpCreationTime=0x151f86c, lpExitTime=0x151f864, lpKernelTime=0x151f864, lpUserTime=0x151f864 | out: lpCreationTime=0x151f86c, lpExitTime=0x151f864, lpKernelTime=0x151f864, lpUserTime=0x151f864) returned 1 [0036.032] OpenProcessToken (in: ProcessHandle=0x148, DesiredAccess=0x8, TokenHandle=0x151f834 | out: TokenHandle=0x151f834*=0x14c) returned 1 [0036.032] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f830 | out: TokenInformation=0x0, ReturnLength=0x151f830) returned 0 [0036.032] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0xb35a18, TokenInformationLength=0x14, ReturnLength=0x151f830 | out: TokenInformation=0xb35a18, ReturnLength=0x151f830) returned 1 [0036.032] GetSidSubAuthorityCount (pSid=0xb35a20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000)) returned 0xb35a21 [0036.032] GetSidSubAuthority (pSid=0xb35a20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000), nSubAuthority=0x0) returned 0xb35a28 [0036.032] GetExitCodeProcess (in: hProcess=0x148, lpExitCode=0x151f850 | out: lpExitCode=0x151f850*=0x103) returned 1 [0036.032] GetProcessImageFileNameW (in: hProcess=0x148, lpImageFileName=0xb2ed88, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Windows\\System32\\svchost.exe") returned 0x34 [0036.032] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x151f838 | out: Wow64Process=0x151f838) returned 1 [0036.032] IsWow64Process (in: hProcess=0x148, Wow64Process=0x151f848 | out: Wow64Process=0x151f848) returned 1 [0036.032] NtQueryInformationProcess (in: ProcessHandle=0x148, ProcessInformationClass=0x18, ProcessInformation=0x151f844, ProcessInformationLength=0x4, ReturnLength=0x151f848 | out: ProcessInformation=0x151f844, ReturnLength=0x151f848) returned 0x0 [0036.032] GetProcessTimes (in: hProcess=0x148, lpCreationTime=0x151f86c, lpExitTime=0x151f864, lpKernelTime=0x151f864, lpUserTime=0x151f864 | out: lpCreationTime=0x151f86c, lpExitTime=0x151f864, lpKernelTime=0x151f864, lpUserTime=0x151f864) returned 1 [0036.032] OpenProcessToken (in: ProcessHandle=0x148, DesiredAccess=0x8, TokenHandle=0x151f834 | out: TokenHandle=0x151f834*=0x14c) returned 1 [0036.032] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f830 | out: TokenInformation=0x0, ReturnLength=0x151f830) returned 0 [0036.032] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0xb35a18, TokenInformationLength=0x14, ReturnLength=0x151f830 | out: TokenInformation=0xb35a18, ReturnLength=0x151f830) returned 1 [0036.032] GetSidSubAuthorityCount (pSid=0xb35a20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000)) returned 0xb35a21 [0036.032] GetSidSubAuthority (pSid=0xb35a20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000), nSubAuthority=0x0) returned 0xb35a28 [0036.032] GetExitCodeProcess (in: hProcess=0x148, lpExitCode=0x151f850 | out: lpExitCode=0x151f850*=0x103) returned 1 [0036.032] GetProcessImageFileNameW (in: hProcess=0x148, lpImageFileName=0xb2ed88, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Windows\\System32\\svchost.exe") returned 0x34 [0036.032] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x151f838 | out: Wow64Process=0x151f838) returned 1 [0036.032] IsWow64Process (in: hProcess=0x148, Wow64Process=0x151f848 | out: Wow64Process=0x151f848) returned 1 [0036.032] NtQueryInformationProcess (in: ProcessHandle=0x148, ProcessInformationClass=0x18, ProcessInformation=0x151f844, ProcessInformationLength=0x4, ReturnLength=0x151f848 | out: ProcessInformation=0x151f844, ReturnLength=0x151f848) returned 0x0 [0036.032] GetProcessTimes (in: hProcess=0x148, lpCreationTime=0x151f86c, lpExitTime=0x151f864, lpKernelTime=0x151f864, lpUserTime=0x151f864 | out: lpCreationTime=0x151f86c, lpExitTime=0x151f864, lpKernelTime=0x151f864, lpUserTime=0x151f864) returned 1 [0036.032] OpenProcessToken (in: ProcessHandle=0x148, DesiredAccess=0x8, TokenHandle=0x151f834 | out: TokenHandle=0x151f834*=0x14c) returned 1 [0036.032] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f830 | out: TokenInformation=0x0, ReturnLength=0x151f830) returned 0 [0036.033] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0xb35a18, TokenInformationLength=0x14, ReturnLength=0x151f830 | out: TokenInformation=0xb35a18, ReturnLength=0x151f830) returned 1 [0036.033] GetSidSubAuthorityCount (pSid=0xb35a20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000)) returned 0xb35a21 [0036.033] GetSidSubAuthority (pSid=0xb35a20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000), nSubAuthority=0x0) returned 0xb35a28 [0036.033] GetExitCodeProcess (in: hProcess=0x148, lpExitCode=0x151f850 | out: lpExitCode=0x151f850*=0x103) returned 1 [0036.033] GetProcessImageFileNameW (in: hProcess=0x148, lpImageFileName=0xb2ed88, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Windows\\System32\\svchost.exe") returned 0x34 [0036.033] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x151f838 | out: Wow64Process=0x151f838) returned 1 [0036.033] IsWow64Process (in: hProcess=0x148, Wow64Process=0x151f848 | out: Wow64Process=0x151f848) returned 1 [0036.033] NtQueryInformationProcess (in: ProcessHandle=0x148, ProcessInformationClass=0x18, ProcessInformation=0x151f844, ProcessInformationLength=0x4, ReturnLength=0x151f848 | out: ProcessInformation=0x151f844, ReturnLength=0x151f848) returned 0x0 [0036.033] GetProcessTimes (in: hProcess=0x148, lpCreationTime=0x151f86c, lpExitTime=0x151f864, lpKernelTime=0x151f864, lpUserTime=0x151f864 | out: lpCreationTime=0x151f86c, lpExitTime=0x151f864, lpKernelTime=0x151f864, lpUserTime=0x151f864) returned 1 [0036.033] OpenProcessToken (in: ProcessHandle=0x148, DesiredAccess=0x8, TokenHandle=0x151f834 | out: TokenHandle=0x151f834*=0x14c) returned 1 [0036.033] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f830 | out: TokenInformation=0x0, ReturnLength=0x151f830) returned 0 [0036.033] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0xb35a18, TokenInformationLength=0x14, ReturnLength=0x151f830 | out: TokenInformation=0xb35a18, ReturnLength=0x151f830) returned 1 [0036.033] GetSidSubAuthorityCount (pSid=0xb35a20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000)) returned 0xb35a21 [0036.033] GetSidSubAuthority (pSid=0xb35a20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000), nSubAuthority=0x0) returned 0xb35a28 [0036.033] GetExitCodeProcess (in: hProcess=0x148, lpExitCode=0x151f850 | out: lpExitCode=0x151f850*=0x103) returned 1 [0036.033] GetProcessImageFileNameW (in: hProcess=0x148, lpImageFileName=0xb2ed88, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Windows\\System32\\svchost.exe") returned 0x34 [0036.033] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x151f838 | out: Wow64Process=0x151f838) returned 1 [0036.033] IsWow64Process (in: hProcess=0x148, Wow64Process=0x151f848 | out: Wow64Process=0x151f848) returned 1 [0036.033] NtQueryInformationProcess (in: ProcessHandle=0x148, ProcessInformationClass=0x18, ProcessInformation=0x151f844, ProcessInformationLength=0x4, ReturnLength=0x151f848 | out: ProcessInformation=0x151f844, ReturnLength=0x151f848) returned 0x0 [0036.033] GetProcessTimes (in: hProcess=0x148, lpCreationTime=0x151f86c, lpExitTime=0x151f864, lpKernelTime=0x151f864, lpUserTime=0x151f864 | out: lpCreationTime=0x151f86c, lpExitTime=0x151f864, lpKernelTime=0x151f864, lpUserTime=0x151f864) returned 1 [0036.033] OpenProcessToken (in: ProcessHandle=0x148, DesiredAccess=0x8, TokenHandle=0x151f834 | out: TokenHandle=0x151f834*=0x14c) returned 1 [0036.033] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f830 | out: TokenInformation=0x0, ReturnLength=0x151f830) returned 0 [0036.033] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0xb35a18, TokenInformationLength=0x14, ReturnLength=0x151f830 | out: TokenInformation=0xb35a18, ReturnLength=0x151f830) returned 1 [0036.033] GetSidSubAuthorityCount (pSid=0xb35a20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000)) returned 0xb35a21 [0036.033] GetSidSubAuthority (pSid=0xb35a20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000), nSubAuthority=0x0) returned 0xb35a28 [0036.033] GetExitCodeProcess (in: hProcess=0x148, lpExitCode=0x151f850 | out: lpExitCode=0x151f850*=0x103) returned 1 [0036.034] GetProcessImageFileNameW (in: hProcess=0x148, lpImageFileName=0xb2ed88, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Windows\\System32\\svchost.exe") returned 0x34 [0036.034] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x151f838 | out: Wow64Process=0x151f838) returned 1 [0036.034] IsWow64Process (in: hProcess=0x148, Wow64Process=0x151f848 | out: Wow64Process=0x151f848) returned 1 [0036.034] NtQueryInformationProcess (in: ProcessHandle=0x148, ProcessInformationClass=0x18, ProcessInformation=0x151f844, ProcessInformationLength=0x4, ReturnLength=0x151f848 | out: ProcessInformation=0x151f844, ReturnLength=0x151f848) returned 0x0 [0036.034] GetProcessTimes (in: hProcess=0x148, lpCreationTime=0x151f86c, lpExitTime=0x151f864, lpKernelTime=0x151f864, lpUserTime=0x151f864 | out: lpCreationTime=0x151f86c, lpExitTime=0x151f864, lpKernelTime=0x151f864, lpUserTime=0x151f864) returned 1 [0036.034] OpenProcessToken (in: ProcessHandle=0x148, DesiredAccess=0x8, TokenHandle=0x151f834 | out: TokenHandle=0x151f834*=0x14c) returned 1 [0036.034] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f830 | out: TokenInformation=0x0, ReturnLength=0x151f830) returned 0 [0036.034] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0xb35a18, TokenInformationLength=0x14, ReturnLength=0x151f830 | out: TokenInformation=0xb35a18, ReturnLength=0x151f830) returned 1 [0036.034] GetSidSubAuthorityCount (pSid=0xb35a20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000)) returned 0xb35a21 [0036.034] GetSidSubAuthority (pSid=0xb35a20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000), nSubAuthority=0x0) returned 0xb35a28 [0036.034] GetExitCodeProcess (in: hProcess=0x148, lpExitCode=0x151f850 | out: lpExitCode=0x151f850*=0x103) returned 1 [0036.034] GetProcessImageFileNameW (in: hProcess=0x148, lpImageFileName=0xb2ed88, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Windows\\System32\\audiodg.exe") returned 0x34 [0036.034] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x151f838 | out: Wow64Process=0x151f838) returned 1 [0036.034] IsWow64Process (in: hProcess=0x148, Wow64Process=0x151f848 | out: Wow64Process=0x151f848) returned 1 [0036.034] NtQueryInformationProcess (in: ProcessHandle=0x148, ProcessInformationClass=0x18, ProcessInformation=0x151f844, ProcessInformationLength=0x4, ReturnLength=0x151f848 | out: ProcessInformation=0x151f844, ReturnLength=0x151f848) returned 0x0 [0036.034] GetProcessTimes (in: hProcess=0x148, lpCreationTime=0x151f86c, lpExitTime=0x151f864, lpKernelTime=0x151f864, lpUserTime=0x151f864 | out: lpCreationTime=0x151f86c, lpExitTime=0x151f864, lpKernelTime=0x151f864, lpUserTime=0x151f864) returned 1 [0036.034] OpenProcessToken (in: ProcessHandle=0x148, DesiredAccess=0x8, TokenHandle=0x151f834 | out: TokenHandle=0x151f834*=0x14c) returned 1 [0036.034] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f830 | out: TokenInformation=0x0, ReturnLength=0x151f830) returned 0 [0036.034] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0xb35a18, TokenInformationLength=0x14, ReturnLength=0x151f830 | out: TokenInformation=0xb35a18, ReturnLength=0x151f830) returned 1 [0036.034] GetSidSubAuthorityCount (pSid=0xb35a20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000)) returned 0xb35a21 [0036.034] GetSidSubAuthority (pSid=0xb35a20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000), nSubAuthority=0x0) returned 0xb35a28 [0036.034] GetExitCodeProcess (in: hProcess=0x148, lpExitCode=0x151f850 | out: lpExitCode=0x151f850*=0x103) returned 1 [0036.034] GetProcessImageFileNameW (in: hProcess=0x148, lpImageFileName=0xb2ed88, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Windows\\System32\\svchost.exe") returned 0x34 [0036.034] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x151f838 | out: Wow64Process=0x151f838) returned 1 [0036.034] IsWow64Process (in: hProcess=0x148, Wow64Process=0x151f848 | out: Wow64Process=0x151f848) returned 1 [0036.034] NtQueryInformationProcess (in: ProcessHandle=0x148, ProcessInformationClass=0x18, ProcessInformation=0x151f844, ProcessInformationLength=0x4, ReturnLength=0x151f848 | out: ProcessInformation=0x151f844, ReturnLength=0x151f848) returned 0x0 [0036.034] GetProcessTimes (in: hProcess=0x148, lpCreationTime=0x151f86c, lpExitTime=0x151f864, lpKernelTime=0x151f864, lpUserTime=0x151f864 | out: lpCreationTime=0x151f86c, lpExitTime=0x151f864, lpKernelTime=0x151f864, lpUserTime=0x151f864) returned 1 [0036.035] OpenProcessToken (in: ProcessHandle=0x148, DesiredAccess=0x8, TokenHandle=0x151f834 | out: TokenHandle=0x151f834*=0x14c) returned 1 [0036.035] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f830 | out: TokenInformation=0x0, ReturnLength=0x151f830) returned 0 [0036.035] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0xb35a18, TokenInformationLength=0x14, ReturnLength=0x151f830 | out: TokenInformation=0xb35a18, ReturnLength=0x151f830) returned 1 [0036.035] GetSidSubAuthorityCount (pSid=0xb35a20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000)) returned 0xb35a21 [0036.035] GetSidSubAuthority (pSid=0xb35a20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000), nSubAuthority=0x0) returned 0xb35a28 [0036.035] GetExitCodeProcess (in: hProcess=0x148, lpExitCode=0x151f850 | out: lpExitCode=0x151f850*=0x103) returned 1 [0036.035] GetProcessImageFileNameW (in: hProcess=0x148, lpImageFileName=0xb2ed88, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Windows\\System32\\svchost.exe") returned 0x34 [0036.035] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x151f838 | out: Wow64Process=0x151f838) returned 1 [0036.035] IsWow64Process (in: hProcess=0x148, Wow64Process=0x151f848 | out: Wow64Process=0x151f848) returned 1 [0036.035] NtQueryInformationProcess (in: ProcessHandle=0x148, ProcessInformationClass=0x18, ProcessInformation=0x151f844, ProcessInformationLength=0x4, ReturnLength=0x151f848 | out: ProcessInformation=0x151f844, ReturnLength=0x151f848) returned 0x0 [0036.035] GetProcessTimes (in: hProcess=0x148, lpCreationTime=0x151f86c, lpExitTime=0x151f864, lpKernelTime=0x151f864, lpUserTime=0x151f864 | out: lpCreationTime=0x151f86c, lpExitTime=0x151f864, lpKernelTime=0x151f864, lpUserTime=0x151f864) returned 1 [0036.035] OpenProcessToken (in: ProcessHandle=0x148, DesiredAccess=0x8, TokenHandle=0x151f834 | out: TokenHandle=0x151f834*=0x14c) returned 1 [0036.035] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f830 | out: TokenInformation=0x0, ReturnLength=0x151f830) returned 0 [0036.035] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0xb35a18, TokenInformationLength=0x14, ReturnLength=0x151f830 | out: TokenInformation=0xb35a18, ReturnLength=0x151f830) returned 1 [0036.035] GetSidSubAuthorityCount (pSid=0xb35a20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000)) returned 0xb35a21 [0036.035] GetSidSubAuthority (pSid=0xb35a20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000), nSubAuthority=0x0) returned 0xb35a28 [0036.035] GetExitCodeProcess (in: hProcess=0x148, lpExitCode=0x151f850 | out: lpExitCode=0x151f850*=0x103) returned 1 [0036.035] GetProcessImageFileNameW (in: hProcess=0x148, lpImageFileName=0xb2ed88, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Windows\\System32\\dwm.exe") returned 0x30 [0036.035] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x151f838 | out: Wow64Process=0x151f838) returned 1 [0036.035] IsWow64Process (in: hProcess=0x148, Wow64Process=0x151f848 | out: Wow64Process=0x151f848) returned 1 [0036.035] NtQueryInformationProcess (in: ProcessHandle=0x148, ProcessInformationClass=0x18, ProcessInformation=0x151f844, ProcessInformationLength=0x4, ReturnLength=0x151f848 | out: ProcessInformation=0x151f844, ReturnLength=0x151f848) returned 0x0 [0036.035] GetProcessTimes (in: hProcess=0x148, lpCreationTime=0x151f86c, lpExitTime=0x151f864, lpKernelTime=0x151f864, lpUserTime=0x151f864 | out: lpCreationTime=0x151f86c, lpExitTime=0x151f864, lpKernelTime=0x151f864, lpUserTime=0x151f864) returned 1 [0036.035] OpenProcessToken (in: ProcessHandle=0x148, DesiredAccess=0x8, TokenHandle=0x151f834 | out: TokenHandle=0x151f834*=0x14c) returned 1 [0036.035] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f830 | out: TokenInformation=0x0, ReturnLength=0x151f830) returned 0 [0036.036] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0xb35a18, TokenInformationLength=0x14, ReturnLength=0x151f830 | out: TokenInformation=0xb35a18, ReturnLength=0x151f830) returned 1 [0036.036] GetSidSubAuthorityCount (pSid=0xb35a20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xb35a21 [0036.036] GetSidSubAuthority (pSid=0xb35a20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xb35a28 [0036.036] GetExitCodeProcess (in: hProcess=0x148, lpExitCode=0x151f850 | out: lpExitCode=0x151f850*=0x103) returned 1 [0036.036] GetProcessImageFileNameW (in: hProcess=0x148, lpImageFileName=0xb2ed88, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Windows\\System32\\spoolsv.exe") returned 0x34 [0036.036] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x151f838 | out: Wow64Process=0x151f838) returned 1 [0036.036] IsWow64Process (in: hProcess=0x148, Wow64Process=0x151f848 | out: Wow64Process=0x151f848) returned 1 [0036.036] NtQueryInformationProcess (in: ProcessHandle=0x148, ProcessInformationClass=0x18, ProcessInformation=0x151f844, ProcessInformationLength=0x4, ReturnLength=0x151f848 | out: ProcessInformation=0x151f844, ReturnLength=0x151f848) returned 0x0 [0036.036] GetProcessTimes (in: hProcess=0x148, lpCreationTime=0x151f86c, lpExitTime=0x151f864, lpKernelTime=0x151f864, lpUserTime=0x151f864 | out: lpCreationTime=0x151f86c, lpExitTime=0x151f864, lpKernelTime=0x151f864, lpUserTime=0x151f864) returned 1 [0036.036] OpenProcessToken (in: ProcessHandle=0x148, DesiredAccess=0x8, TokenHandle=0x151f834 | out: TokenHandle=0x151f834*=0x14c) returned 1 [0036.036] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f830 | out: TokenInformation=0x0, ReturnLength=0x151f830) returned 0 [0036.036] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0xb35a18, TokenInformationLength=0x14, ReturnLength=0x151f830 | out: TokenInformation=0xb35a18, ReturnLength=0x151f830) returned 1 [0036.036] GetSidSubAuthorityCount (pSid=0xb35a20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000)) returned 0xb35a21 [0036.036] GetSidSubAuthority (pSid=0xb35a20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000), nSubAuthority=0x0) returned 0xb35a28 [0036.036] GetExitCodeProcess (in: hProcess=0x148, lpExitCode=0x151f850 | out: lpExitCode=0x151f850*=0x103) returned 1 [0036.036] GetProcessImageFileNameW (in: hProcess=0x148, lpImageFileName=0xb2ed88, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Windows\\System32\\taskhost.exe") returned 0x35 [0036.036] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x151f838 | out: Wow64Process=0x151f838) returned 1 [0036.036] IsWow64Process (in: hProcess=0x148, Wow64Process=0x151f848 | out: Wow64Process=0x151f848) returned 1 [0036.036] NtQueryInformationProcess (in: ProcessHandle=0x148, ProcessInformationClass=0x18, ProcessInformation=0x151f844, ProcessInformationLength=0x4, ReturnLength=0x151f848 | out: ProcessInformation=0x151f844, ReturnLength=0x151f848) returned 0x0 [0036.036] GetProcessTimes (in: hProcess=0x148, lpCreationTime=0x151f86c, lpExitTime=0x151f864, lpKernelTime=0x151f864, lpUserTime=0x151f864 | out: lpCreationTime=0x151f86c, lpExitTime=0x151f864, lpKernelTime=0x151f864, lpUserTime=0x151f864) returned 1 [0036.036] OpenProcessToken (in: ProcessHandle=0x148, DesiredAccess=0x8, TokenHandle=0x151f834 | out: TokenHandle=0x151f834*=0x14c) returned 1 [0036.036] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f830 | out: TokenInformation=0x0, ReturnLength=0x151f830) returned 0 [0036.036] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0xb35a18, TokenInformationLength=0x14, ReturnLength=0x151f830 | out: TokenInformation=0xb35a18, ReturnLength=0x151f830) returned 1 [0036.036] GetSidSubAuthorityCount (pSid=0xb35a20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xb35a21 [0036.036] GetSidSubAuthority (pSid=0xb35a20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xb35a28 [0036.037] GetExitCodeProcess (in: hProcess=0x148, lpExitCode=0x151f850 | out: lpExitCode=0x151f850*=0x103) returned 1 [0036.037] GetProcessImageFileNameW (in: hProcess=0x148, lpImageFileName=0xb2ed88, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Windows\\System32\\svchost.exe") returned 0x34 [0036.037] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x151f838 | out: Wow64Process=0x151f838) returned 1 [0036.037] IsWow64Process (in: hProcess=0x148, Wow64Process=0x151f848 | out: Wow64Process=0x151f848) returned 1 [0036.037] NtQueryInformationProcess (in: ProcessHandle=0x148, ProcessInformationClass=0x18, ProcessInformation=0x151f844, ProcessInformationLength=0x4, ReturnLength=0x151f848 | out: ProcessInformation=0x151f844, ReturnLength=0x151f848) returned 0x0 [0036.037] GetProcessTimes (in: hProcess=0x148, lpCreationTime=0x151f86c, lpExitTime=0x151f864, lpKernelTime=0x151f864, lpUserTime=0x151f864 | out: lpCreationTime=0x151f86c, lpExitTime=0x151f864, lpKernelTime=0x151f864, lpUserTime=0x151f864) returned 1 [0036.037] OpenProcessToken (in: ProcessHandle=0x148, DesiredAccess=0x8, TokenHandle=0x151f834 | out: TokenHandle=0x151f834*=0x14c) returned 1 [0036.037] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f830 | out: TokenInformation=0x0, ReturnLength=0x151f830) returned 0 [0036.037] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0xb35a18, TokenInformationLength=0x14, ReturnLength=0x151f830 | out: TokenInformation=0xb35a18, ReturnLength=0x151f830) returned 1 [0036.037] GetSidSubAuthorityCount (pSid=0xb35a20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000)) returned 0xb35a21 [0036.037] GetSidSubAuthority (pSid=0xb35a20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000), nSubAuthority=0x0) returned 0xb35a28 [0036.037] GetExitCodeProcess (in: hProcess=0x148, lpExitCode=0x151f850 | out: lpExitCode=0x151f850*=0x103) returned 1 [0036.037] GetProcessImageFileNameW (in: hProcess=0x148, lpImageFileName=0xb2ed88, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Windows\\System32\\taskeng.exe") returned 0x34 [0036.037] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x151f838 | out: Wow64Process=0x151f838) returned 1 [0036.037] IsWow64Process (in: hProcess=0x148, Wow64Process=0x151f848 | out: Wow64Process=0x151f848) returned 1 [0036.037] NtQueryInformationProcess (in: ProcessHandle=0x148, ProcessInformationClass=0x18, ProcessInformation=0x151f844, ProcessInformationLength=0x4, ReturnLength=0x151f848 | out: ProcessInformation=0x151f844, ReturnLength=0x151f848) returned 0x0 [0036.037] GetProcessTimes (in: hProcess=0x148, lpCreationTime=0x151f86c, lpExitTime=0x151f864, lpKernelTime=0x151f864, lpUserTime=0x151f864 | out: lpCreationTime=0x151f86c, lpExitTime=0x151f864, lpKernelTime=0x151f864, lpUserTime=0x151f864) returned 1 [0036.037] OpenProcessToken (in: ProcessHandle=0x148, DesiredAccess=0x8, TokenHandle=0x151f834 | out: TokenHandle=0x151f834*=0x14c) returned 1 [0036.037] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f830 | out: TokenInformation=0x0, ReturnLength=0x151f830) returned 0 [0036.037] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0xb35a18, TokenInformationLength=0x14, ReturnLength=0x151f830 | out: TokenInformation=0xb35a18, ReturnLength=0x151f830) returned 1 [0036.037] GetSidSubAuthorityCount (pSid=0xb35a20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x3000)) returned 0xb35a21 [0036.037] GetSidSubAuthority (pSid=0xb35a20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x3000), nSubAuthority=0x0) returned 0xb35a28 [0036.037] GetExitCodeProcess (in: hProcess=0x148, lpExitCode=0x151f850 | out: lpExitCode=0x151f850*=0x103) returned 1 [0036.037] GetProcessImageFileNameW (in: hProcess=0x148, lpImageFileName=0xb2ed88, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Windows\\System32\\taskhost.exe") returned 0x35 [0036.038] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x151f838 | out: Wow64Process=0x151f838) returned 1 [0036.038] IsWow64Process (in: hProcess=0x148, Wow64Process=0x151f848 | out: Wow64Process=0x151f848) returned 1 [0036.038] NtQueryInformationProcess (in: ProcessHandle=0x148, ProcessInformationClass=0x18, ProcessInformation=0x151f844, ProcessInformationLength=0x4, ReturnLength=0x151f848 | out: ProcessInformation=0x151f844, ReturnLength=0x151f848) returned 0x0 [0036.038] GetProcessTimes (in: hProcess=0x148, lpCreationTime=0x151f86c, lpExitTime=0x151f864, lpKernelTime=0x151f864, lpUserTime=0x151f864 | out: lpCreationTime=0x151f86c, lpExitTime=0x151f864, lpKernelTime=0x151f864, lpUserTime=0x151f864) returned 1 [0036.038] OpenProcessToken (in: ProcessHandle=0x148, DesiredAccess=0x8, TokenHandle=0x151f834 | out: TokenHandle=0x151f834*=0x14c) returned 1 [0036.038] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f830 | out: TokenInformation=0x0, ReturnLength=0x151f830) returned 0 [0036.038] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0xb35a18, TokenInformationLength=0x14, ReturnLength=0x151f830 | out: TokenInformation=0xb35a18, ReturnLength=0x151f830) returned 1 [0036.038] GetSidSubAuthorityCount (pSid=0xb35a20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000)) returned 0xb35a21 [0036.038] GetSidSubAuthority (pSid=0xb35a20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000), nSubAuthority=0x0) returned 0xb35a28 [0036.038] GetExitCodeProcess (in: hProcess=0x148, lpExitCode=0x151f850 | out: lpExitCode=0x151f850*=0x103) returned 1 [0036.038] GetProcessImageFileNameW (in: hProcess=0x148, lpImageFileName=0xb2ed88, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Windows\\explorer.exe") returned 0x2c [0036.038] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x151f838 | out: Wow64Process=0x151f838) returned 1 [0036.038] IsWow64Process (in: hProcess=0x148, Wow64Process=0x151f848 | out: Wow64Process=0x151f848) returned 1 [0036.038] NtQueryInformationProcess (in: ProcessHandle=0x148, ProcessInformationClass=0x18, ProcessInformation=0x151f844, ProcessInformationLength=0x4, ReturnLength=0x151f848 | out: ProcessInformation=0x151f844, ReturnLength=0x151f848) returned 0x0 [0036.038] GetProcessTimes (in: hProcess=0x148, lpCreationTime=0x151f86c, lpExitTime=0x151f864, lpKernelTime=0x151f864, lpUserTime=0x151f864 | out: lpCreationTime=0x151f86c, lpExitTime=0x151f864, lpKernelTime=0x151f864, lpUserTime=0x151f864) returned 1 [0036.038] OpenProcessToken (in: ProcessHandle=0x148, DesiredAccess=0x8, TokenHandle=0x151f834 | out: TokenHandle=0x151f834*=0x14c) returned 1 [0036.070] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f830 | out: TokenInformation=0x0, ReturnLength=0x151f830) returned 0 [0036.070] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0xb35a18, TokenInformationLength=0x14, ReturnLength=0x151f830 | out: TokenInformation=0xb35a18, ReturnLength=0x151f830) returned 1 [0036.070] GetSidSubAuthorityCount (pSid=0xb35a20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xb35a21 [0036.070] GetSidSubAuthority (pSid=0xb35a20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xb35a28 [0036.070] GetExitCodeProcess (in: hProcess=0x148, lpExitCode=0x151f850 | out: lpExitCode=0x151f850*=0x103) returned 1 [0036.070] GetProcessImageFileNameW (in: hProcess=0x148, lpImageFileName=0xb2ed88, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Program Files\\Microsoft Sync Framework\\connectionsdecade.exe") returned 0x54 [0036.070] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x151f838 | out: Wow64Process=0x151f838) returned 1 [0036.070] IsWow64Process (in: hProcess=0x148, Wow64Process=0x151f848 | out: Wow64Process=0x151f848) returned 1 [0036.070] NtQueryInformationProcess (in: ProcessHandle=0x148, ProcessInformationClass=0x18, ProcessInformation=0x151f844, ProcessInformationLength=0x4, ReturnLength=0x151f848 | out: ProcessInformation=0x151f844, ReturnLength=0x151f848) returned 0x0 [0036.070] GetProcessTimes (in: hProcess=0x148, lpCreationTime=0x151f86c, lpExitTime=0x151f864, lpKernelTime=0x151f864, lpUserTime=0x151f864 | out: lpCreationTime=0x151f86c, lpExitTime=0x151f864, lpKernelTime=0x151f864, lpUserTime=0x151f864) returned 1 [0036.070] OpenProcessToken (in: ProcessHandle=0x148, DesiredAccess=0x8, TokenHandle=0x151f834 | out: TokenHandle=0x151f834*=0x14c) returned 1 [0036.070] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f830 | out: TokenInformation=0x0, ReturnLength=0x151f830) returned 0 [0036.070] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0xb35a18, TokenInformationLength=0x14, ReturnLength=0x151f830 | out: TokenInformation=0xb35a18, ReturnLength=0x151f830) returned 1 [0036.070] GetSidSubAuthorityCount (pSid=0xb35a20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xb35a21 [0036.070] GetSidSubAuthority (pSid=0xb35a20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xb35a28 [0036.070] GetExitCodeProcess (in: hProcess=0x148, lpExitCode=0x151f850 | out: lpExitCode=0x151f850*=0x103) returned 1 [0036.071] GetProcessImageFileNameW (in: hProcess=0x148, lpImageFileName=0xb2ed88, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Program Files (x86)\\Reference Assemblies\\spectrum fs.exe") returned 0x50 [0036.071] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x151f838 | out: Wow64Process=0x151f838) returned 1 [0036.071] IsWow64Process (in: hProcess=0x148, Wow64Process=0x151f848 | out: Wow64Process=0x151f848) returned 1 [0036.071] NtQueryInformationProcess (in: ProcessHandle=0x148, ProcessInformationClass=0x18, ProcessInformation=0x151f844, ProcessInformationLength=0x4, ReturnLength=0x151f848 | out: ProcessInformation=0x151f844, ReturnLength=0x151f848) returned 0x0 [0036.071] GetProcessTimes (in: hProcess=0x148, lpCreationTime=0x151f86c, lpExitTime=0x151f864, lpKernelTime=0x151f864, lpUserTime=0x151f864 | out: lpCreationTime=0x151f86c, lpExitTime=0x151f864, lpKernelTime=0x151f864, lpUserTime=0x151f864) returned 1 [0036.071] OpenProcessToken (in: ProcessHandle=0x148, DesiredAccess=0x8, TokenHandle=0x151f834 | out: TokenHandle=0x151f834*=0x14c) returned 1 [0036.071] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f830 | out: TokenInformation=0x0, ReturnLength=0x151f830) returned 0 [0036.071] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0xb35a18, TokenInformationLength=0x14, ReturnLength=0x151f830 | out: TokenInformation=0xb35a18, ReturnLength=0x151f830) returned 1 [0036.071] GetSidSubAuthorityCount (pSid=0xb35a20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xb35a21 [0036.071] GetSidSubAuthority (pSid=0xb35a20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xb35a28 [0036.071] GetExitCodeProcess (in: hProcess=0x148, lpExitCode=0x151f850 | out: lpExitCode=0x151f850*=0x103) returned 1 [0036.071] GetProcessImageFileNameW (in: hProcess=0x148, lpImageFileName=0xb2ed88, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Program Files (x86)\\Common Files\\amounts_under.exe") returned 0x4a [0036.071] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x151f838 | out: Wow64Process=0x151f838) returned 1 [0036.071] IsWow64Process (in: hProcess=0x148, Wow64Process=0x151f848 | out: Wow64Process=0x151f848) returned 1 [0036.071] NtQueryInformationProcess (in: ProcessHandle=0x148, ProcessInformationClass=0x18, ProcessInformation=0x151f844, ProcessInformationLength=0x4, ReturnLength=0x151f848 | out: ProcessInformation=0x151f844, ReturnLength=0x151f848) returned 0x0 [0036.071] GetProcessTimes (in: hProcess=0x148, lpCreationTime=0x151f86c, lpExitTime=0x151f864, lpKernelTime=0x151f864, lpUserTime=0x151f864 | out: lpCreationTime=0x151f86c, lpExitTime=0x151f864, lpKernelTime=0x151f864, lpUserTime=0x151f864) returned 1 [0036.071] OpenProcessToken (in: ProcessHandle=0x148, DesiredAccess=0x8, TokenHandle=0x151f834 | out: TokenHandle=0x151f834*=0x14c) returned 1 [0036.071] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f830 | out: TokenInformation=0x0, ReturnLength=0x151f830) returned 0 [0036.071] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0xb35a18, TokenInformationLength=0x14, ReturnLength=0x151f830 | out: TokenInformation=0xb35a18, ReturnLength=0x151f830) returned 1 [0036.071] GetSidSubAuthorityCount (pSid=0xb35a20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xb35a21 [0036.071] GetSidSubAuthority (pSid=0xb35a20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xb35a28 [0036.071] GetExitCodeProcess (in: hProcess=0x148, lpExitCode=0x151f850 | out: lpExitCode=0x151f850*=0x103) returned 1 [0036.071] GetProcessImageFileNameW (in: hProcess=0x148, lpImageFileName=0xb2ed88, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Program Files (x86)\\Java\\emergency_limitation.exe") returned 0x49 [0036.072] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x151f838 | out: Wow64Process=0x151f838) returned 1 [0036.072] IsWow64Process (in: hProcess=0x148, Wow64Process=0x151f848 | out: Wow64Process=0x151f848) returned 1 [0036.072] NtQueryInformationProcess (in: ProcessHandle=0x148, ProcessInformationClass=0x18, ProcessInformation=0x151f844, ProcessInformationLength=0x4, ReturnLength=0x151f848 | out: ProcessInformation=0x151f844, ReturnLength=0x151f848) returned 0x0 [0036.072] GetProcessTimes (in: hProcess=0x148, lpCreationTime=0x151f86c, lpExitTime=0x151f864, lpKernelTime=0x151f864, lpUserTime=0x151f864 | out: lpCreationTime=0x151f86c, lpExitTime=0x151f864, lpKernelTime=0x151f864, lpUserTime=0x151f864) returned 1 [0036.072] OpenProcessToken (in: ProcessHandle=0x148, DesiredAccess=0x8, TokenHandle=0x151f834 | out: TokenHandle=0x151f834*=0x14c) returned 1 [0036.072] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f830 | out: TokenInformation=0x0, ReturnLength=0x151f830) returned 0 [0036.072] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0xb35a18, TokenInformationLength=0x14, ReturnLength=0x151f830 | out: TokenInformation=0xb35a18, ReturnLength=0x151f830) returned 1 [0036.072] GetSidSubAuthorityCount (pSid=0xb35a20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xb35a21 [0036.072] GetSidSubAuthority (pSid=0xb35a20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xb35a28 [0036.072] GetExitCodeProcess (in: hProcess=0x148, lpExitCode=0x151f850 | out: lpExitCode=0x151f850*=0x103) returned 1 [0036.072] GetProcessImageFileNameW (in: hProcess=0x148, lpImageFileName=0xb2ed88, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Program Files (x86)\\Windows Mail\\partnerships.exe") returned 0x49 [0036.072] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x151f838 | out: Wow64Process=0x151f838) returned 1 [0036.072] IsWow64Process (in: hProcess=0x148, Wow64Process=0x151f848 | out: Wow64Process=0x151f848) returned 1 [0036.072] NtQueryInformationProcess (in: ProcessHandle=0x148, ProcessInformationClass=0x18, ProcessInformation=0x151f844, ProcessInformationLength=0x4, ReturnLength=0x151f848 | out: ProcessInformation=0x151f844, ReturnLength=0x151f848) returned 0x0 [0036.072] GetProcessTimes (in: hProcess=0x148, lpCreationTime=0x151f86c, lpExitTime=0x151f864, lpKernelTime=0x151f864, lpUserTime=0x151f864 | out: lpCreationTime=0x151f86c, lpExitTime=0x151f864, lpKernelTime=0x151f864, lpUserTime=0x151f864) returned 1 [0036.072] OpenProcessToken (in: ProcessHandle=0x148, DesiredAccess=0x8, TokenHandle=0x151f834 | out: TokenHandle=0x151f834*=0x14c) returned 1 [0036.072] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f830 | out: TokenInformation=0x0, ReturnLength=0x151f830) returned 0 [0036.072] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0xb35a18, TokenInformationLength=0x14, ReturnLength=0x151f830 | out: TokenInformation=0xb35a18, ReturnLength=0x151f830) returned 1 [0036.072] GetSidSubAuthorityCount (pSid=0xb35a20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xb35a21 [0036.072] GetSidSubAuthority (pSid=0xb35a20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xb35a28 [0036.072] GetExitCodeProcess (in: hProcess=0x148, lpExitCode=0x151f850 | out: lpExitCode=0x151f850*=0x103) returned 1 [0036.072] GetProcessImageFileNameW (in: hProcess=0x148, lpImageFileName=0xb2ed88, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Program Files (x86)\\MSBuild\\fit.exe") returned 0x3b [0036.072] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x151f838 | out: Wow64Process=0x151f838) returned 1 [0036.072] IsWow64Process (in: hProcess=0x148, Wow64Process=0x151f848 | out: Wow64Process=0x151f848) returned 1 [0036.072] NtQueryInformationProcess (in: ProcessHandle=0x148, ProcessInformationClass=0x18, ProcessInformation=0x151f844, ProcessInformationLength=0x4, ReturnLength=0x151f848 | out: ProcessInformation=0x151f844, ReturnLength=0x151f848) returned 0x0 [0036.072] GetProcessTimes (in: hProcess=0x148, lpCreationTime=0x151f86c, lpExitTime=0x151f864, lpKernelTime=0x151f864, lpUserTime=0x151f864 | out: lpCreationTime=0x151f86c, lpExitTime=0x151f864, lpKernelTime=0x151f864, lpUserTime=0x151f864) returned 1 [0036.072] OpenProcessToken (in: ProcessHandle=0x148, DesiredAccess=0x8, TokenHandle=0x151f834 | out: TokenHandle=0x151f834*=0x14c) returned 1 [0036.073] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f830 | out: TokenInformation=0x0, ReturnLength=0x151f830) returned 0 [0036.073] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0xb35a18, TokenInformationLength=0x14, ReturnLength=0x151f830 | out: TokenInformation=0xb35a18, ReturnLength=0x151f830) returned 1 [0036.073] GetSidSubAuthorityCount (pSid=0xb35a20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xb35a21 [0036.073] GetSidSubAuthority (pSid=0xb35a20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xb35a28 [0036.073] GetExitCodeProcess (in: hProcess=0x148, lpExitCode=0x151f850 | out: lpExitCode=0x151f850*=0x103) returned 1 [0036.073] GetProcessImageFileNameW (in: hProcess=0x148, lpImageFileName=0xb2ed88, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Program Files (x86)\\Windows Mail\\ob reid.exe") returned 0x44 [0036.073] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x151f838 | out: Wow64Process=0x151f838) returned 1 [0036.073] IsWow64Process (in: hProcess=0x148, Wow64Process=0x151f848 | out: Wow64Process=0x151f848) returned 1 [0036.073] NtQueryInformationProcess (in: ProcessHandle=0x148, ProcessInformationClass=0x18, ProcessInformation=0x151f844, ProcessInformationLength=0x4, ReturnLength=0x151f848 | out: ProcessInformation=0x151f844, ReturnLength=0x151f848) returned 0x0 [0036.073] GetProcessTimes (in: hProcess=0x148, lpCreationTime=0x151f86c, lpExitTime=0x151f864, lpKernelTime=0x151f864, lpUserTime=0x151f864 | out: lpCreationTime=0x151f86c, lpExitTime=0x151f864, lpKernelTime=0x151f864, lpUserTime=0x151f864) returned 1 [0036.073] OpenProcessToken (in: ProcessHandle=0x148, DesiredAccess=0x8, TokenHandle=0x151f834 | out: TokenHandle=0x151f834*=0x14c) returned 1 [0036.073] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f830 | out: TokenInformation=0x0, ReturnLength=0x151f830) returned 0 [0036.073] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0xb35a18, TokenInformationLength=0x14, ReturnLength=0x151f830 | out: TokenInformation=0xb35a18, ReturnLength=0x151f830) returned 1 [0036.073] GetSidSubAuthorityCount (pSid=0xb35a20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xb35a21 [0036.073] GetSidSubAuthority (pSid=0xb35a20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xb35a28 [0036.073] GetExitCodeProcess (in: hProcess=0x148, lpExitCode=0x151f850 | out: lpExitCode=0x151f850*=0x103) returned 1 [0036.073] GetProcessImageFileNameW (in: hProcess=0x148, lpImageFileName=0xb2ed88, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Program Files\\Internet Explorer\\antonio_done_cultures.exe") returned 0x51 [0036.073] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x151f838 | out: Wow64Process=0x151f838) returned 1 [0036.073] IsWow64Process (in: hProcess=0x148, Wow64Process=0x151f848 | out: Wow64Process=0x151f848) returned 1 [0036.073] NtQueryInformationProcess (in: ProcessHandle=0x148, ProcessInformationClass=0x18, ProcessInformation=0x151f844, ProcessInformationLength=0x4, ReturnLength=0x151f848 | out: ProcessInformation=0x151f844, ReturnLength=0x151f848) returned 0x0 [0036.073] GetProcessTimes (in: hProcess=0x148, lpCreationTime=0x151f86c, lpExitTime=0x151f864, lpKernelTime=0x151f864, lpUserTime=0x151f864 | out: lpCreationTime=0x151f86c, lpExitTime=0x151f864, lpKernelTime=0x151f864, lpUserTime=0x151f864) returned 1 [0036.073] OpenProcessToken (in: ProcessHandle=0x148, DesiredAccess=0x8, TokenHandle=0x151f834 | out: TokenHandle=0x151f834*=0x14c) returned 1 [0036.073] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f830 | out: TokenInformation=0x0, ReturnLength=0x151f830) returned 0 [0036.073] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0xb35a18, TokenInformationLength=0x14, ReturnLength=0x151f830 | out: TokenInformation=0xb35a18, ReturnLength=0x151f830) returned 1 [0036.073] GetSidSubAuthorityCount (pSid=0xb35a20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xb35a21 [0036.073] GetSidSubAuthority (pSid=0xb35a20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xb35a28 [0036.073] GetExitCodeProcess (in: hProcess=0x148, lpExitCode=0x151f850 | out: lpExitCode=0x151f850*=0x103) returned 1 [0036.074] GetProcessImageFileNameW (in: hProcess=0x148, lpImageFileName=0xb2ed88, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Program Files (x86)\\Java\\norfolk_trance_directive.exe") returned 0x4d [0036.074] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x151f838 | out: Wow64Process=0x151f838) returned 1 [0036.074] IsWow64Process (in: hProcess=0x148, Wow64Process=0x151f848 | out: Wow64Process=0x151f848) returned 1 [0036.074] NtQueryInformationProcess (in: ProcessHandle=0x148, ProcessInformationClass=0x18, ProcessInformation=0x151f844, ProcessInformationLength=0x4, ReturnLength=0x151f848 | out: ProcessInformation=0x151f844, ReturnLength=0x151f848) returned 0x0 [0036.074] GetProcessTimes (in: hProcess=0x148, lpCreationTime=0x151f86c, lpExitTime=0x151f864, lpKernelTime=0x151f864, lpUserTime=0x151f864 | out: lpCreationTime=0x151f86c, lpExitTime=0x151f864, lpKernelTime=0x151f864, lpUserTime=0x151f864) returned 1 [0036.074] OpenProcessToken (in: ProcessHandle=0x148, DesiredAccess=0x8, TokenHandle=0x151f834 | out: TokenHandle=0x151f834*=0x14c) returned 1 [0036.074] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f830 | out: TokenInformation=0x0, ReturnLength=0x151f830) returned 0 [0036.074] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0xb35a18, TokenInformationLength=0x14, ReturnLength=0x151f830 | out: TokenInformation=0xb35a18, ReturnLength=0x151f830) returned 1 [0036.074] GetSidSubAuthorityCount (pSid=0xb35a20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xb35a21 [0036.074] GetSidSubAuthority (pSid=0xb35a20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xb35a28 [0036.074] GetExitCodeProcess (in: hProcess=0x148, lpExitCode=0x151f850 | out: lpExitCode=0x151f850*=0x103) returned 1 [0036.074] GetProcessImageFileNameW (in: hProcess=0x148, lpImageFileName=0xb2ed88, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Program Files\\Uninstall Information\\cheese-further-reads.exe") returned 0x54 [0036.074] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x151f838 | out: Wow64Process=0x151f838) returned 1 [0036.074] IsWow64Process (in: hProcess=0x148, Wow64Process=0x151f848 | out: Wow64Process=0x151f848) returned 1 [0036.074] NtQueryInformationProcess (in: ProcessHandle=0x148, ProcessInformationClass=0x18, ProcessInformation=0x151f844, ProcessInformationLength=0x4, ReturnLength=0x151f848 | out: ProcessInformation=0x151f844, ReturnLength=0x151f848) returned 0x0 [0036.074] GetProcessTimes (in: hProcess=0x148, lpCreationTime=0x151f86c, lpExitTime=0x151f864, lpKernelTime=0x151f864, lpUserTime=0x151f864 | out: lpCreationTime=0x151f86c, lpExitTime=0x151f864, lpKernelTime=0x151f864, lpUserTime=0x151f864) returned 1 [0036.074] OpenProcessToken (in: ProcessHandle=0x148, DesiredAccess=0x8, TokenHandle=0x151f834 | out: TokenHandle=0x151f834*=0x14c) returned 1 [0036.074] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f830 | out: TokenInformation=0x0, ReturnLength=0x151f830) returned 0 [0036.074] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0xb35a18, TokenInformationLength=0x14, ReturnLength=0x151f830 | out: TokenInformation=0xb35a18, ReturnLength=0x151f830) returned 1 [0036.074] GetSidSubAuthorityCount (pSid=0xb35a20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xb35a21 [0036.074] GetSidSubAuthority (pSid=0xb35a20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xb35a28 [0036.074] GetExitCodeProcess (in: hProcess=0x148, lpExitCode=0x151f850 | out: lpExitCode=0x151f850*=0x103) returned 1 [0036.074] GetProcessImageFileNameW (in: hProcess=0x148, lpImageFileName=0xb2ed88, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Program Files\\Microsoft Analysis Services\\walking.exe") returned 0x4d [0036.074] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x151f838 | out: Wow64Process=0x151f838) returned 1 [0036.075] IsWow64Process (in: hProcess=0x148, Wow64Process=0x151f848 | out: Wow64Process=0x151f848) returned 1 [0036.075] NtQueryInformationProcess (in: ProcessHandle=0x148, ProcessInformationClass=0x18, ProcessInformation=0x151f844, ProcessInformationLength=0x4, ReturnLength=0x151f848 | out: ProcessInformation=0x151f844, ReturnLength=0x151f848) returned 0x0 [0036.075] GetProcessTimes (in: hProcess=0x148, lpCreationTime=0x151f86c, lpExitTime=0x151f864, lpKernelTime=0x151f864, lpUserTime=0x151f864 | out: lpCreationTime=0x151f86c, lpExitTime=0x151f864, lpKernelTime=0x151f864, lpUserTime=0x151f864) returned 1 [0036.075] OpenProcessToken (in: ProcessHandle=0x148, DesiredAccess=0x8, TokenHandle=0x151f834 | out: TokenHandle=0x151f834*=0x14c) returned 1 [0036.075] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f830 | out: TokenInformation=0x0, ReturnLength=0x151f830) returned 0 [0036.075] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0xb35a18, TokenInformationLength=0x14, ReturnLength=0x151f830 | out: TokenInformation=0xb35a18, ReturnLength=0x151f830) returned 1 [0036.075] GetSidSubAuthorityCount (pSid=0xb35a20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xb35a21 [0036.075] GetSidSubAuthority (pSid=0xb35a20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xb35a28 [0036.075] GetExitCodeProcess (in: hProcess=0x148, lpExitCode=0x151f850 | out: lpExitCode=0x151f850*=0x103) returned 1 [0036.075] GetProcessImageFileNameW (in: hProcess=0x148, lpImageFileName=0xb2ed88, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Program Files\\Windows Photo Viewer\\happiness.exe") returned 0x48 [0036.075] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x151f838 | out: Wow64Process=0x151f838) returned 1 [0036.075] IsWow64Process (in: hProcess=0x148, Wow64Process=0x151f848 | out: Wow64Process=0x151f848) returned 1 [0036.075] NtQueryInformationProcess (in: ProcessHandle=0x148, ProcessInformationClass=0x18, ProcessInformation=0x151f844, ProcessInformationLength=0x4, ReturnLength=0x151f848 | out: ProcessInformation=0x151f844, ReturnLength=0x151f848) returned 0x0 [0036.075] GetProcessTimes (in: hProcess=0x148, lpCreationTime=0x151f86c, lpExitTime=0x151f864, lpKernelTime=0x151f864, lpUserTime=0x151f864 | out: lpCreationTime=0x151f86c, lpExitTime=0x151f864, lpKernelTime=0x151f864, lpUserTime=0x151f864) returned 1 [0036.075] OpenProcessToken (in: ProcessHandle=0x148, DesiredAccess=0x8, TokenHandle=0x151f834 | out: TokenHandle=0x151f834*=0x14c) returned 1 [0036.075] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f830 | out: TokenInformation=0x0, ReturnLength=0x151f830) returned 0 [0036.075] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0xb35a18, TokenInformationLength=0x14, ReturnLength=0x151f830 | out: TokenInformation=0xb35a18, ReturnLength=0x151f830) returned 1 [0036.075] GetSidSubAuthorityCount (pSid=0xb35a20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xb35a21 [0036.075] GetSidSubAuthority (pSid=0xb35a20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xb35a28 [0036.075] GetExitCodeProcess (in: hProcess=0x148, lpExitCode=0x151f850 | out: lpExitCode=0x151f850*=0x103) returned 1 [0036.075] GetProcessImageFileNameW (in: hProcess=0x148, lpImageFileName=0xb2ed88, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Program Files (x86)\\Windows Media Player\\clubs_mobility_dive.exe") returned 0x58 [0036.075] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x151f838 | out: Wow64Process=0x151f838) returned 1 [0036.075] IsWow64Process (in: hProcess=0x148, Wow64Process=0x151f848 | out: Wow64Process=0x151f848) returned 1 [0036.075] NtQueryInformationProcess (in: ProcessHandle=0x148, ProcessInformationClass=0x18, ProcessInformation=0x151f844, ProcessInformationLength=0x4, ReturnLength=0x151f848 | out: ProcessInformation=0x151f844, ReturnLength=0x151f848) returned 0x0 [0036.075] GetProcessTimes (in: hProcess=0x148, lpCreationTime=0x151f86c, lpExitTime=0x151f864, lpKernelTime=0x151f864, lpUserTime=0x151f864 | out: lpCreationTime=0x151f86c, lpExitTime=0x151f864, lpKernelTime=0x151f864, lpUserTime=0x151f864) returned 1 [0036.075] OpenProcessToken (in: ProcessHandle=0x148, DesiredAccess=0x8, TokenHandle=0x151f834 | out: TokenHandle=0x151f834*=0x14c) returned 1 [0036.076] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f830 | out: TokenInformation=0x0, ReturnLength=0x151f830) returned 0 [0036.076] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0xb35a18, TokenInformationLength=0x14, ReturnLength=0x151f830 | out: TokenInformation=0xb35a18, ReturnLength=0x151f830) returned 1 [0036.076] GetSidSubAuthorityCount (pSid=0xb35a20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xb35a21 [0036.076] GetSidSubAuthority (pSid=0xb35a20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xb35a28 [0036.076] GetExitCodeProcess (in: hProcess=0x148, lpExitCode=0x151f850 | out: lpExitCode=0x151f850*=0x103) returned 1 [0036.076] GetProcessImageFileNameW (in: hProcess=0x148, lpImageFileName=0xb2ed88, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Program Files (x86)\\Mozilla Maintenance Service\\completing.exe") returned 0x56 [0036.076] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x151f838 | out: Wow64Process=0x151f838) returned 1 [0036.076] IsWow64Process (in: hProcess=0x148, Wow64Process=0x151f848 | out: Wow64Process=0x151f848) returned 1 [0036.076] NtQueryInformationProcess (in: ProcessHandle=0x148, ProcessInformationClass=0x18, ProcessInformation=0x151f844, ProcessInformationLength=0x4, ReturnLength=0x151f848 | out: ProcessInformation=0x151f844, ReturnLength=0x151f848) returned 0x0 [0036.076] GetProcessTimes (in: hProcess=0x148, lpCreationTime=0x151f86c, lpExitTime=0x151f864, lpKernelTime=0x151f864, lpUserTime=0x151f864 | out: lpCreationTime=0x151f86c, lpExitTime=0x151f864, lpKernelTime=0x151f864, lpUserTime=0x151f864) returned 1 [0036.076] OpenProcessToken (in: ProcessHandle=0x148, DesiredAccess=0x8, TokenHandle=0x151f834 | out: TokenHandle=0x151f834*=0x14c) returned 1 [0036.076] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f830 | out: TokenInformation=0x0, ReturnLength=0x151f830) returned 0 [0036.076] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0xb35a18, TokenInformationLength=0x14, ReturnLength=0x151f830 | out: TokenInformation=0xb35a18, ReturnLength=0x151f830) returned 1 [0036.076] GetSidSubAuthorityCount (pSid=0xb35a20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xb35a21 [0036.076] GetSidSubAuthority (pSid=0xb35a20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xb35a28 [0036.076] GetExitCodeProcess (in: hProcess=0x148, lpExitCode=0x151f850 | out: lpExitCode=0x151f850*=0x103) returned 1 [0036.076] GetProcessImageFileNameW (in: hProcess=0x148, lpImageFileName=0xb2ed88, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Program Files\\Windows Journal\\polished expressed.exe") returned 0x4c [0036.076] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x151f838 | out: Wow64Process=0x151f838) returned 1 [0036.076] IsWow64Process (in: hProcess=0x148, Wow64Process=0x151f848 | out: Wow64Process=0x151f848) returned 1 [0036.076] NtQueryInformationProcess (in: ProcessHandle=0x148, ProcessInformationClass=0x18, ProcessInformation=0x151f844, ProcessInformationLength=0x4, ReturnLength=0x151f848 | out: ProcessInformation=0x151f844, ReturnLength=0x151f848) returned 0x0 [0036.076] GetProcessTimes (in: hProcess=0x148, lpCreationTime=0x151f86c, lpExitTime=0x151f864, lpKernelTime=0x151f864, lpUserTime=0x151f864 | out: lpCreationTime=0x151f86c, lpExitTime=0x151f864, lpKernelTime=0x151f864, lpUserTime=0x151f864) returned 1 [0036.076] OpenProcessToken (in: ProcessHandle=0x148, DesiredAccess=0x8, TokenHandle=0x151f834 | out: TokenHandle=0x151f834*=0x14c) returned 1 [0036.076] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f830 | out: TokenInformation=0x0, ReturnLength=0x151f830) returned 0 [0036.076] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0xb35a18, TokenInformationLength=0x14, ReturnLength=0x151f830 | out: TokenInformation=0xb35a18, ReturnLength=0x151f830) returned 1 [0036.076] GetSidSubAuthorityCount (pSid=0xb35a20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xb35a21 [0036.076] GetSidSubAuthority (pSid=0xb35a20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xb35a28 [0036.076] GetExitCodeProcess (in: hProcess=0x148, lpExitCode=0x151f850 | out: lpExitCode=0x151f850*=0x103) returned 1 [0036.077] GetProcessImageFileNameW (in: hProcess=0x148, lpImageFileName=0xb2ed88, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Program Files\\Reference Assemblies\\need result.exe") returned 0x4a [0036.077] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x151f838 | out: Wow64Process=0x151f838) returned 1 [0036.077] IsWow64Process (in: hProcess=0x148, Wow64Process=0x151f848 | out: Wow64Process=0x151f848) returned 1 [0036.077] NtQueryInformationProcess (in: ProcessHandle=0x148, ProcessInformationClass=0x18, ProcessInformation=0x151f844, ProcessInformationLength=0x4, ReturnLength=0x151f848 | out: ProcessInformation=0x151f844, ReturnLength=0x151f848) returned 0x0 [0036.077] GetProcessTimes (in: hProcess=0x148, lpCreationTime=0x151f86c, lpExitTime=0x151f864, lpKernelTime=0x151f864, lpUserTime=0x151f864 | out: lpCreationTime=0x151f86c, lpExitTime=0x151f864, lpKernelTime=0x151f864, lpUserTime=0x151f864) returned 1 [0036.077] OpenProcessToken (in: ProcessHandle=0x148, DesiredAccess=0x8, TokenHandle=0x151f834 | out: TokenHandle=0x151f834*=0x14c) returned 1 [0036.077] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f830 | out: TokenInformation=0x0, ReturnLength=0x151f830) returned 0 [0036.077] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0xb35a18, TokenInformationLength=0x14, ReturnLength=0x151f830 | out: TokenInformation=0xb35a18, ReturnLength=0x151f830) returned 1 [0036.077] GetSidSubAuthorityCount (pSid=0xb35a20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xb35a21 [0036.077] GetSidSubAuthority (pSid=0xb35a20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xb35a28 [0036.077] GetExitCodeProcess (in: hProcess=0x148, lpExitCode=0x151f850 | out: lpExitCode=0x151f850*=0x103) returned 1 [0036.077] GetProcessImageFileNameW (in: hProcess=0x148, lpImageFileName=0xb2ed88, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Program Files\\Microsoft Sync Framework\\spring.exe") returned 0x49 [0036.077] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x151f838 | out: Wow64Process=0x151f838) returned 1 [0036.077] IsWow64Process (in: hProcess=0x148, Wow64Process=0x151f848 | out: Wow64Process=0x151f848) returned 1 [0036.077] NtQueryInformationProcess (in: ProcessHandle=0x148, ProcessInformationClass=0x18, ProcessInformation=0x151f844, ProcessInformationLength=0x4, ReturnLength=0x151f848 | out: ProcessInformation=0x151f844, ReturnLength=0x151f848) returned 0x0 [0036.077] GetProcessTimes (in: hProcess=0x148, lpCreationTime=0x151f86c, lpExitTime=0x151f864, lpKernelTime=0x151f864, lpUserTime=0x151f864 | out: lpCreationTime=0x151f86c, lpExitTime=0x151f864, lpKernelTime=0x151f864, lpUserTime=0x151f864) returned 1 [0036.077] OpenProcessToken (in: ProcessHandle=0x148, DesiredAccess=0x8, TokenHandle=0x151f834 | out: TokenHandle=0x151f834*=0x14c) returned 1 [0036.077] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f830 | out: TokenInformation=0x0, ReturnLength=0x151f830) returned 0 [0036.077] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0xb35a18, TokenInformationLength=0x14, ReturnLength=0x151f830 | out: TokenInformation=0xb35a18, ReturnLength=0x151f830) returned 1 [0036.077] GetSidSubAuthorityCount (pSid=0xb35a20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xb35a21 [0036.077] GetSidSubAuthority (pSid=0xb35a20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xb35a28 [0036.077] GetExitCodeProcess (in: hProcess=0x148, lpExitCode=0x151f850 | out: lpExitCode=0x151f850*=0x103) returned 1 [0036.077] GetProcessImageFileNameW (in: hProcess=0x148, lpImageFileName=0xb2ed88, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Program Files (x86)\\MSBuild\\marvel.exe") returned 0x3e [0036.077] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x151f838 | out: Wow64Process=0x151f838) returned 1 [0036.077] IsWow64Process (in: hProcess=0x148, Wow64Process=0x151f848 | out: Wow64Process=0x151f848) returned 1 [0036.077] NtQueryInformationProcess (in: ProcessHandle=0x148, ProcessInformationClass=0x18, ProcessInformation=0x151f844, ProcessInformationLength=0x4, ReturnLength=0x151f848 | out: ProcessInformation=0x151f844, ReturnLength=0x151f848) returned 0x0 [0036.077] GetProcessTimes (in: hProcess=0x148, lpCreationTime=0x151f86c, lpExitTime=0x151f864, lpKernelTime=0x151f864, lpUserTime=0x151f864 | out: lpCreationTime=0x151f86c, lpExitTime=0x151f864, lpKernelTime=0x151f864, lpUserTime=0x151f864) returned 1 [0036.078] OpenProcessToken (in: ProcessHandle=0x148, DesiredAccess=0x8, TokenHandle=0x151f834 | out: TokenHandle=0x151f834*=0x14c) returned 1 [0036.078] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f830 | out: TokenInformation=0x0, ReturnLength=0x151f830) returned 0 [0036.078] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0xb35a18, TokenInformationLength=0x14, ReturnLength=0x151f830 | out: TokenInformation=0xb35a18, ReturnLength=0x151f830) returned 1 [0036.078] GetSidSubAuthorityCount (pSid=0xb35a20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xb35a21 [0036.078] GetSidSubAuthority (pSid=0xb35a20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xb35a28 [0036.078] GetExitCodeProcess (in: hProcess=0x148, lpExitCode=0x151f850 | out: lpExitCode=0x151f850*=0x103) returned 1 [0036.078] GetProcessImageFileNameW (in: hProcess=0x148, lpImageFileName=0xb2ed88, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Program Files\\Windows Media Player\\clicks plc.exe") returned 0x49 [0036.078] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x151f838 | out: Wow64Process=0x151f838) returned 1 [0036.078] IsWow64Process (in: hProcess=0x148, Wow64Process=0x151f848 | out: Wow64Process=0x151f848) returned 1 [0036.078] NtQueryInformationProcess (in: ProcessHandle=0x148, ProcessInformationClass=0x18, ProcessInformation=0x151f844, ProcessInformationLength=0x4, ReturnLength=0x151f848 | out: ProcessInformation=0x151f844, ReturnLength=0x151f848) returned 0x0 [0036.078] GetProcessTimes (in: hProcess=0x148, lpCreationTime=0x151f86c, lpExitTime=0x151f864, lpKernelTime=0x151f864, lpUserTime=0x151f864 | out: lpCreationTime=0x151f86c, lpExitTime=0x151f864, lpKernelTime=0x151f864, lpUserTime=0x151f864) returned 1 [0036.078] OpenProcessToken (in: ProcessHandle=0x148, DesiredAccess=0x8, TokenHandle=0x151f834 | out: TokenHandle=0x151f834*=0x14c) returned 1 [0036.078] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f830 | out: TokenInformation=0x0, ReturnLength=0x151f830) returned 0 [0036.078] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0xb35a18, TokenInformationLength=0x14, ReturnLength=0x151f830 | out: TokenInformation=0xb35a18, ReturnLength=0x151f830) returned 1 [0036.078] GetSidSubAuthorityCount (pSid=0xb35a20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xb35a21 [0036.078] GetSidSubAuthority (pSid=0xb35a20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xb35a28 [0036.078] GetExitCodeProcess (in: hProcess=0x148, lpExitCode=0x151f850 | out: lpExitCode=0x151f850*=0x103) returned 1 [0036.078] GetProcessImageFileNameW (in: hProcess=0x148, lpImageFileName=0xb2ed88, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Program Files\\DVD Maker\\inter-angle.exe") returned 0x3f [0036.078] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x151f838 | out: Wow64Process=0x151f838) returned 1 [0036.078] IsWow64Process (in: hProcess=0x148, Wow64Process=0x151f848 | out: Wow64Process=0x151f848) returned 1 [0036.078] NtQueryInformationProcess (in: ProcessHandle=0x148, ProcessInformationClass=0x18, ProcessInformation=0x151f844, ProcessInformationLength=0x4, ReturnLength=0x151f848 | out: ProcessInformation=0x151f844, ReturnLength=0x151f848) returned 0x0 [0036.078] GetProcessTimes (in: hProcess=0x148, lpCreationTime=0x151f86c, lpExitTime=0x151f864, lpKernelTime=0x151f864, lpUserTime=0x151f864 | out: lpCreationTime=0x151f86c, lpExitTime=0x151f864, lpKernelTime=0x151f864, lpUserTime=0x151f864) returned 1 [0036.078] OpenProcessToken (in: ProcessHandle=0x148, DesiredAccess=0x8, TokenHandle=0x151f834 | out: TokenHandle=0x151f834*=0x14c) returned 1 [0036.078] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f830 | out: TokenInformation=0x0, ReturnLength=0x151f830) returned 0 [0036.078] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0xb35a18, TokenInformationLength=0x14, ReturnLength=0x151f830 | out: TokenInformation=0xb35a18, ReturnLength=0x151f830) returned 1 [0036.078] GetSidSubAuthorityCount (pSid=0xb35a20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xb35a21 [0036.078] GetSidSubAuthority (pSid=0xb35a20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xb35a28 [0036.078] GetExitCodeProcess (in: hProcess=0x148, lpExitCode=0x151f850 | out: lpExitCode=0x151f850*=0x103) returned 1 [0036.079] GetProcessImageFileNameW (in: hProcess=0x148, lpImageFileName=0xb2ed88, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Program Files\\Windows Portable Devices\\admit cellular.exe") returned 0x51 [0036.079] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x151f838 | out: Wow64Process=0x151f838) returned 1 [0036.079] IsWow64Process (in: hProcess=0x148, Wow64Process=0x151f848 | out: Wow64Process=0x151f848) returned 1 [0036.079] NtQueryInformationProcess (in: ProcessHandle=0x148, ProcessInformationClass=0x18, ProcessInformation=0x151f844, ProcessInformationLength=0x4, ReturnLength=0x151f848 | out: ProcessInformation=0x151f844, ReturnLength=0x151f848) returned 0x0 [0036.079] GetProcessTimes (in: hProcess=0x148, lpCreationTime=0x151f86c, lpExitTime=0x151f864, lpKernelTime=0x151f864, lpUserTime=0x151f864 | out: lpCreationTime=0x151f86c, lpExitTime=0x151f864, lpKernelTime=0x151f864, lpUserTime=0x151f864) returned 1 [0036.079] OpenProcessToken (in: ProcessHandle=0x148, DesiredAccess=0x8, TokenHandle=0x151f834 | out: TokenHandle=0x151f834*=0x14c) returned 1 [0036.079] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f830 | out: TokenInformation=0x0, ReturnLength=0x151f830) returned 0 [0036.079] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0xb35a18, TokenInformationLength=0x14, ReturnLength=0x151f830 | out: TokenInformation=0xb35a18, ReturnLength=0x151f830) returned 1 [0036.079] GetSidSubAuthorityCount (pSid=0xb35a20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xb35a21 [0036.079] GetSidSubAuthority (pSid=0xb35a20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xb35a28 [0036.079] GetExitCodeProcess (in: hProcess=0x148, lpExitCode=0x151f850 | out: lpExitCode=0x151f850*=0x103) returned 1 [0036.079] GetProcessImageFileNameW (in: hProcess=0x148, lpImageFileName=0xb2ed88, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Program Files (x86)\\Microsoft Analysis Services\\contractor.exe") returned 0x56 [0036.079] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x151f838 | out: Wow64Process=0x151f838) returned 1 [0036.079] IsWow64Process (in: hProcess=0x148, Wow64Process=0x151f848 | out: Wow64Process=0x151f848) returned 1 [0036.079] NtQueryInformationProcess (in: ProcessHandle=0x148, ProcessInformationClass=0x18, ProcessInformation=0x151f844, ProcessInformationLength=0x4, ReturnLength=0x151f848 | out: ProcessInformation=0x151f844, ReturnLength=0x151f848) returned 0x0 [0036.079] GetProcessTimes (in: hProcess=0x148, lpCreationTime=0x151f86c, lpExitTime=0x151f864, lpKernelTime=0x151f864, lpUserTime=0x151f864 | out: lpCreationTime=0x151f86c, lpExitTime=0x151f864, lpKernelTime=0x151f864, lpUserTime=0x151f864) returned 1 [0036.079] OpenProcessToken (in: ProcessHandle=0x148, DesiredAccess=0x8, TokenHandle=0x151f834 | out: TokenHandle=0x151f834*=0x14c) returned 1 [0036.079] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f830 | out: TokenInformation=0x0, ReturnLength=0x151f830) returned 0 [0036.079] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0xb35a18, TokenInformationLength=0x14, ReturnLength=0x151f830 | out: TokenInformation=0xb35a18, ReturnLength=0x151f830) returned 1 [0036.079] GetSidSubAuthorityCount (pSid=0xb35a20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xb35a21 [0036.079] GetSidSubAuthority (pSid=0xb35a20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xb35a28 [0036.079] GetExitCodeProcess (in: hProcess=0x148, lpExitCode=0x151f850 | out: lpExitCode=0x151f850*=0x103) returned 1 [0036.079] GetProcessImageFileNameW (in: hProcess=0x148, lpImageFileName=0xb2ed88, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Program Files\\Microsoft Office\\theta.exe") returned 0x40 [0036.080] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x151f838 | out: Wow64Process=0x151f838) returned 1 [0036.080] IsWow64Process (in: hProcess=0x148, Wow64Process=0x151f848 | out: Wow64Process=0x151f848) returned 1 [0036.080] NtQueryInformationProcess (in: ProcessHandle=0x148, ProcessInformationClass=0x18, ProcessInformation=0x151f844, ProcessInformationLength=0x4, ReturnLength=0x151f848 | out: ProcessInformation=0x151f844, ReturnLength=0x151f848) returned 0x0 [0036.080] GetProcessTimes (in: hProcess=0x148, lpCreationTime=0x151f86c, lpExitTime=0x151f864, lpKernelTime=0x151f864, lpUserTime=0x151f864 | out: lpCreationTime=0x151f86c, lpExitTime=0x151f864, lpKernelTime=0x151f864, lpUserTime=0x151f864) returned 1 [0036.080] OpenProcessToken (in: ProcessHandle=0x148, DesiredAccess=0x8, TokenHandle=0x151f834 | out: TokenHandle=0x151f834*=0x14c) returned 1 [0036.080] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f830 | out: TokenInformation=0x0, ReturnLength=0x151f830) returned 0 [0036.080] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0xb35a18, TokenInformationLength=0x14, ReturnLength=0x151f830 | out: TokenInformation=0xb35a18, ReturnLength=0x151f830) returned 1 [0036.080] GetSidSubAuthorityCount (pSid=0xb35a20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xb35a21 [0036.080] GetSidSubAuthority (pSid=0xb35a20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xb35a28 [0036.080] GetExitCodeProcess (in: hProcess=0x148, lpExitCode=0x151f850 | out: lpExitCode=0x151f850*=0x103) returned 1 [0036.080] GetProcessImageFileNameW (in: hProcess=0x148, lpImageFileName=0xb2ed88, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Windows\\System32\\csrss.exe") returned 0x32 [0036.080] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x151f838 | out: Wow64Process=0x151f838) returned 1 [0036.080] IsWow64Process (in: hProcess=0x148, Wow64Process=0x151f848 | out: Wow64Process=0x151f848) returned 1 [0036.080] NtQueryInformationProcess (in: ProcessHandle=0x148, ProcessInformationClass=0x18, ProcessInformation=0x151f844, ProcessInformationLength=0x4, ReturnLength=0x151f848 | out: ProcessInformation=0x151f844, ReturnLength=0x151f848) returned 0x0 [0036.080] GetProcessTimes (in: hProcess=0x148, lpCreationTime=0x151f86c, lpExitTime=0x151f864, lpKernelTime=0x151f864, lpUserTime=0x151f864 | out: lpCreationTime=0x151f86c, lpExitTime=0x151f864, lpKernelTime=0x151f864, lpUserTime=0x151f864) returned 1 [0036.080] OpenProcessToken (in: ProcessHandle=0x148, DesiredAccess=0x8, TokenHandle=0x151f834 | out: TokenHandle=0x151f834*=0x14c) returned 1 [0036.080] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f830 | out: TokenInformation=0x0, ReturnLength=0x151f830) returned 0 [0036.080] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0xb35a18, TokenInformationLength=0x14, ReturnLength=0x151f830 | out: TokenInformation=0xb35a18, ReturnLength=0x151f830) returned 1 [0036.080] GetSidSubAuthorityCount (pSid=0xb35a20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000)) returned 0xb35a21 [0036.080] GetSidSubAuthority (pSid=0xb35a20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000), nSubAuthority=0x0) returned 0xb35a28 [0036.080] GetExitCodeProcess (in: hProcess=0x148, lpExitCode=0x151f850 | out: lpExitCode=0x151f850*=0x103) returned 1 [0036.080] GetProcessImageFileNameW (in: hProcess=0x148, lpImageFileName=0xb2ed88, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Windows\\System32\\conhost.exe") returned 0x34 [0036.080] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x151f838 | out: Wow64Process=0x151f838) returned 1 [0036.080] IsWow64Process (in: hProcess=0x148, Wow64Process=0x151f848 | out: Wow64Process=0x151f848) returned 1 [0036.081] NtQueryInformationProcess (in: ProcessHandle=0x148, ProcessInformationClass=0x18, ProcessInformation=0x151f844, ProcessInformationLength=0x4, ReturnLength=0x151f848 | out: ProcessInformation=0x151f844, ReturnLength=0x151f848) returned 0x0 [0036.081] GetProcessTimes (in: hProcess=0x148, lpCreationTime=0x151f86c, lpExitTime=0x151f864, lpKernelTime=0x151f864, lpUserTime=0x151f864 | out: lpCreationTime=0x151f86c, lpExitTime=0x151f864, lpKernelTime=0x151f864, lpUserTime=0x151f864) returned 1 [0036.081] OpenProcessToken (in: ProcessHandle=0x148, DesiredAccess=0x8, TokenHandle=0x151f834 | out: TokenHandle=0x151f834*=0x14c) returned 1 [0036.081] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f830 | out: TokenInformation=0x0, ReturnLength=0x151f830) returned 0 [0036.081] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0xb35a18, TokenInformationLength=0x14, ReturnLength=0x151f830 | out: TokenInformation=0xb35a18, ReturnLength=0x151f830) returned 1 [0036.081] GetSidSubAuthorityCount (pSid=0xb35a20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x3000)) returned 0xb35a21 [0036.081] GetSidSubAuthority (pSid=0xb35a20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x3000), nSubAuthority=0x0) returned 0xb35a28 [0036.081] GetExitCodeProcess (in: hProcess=0x148, lpExitCode=0x151f850 | out: lpExitCode=0x151f850*=0x103) returned 1 [0036.081] GetProcessImageFileNameW (in: hProcess=0x148, lpImageFileName=0xb2ed88, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Program Files\\Common Files\\Microsoft Shared\\Source Engine\\OSE.EXE") returned 0x59 [0036.081] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x151f838 | out: Wow64Process=0x151f838) returned 1 [0036.081] IsWow64Process (in: hProcess=0x148, Wow64Process=0x151f848 | out: Wow64Process=0x151f848) returned 1 [0036.081] NtQueryInformationProcess (in: ProcessHandle=0x148, ProcessInformationClass=0x18, ProcessInformation=0x151f844, ProcessInformationLength=0x4, ReturnLength=0x151f848 | out: ProcessInformation=0x151f844, ReturnLength=0x151f848) returned 0x0 [0036.081] GetProcessTimes (in: hProcess=0x148, lpCreationTime=0x151f86c, lpExitTime=0x151f864, lpKernelTime=0x151f864, lpUserTime=0x151f864 | out: lpCreationTime=0x151f86c, lpExitTime=0x151f864, lpKernelTime=0x151f864, lpUserTime=0x151f864) returned 1 [0036.081] OpenProcessToken (in: ProcessHandle=0x148, DesiredAccess=0x8, TokenHandle=0x151f834 | out: TokenHandle=0x151f834*=0x14c) returned 1 [0036.081] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f830 | out: TokenInformation=0x0, ReturnLength=0x151f830) returned 0 [0036.081] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0xb35a18, TokenInformationLength=0x14, ReturnLength=0x151f830 | out: TokenInformation=0xb35a18, ReturnLength=0x151f830) returned 1 [0036.081] GetSidSubAuthorityCount (pSid=0xb35a20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000)) returned 0xb35a21 [0036.081] GetSidSubAuthority (pSid=0xb35a20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000), nSubAuthority=0x0) returned 0xb35a28 [0036.081] GetExitCodeProcess (in: hProcess=0x148, lpExitCode=0x151f850 | out: lpExitCode=0x151f850*=0x103) returned 1 [0036.081] GetProcessImageFileNameW (in: hProcess=0x148, lpImageFileName=0xb2ed88, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Windows\\System32\\VSSVC.exe") returned 0x32 [0036.081] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x151f838 | out: Wow64Process=0x151f838) returned 1 [0036.081] IsWow64Process (in: hProcess=0x148, Wow64Process=0x151f848 | out: Wow64Process=0x151f848) returned 1 [0036.081] NtQueryInformationProcess (in: ProcessHandle=0x148, ProcessInformationClass=0x18, ProcessInformation=0x151f844, ProcessInformationLength=0x4, ReturnLength=0x151f848 | out: ProcessInformation=0x151f844, ReturnLength=0x151f848) returned 0x0 [0036.081] GetProcessTimes (in: hProcess=0x148, lpCreationTime=0x151f86c, lpExitTime=0x151f864, lpKernelTime=0x151f864, lpUserTime=0x151f864 | out: lpCreationTime=0x151f86c, lpExitTime=0x151f864, lpKernelTime=0x151f864, lpUserTime=0x151f864) returned 1 [0036.081] OpenProcessToken (in: ProcessHandle=0x148, DesiredAccess=0x8, TokenHandle=0x151f834 | out: TokenHandle=0x151f834*=0x14c) returned 1 [0036.082] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f830 | out: TokenInformation=0x0, ReturnLength=0x151f830) returned 0 [0036.082] GetTokenInformation (in: TokenHandle=0x14c, TokenInformationClass=0x19, TokenInformation=0xb35a18, TokenInformationLength=0x14, ReturnLength=0x151f830 | out: TokenInformation=0xb35a18, ReturnLength=0x151f830) returned 1 [0036.082] GetSidSubAuthorityCount (pSid=0xb35a20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000)) returned 0xb35a21 [0036.082] GetSidSubAuthority (pSid=0xb35a20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000), nSubAuthority=0x0) returned 0xb35a28 [0036.082] GetExitCodeProcess (in: hProcess=0x144, lpExitCode=0x151fbf8 | out: lpExitCode=0x151fbf8*=0x103) returned 1 [0036.082] NtOpenProcessToken (in: ProcessHandle=0x144, DesiredAccess=0xf01ff, TokenHandle=0x151fc4c | out: TokenHandle=0x151fc4c*=0x148) returned 0x0 [0036.082] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x148, dwFlags=0x0, pszPath=0xb2ed88 | out: pszPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming") returned 0x0 [0036.291] CryptAcquireContextW (in: phProv=0x151f94c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x151f94c*=0x290480) returned 1 [0036.291] CryptGenRandom (in: hProv=0x290480, dwLen=0x4, pbBuffer=0x151f960 | out: pbBuffer=0x151f960) returned 1 [0036.291] CryptReleaseContext (hProv=0x290480, dwFlags=0x0) returned 1 [0036.291] CryptAcquireContextW (in: phProv=0x151f948, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x151f948*=0x290480) returned 1 [0036.292] CryptGenRandom (in: hProv=0x290480, dwLen=0x4, pbBuffer=0x151f95c | out: pbBuffer=0x151f95c) returned 1 [0036.292] CryptReleaseContext (hProv=0x290480, dwFlags=0x0) returned 1 [0036.292] CryptAcquireContextW (in: phProv=0x151f948, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x151f948*=0x290480) returned 1 [0036.292] CryptGenRandom (in: hProv=0x290480, dwLen=0x4, pbBuffer=0x151f95c | out: pbBuffer=0x151f95c) returned 1 [0036.292] CryptReleaseContext (hProv=0x290480, dwFlags=0x0) returned 1 [0036.292] CryptAcquireContextW (in: phProv=0x151f948, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x151f948*=0x290480) returned 1 [0036.293] CryptGenRandom (in: hProv=0x290480, dwLen=0x4, pbBuffer=0x151f95c | out: pbBuffer=0x151f95c) returned 1 [0036.293] CryptReleaseContext (hProv=0x290480, dwFlags=0x0) returned 1 [0036.293] CryptAcquireContextW (in: phProv=0x151f948, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x151f948*=0x290480) returned 1 [0036.293] CryptGenRandom (in: hProv=0x290480, dwLen=0x4, pbBuffer=0x151f95c | out: pbBuffer=0x151f95c) returned 1 [0036.293] CryptReleaseContext (hProv=0x290480, dwFlags=0x0) returned 1 [0036.294] CryptAcquireContextW (in: phProv=0x151f948, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x151f948*=0x290480) returned 1 [0036.294] CryptGenRandom (in: hProv=0x290480, dwLen=0x4, pbBuffer=0x151f95c | out: pbBuffer=0x151f95c) returned 1 [0036.294] CryptReleaseContext (hProv=0x290480, dwFlags=0x0) returned 1 [0036.294] CryptAcquireContextW (in: phProv=0x151f948, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x151f948*=0x290480) returned 1 [0036.295] CryptGenRandom (in: hProv=0x290480, dwLen=0x4, pbBuffer=0x151f95c | out: pbBuffer=0x151f95c) returned 1 [0036.295] CryptReleaseContext (hProv=0x290480, dwFlags=0x0) returned 1 [0036.295] CryptAcquireContextW (in: phProv=0x151f948, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x151f948*=0x290480) returned 1 [0036.295] CryptGenRandom (in: hProv=0x290480, dwLen=0x4, pbBuffer=0x151f95c | out: pbBuffer=0x151f95c) returned 1 [0036.295] CryptReleaseContext (hProv=0x290480, dwFlags=0x0) returned 1 [0036.295] CryptAcquireContextW (in: phProv=0x151f948, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x151f948*=0x290480) returned 1 [0036.296] CryptGenRandom (in: hProv=0x290480, dwLen=0x4, pbBuffer=0x151f95c | out: pbBuffer=0x151f95c) returned 1 [0036.296] CryptReleaseContext (hProv=0x290480, dwFlags=0x0) returned 1 [0036.296] CryptAcquireContextW (in: phProv=0x151f948, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x151f948*=0x290480) returned 1 [0036.296] CryptGenRandom (in: hProv=0x290480, dwLen=0x4, pbBuffer=0x151f95c | out: pbBuffer=0x151f95c) returned 1 [0036.296] CryptReleaseContext (hProv=0x290480, dwFlags=0x0) returned 1 [0036.296] CryptAcquireContextW (in: phProv=0x151f948, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x151f948*=0x290480) returned 1 [0036.297] CryptGenRandom (in: hProv=0x290480, dwLen=0x4, pbBuffer=0x151f95c | out: pbBuffer=0x151f95c) returned 1 [0036.297] CryptReleaseContext (hProv=0x290480, dwFlags=0x0) returned 1 [0036.297] CryptAcquireContextW (in: phProv=0x151f948, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x151f948*=0x290480) returned 1 [0036.297] CryptGenRandom (in: hProv=0x290480, dwLen=0x4, pbBuffer=0x151f95c | out: pbBuffer=0x151f95c) returned 1 [0036.297] CryptReleaseContext (hProv=0x290480, dwFlags=0x0) returned 1 [0036.297] CryptAcquireContextW (in: phProv=0x151f948, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x151f948*=0x290480) returned 1 [0036.298] CryptGenRandom (in: hProv=0x290480, dwLen=0x4, pbBuffer=0x151f95c | out: pbBuffer=0x151f95c) returned 1 [0036.298] CryptReleaseContext (hProv=0x290480, dwFlags=0x0) returned 1 [0036.298] CryptAcquireContextW (in: phProv=0x151f948, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x151f948*=0x290480) returned 1 [0036.298] CryptGenRandom (in: hProv=0x290480, dwLen=0x4, pbBuffer=0x151f95c | out: pbBuffer=0x151f95c) returned 1 [0036.298] CryptReleaseContext (hProv=0x290480, dwFlags=0x0) returned 1 [0036.298] CryptAcquireContextW (in: phProv=0x151f948, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x151f948*=0x290480) returned 1 [0036.299] CryptGenRandom (in: hProv=0x290480, dwLen=0x4, pbBuffer=0x151f95c | out: pbBuffer=0x151f95c) returned 1 [0036.299] CryptReleaseContext (hProv=0x290480, dwFlags=0x0) returned 1 [0036.299] CryptAcquireContextW (in: phProv=0x151f948, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x151f948*=0x290480) returned 1 [0036.299] CryptGenRandom (in: hProv=0x290480, dwLen=0x4, pbBuffer=0x151f95c | out: pbBuffer=0x151f95c) returned 1 [0036.299] CryptReleaseContext (hProv=0x290480, dwFlags=0x0) returned 1 [0036.299] CryptAcquireContextW (in: phProv=0x151f948, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x151f948*=0x290480) returned 1 [0036.300] CryptGenRandom (in: hProv=0x290480, dwLen=0x4, pbBuffer=0x151f95c | out: pbBuffer=0x151f95c) returned 1 [0036.300] CryptReleaseContext (hProv=0x290480, dwFlags=0x0) returned 1 [0036.300] CryptAcquireContextW (in: phProv=0x151f948, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x151f948*=0x290480) returned 1 [0036.300] CryptGenRandom (in: hProv=0x290480, dwLen=0x4, pbBuffer=0x151f95c | out: pbBuffer=0x151f95c) returned 1 [0036.300] CryptReleaseContext (hProv=0x290480, dwFlags=0x0) returned 1 [0036.300] CryptAcquireContextW (in: phProv=0x151f948, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x151f948*=0x290480) returned 1 [0036.301] CryptGenRandom (in: hProv=0x290480, dwLen=0x4, pbBuffer=0x151f95c | out: pbBuffer=0x151f95c) returned 1 [0036.301] CryptReleaseContext (hProv=0x290480, dwFlags=0x0) returned 1 [0036.301] CryptAcquireContextW (in: phProv=0x151f948, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x151f948*=0x290480) returned 1 [0036.301] CryptGenRandom (in: hProv=0x290480, dwLen=0x4, pbBuffer=0x151f95c | out: pbBuffer=0x151f95c) returned 1 [0036.301] CryptReleaseContext (hProv=0x290480, dwFlags=0x0) returned 1 [0036.301] CryptAcquireContextW (in: phProv=0x151f948, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x151f948*=0x290480) returned 1 [0036.302] CryptGenRandom (in: hProv=0x290480, dwLen=0x4, pbBuffer=0x151f95c | out: pbBuffer=0x151f95c) returned 1 [0036.302] CryptReleaseContext (hProv=0x290480, dwFlags=0x0) returned 1 [0036.302] CryptAcquireContextW (in: phProv=0x151f948, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x151f948*=0x290480) returned 1 [0036.302] CryptGenRandom (in: hProv=0x290480, dwLen=0x4, pbBuffer=0x151f95c | out: pbBuffer=0x151f95c) returned 1 [0036.302] CryptReleaseContext (hProv=0x290480, dwFlags=0x0) returned 1 [0036.302] CryptAcquireContextW (in: phProv=0x151f948, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x151f948*=0x290480) returned 1 [0036.303] CryptGenRandom (in: hProv=0x290480, dwLen=0x4, pbBuffer=0x151f95c | out: pbBuffer=0x151f95c) returned 1 [0036.303] CryptReleaseContext (hProv=0x290480, dwFlags=0x0) returned 1 [0036.303] CryptAcquireContextW (in: phProv=0x151f948, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x151f948*=0x290480) returned 1 [0036.303] CryptGenRandom (in: hProv=0x290480, dwLen=0x4, pbBuffer=0x151f95c | out: pbBuffer=0x151f95c) returned 1 [0036.303] CryptReleaseContext (hProv=0x290480, dwFlags=0x0) returned 1 [0036.304] CryptAcquireContextW (in: phProv=0x151f948, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x151f948*=0x290480) returned 1 [0036.304] CryptGenRandom (in: hProv=0x290480, dwLen=0x4, pbBuffer=0x151f95c | out: pbBuffer=0x151f95c) returned 1 [0036.304] CryptReleaseContext (hProv=0x290480, dwFlags=0x0) returned 1 [0036.304] CryptAcquireContextW (in: phProv=0x151f948, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x151f948*=0x290480) returned 1 [0036.305] CryptGenRandom (in: hProv=0x290480, dwLen=0x4, pbBuffer=0x151f95c | out: pbBuffer=0x151f95c) returned 1 [0036.305] CryptReleaseContext (hProv=0x290480, dwFlags=0x0) returned 1 [0036.305] CryptAcquireContextW (in: phProv=0x151f948, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x151f948*=0x290480) returned 1 [0036.305] CryptGenRandom (in: hProv=0x290480, dwLen=0x4, pbBuffer=0x151f95c | out: pbBuffer=0x151f95c) returned 1 [0036.305] CryptReleaseContext (hProv=0x290480, dwFlags=0x0) returned 1 [0036.305] CryptAcquireContextW (in: phProv=0x151f948, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x151f948*=0x290480) returned 1 [0036.306] CryptGenRandom (in: hProv=0x290480, dwLen=0x4, pbBuffer=0x151f95c | out: pbBuffer=0x151f95c) returned 1 [0036.306] CryptReleaseContext (hProv=0x290480, dwFlags=0x0) returned 1 [0036.306] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\\\8DaT2hw8LGIxi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\8dat2hw8lgixi"), fInfoLevelId=0x0, lpFileInformation=0x151f914 | out: lpFileInformation=0x151f914*(dwFileAttributes=0x151fc44, ftCreationTime.dwLowDateTime=0x866d29, ftCreationTime.dwHighDateTime=0xad0000, ftLastAccessTime.dwLowDateTime=0x8, ftLastAccessTime.dwHighDateTime=0x868e92, ftLastWriteTime.dwLowDateTime=0x151fcc8, ftLastWriteTime.dwHighDateTime=0x151fc44, nFileSizeHigh=0x2, nFileSizeLow=0x151fc1c)) returned 0 [0036.306] GetLastError () returned 0x2 [0036.306] CreateFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\\\8DaT2hw8LGIxi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\8dat2hw8lgixi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x2, hTemplateFile=0x0) returned 0x15c [0036.306] SetFileTime (hFile=0x15c, lpCreationTime=0x0, lpLastAccessTime=0x151f958, lpLastWriteTime=0x151f958) returned 1 [0036.306] NtClose (Handle=0x15c) returned 0x0 [0036.306] GetShortPathNameW (in: lpszLongPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\\\8DaT2hw8LGIxi", lpszShortPath=0xb2f590, cchBuffer=0x200 | out: lpszShortPath="C:\\Users\\5P5NRG~1\\AppData\\Roaming\\\\8DAT2H~1") returned 0x2b [0036.307] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\\\8DaT2hw8LGIxi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\8dat2hw8lgixi"), fInfoLevelId=0x0, lpFileInformation=0x151f954 | out: lpFileInformation=0x151f954*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x2a06ee10, ftCreationTime.dwHighDateTime=0x1d4af0a, ftLastAccessTime.dwLowDateTime=0x2a06ee10, ftLastAccessTime.dwHighDateTime=0x1d4af0a, ftLastWriteTime.dwLowDateTime=0x2a06ee10, ftLastWriteTime.dwHighDateTime=0x1d4af0a, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0036.307] SetFileAttributesW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\\\8DaT2hw8LGIxi", dwFileAttributes=0x80) returned 1 [0036.307] DeleteFileW (lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\\\8DaT2hw8LGIxi" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\8dat2hw8lgixi")) returned 1 [0036.307] GetSystemDirectoryW (in: lpBuffer=0xb2cda0, uSize=0x40 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0036.307] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\*.exe", fInfoLevelId=0x1, lpFindFileData=0x151f9ac, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x151f9ac) returned 0x28f398 [0036.307] CryptAcquireContextW (in: phProv=0x151f968, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x151f968*=0x290480) returned 1 [0036.308] CryptGenRandom (in: hProv=0x290480, dwLen=0x4, pbBuffer=0x151f97c | out: pbBuffer=0x151f97c) returned 1 [0036.308] CryptReleaseContext (hProv=0x290480, dwFlags=0x0) returned 1 [0036.308] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.309] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.309] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.309] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.309] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.309] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.310] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.310] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.310] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.310] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.310] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.310] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.310] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.310] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.310] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.310] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.310] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.310] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.310] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.310] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.310] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.310] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.310] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.310] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.310] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.310] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.310] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.310] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.310] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.310] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.310] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.310] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.310] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.310] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.310] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.310] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.310] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.310] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.310] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.310] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.310] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.310] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.310] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.310] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.310] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.310] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.310] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.310] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.310] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.310] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.310] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.310] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.310] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.310] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.310] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.310] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.310] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.310] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.310] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.310] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.310] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.310] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.310] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.310] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.310] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.310] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.310] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.310] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.311] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.311] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.311] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.311] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.311] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.311] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.311] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.311] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.311] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.311] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.311] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.311] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.311] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.311] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.311] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.311] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.311] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.311] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.311] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.311] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.311] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.311] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.311] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.311] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.311] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.311] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.311] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.311] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.311] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.311] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.311] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.311] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.311] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.311] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.311] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.311] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.311] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.311] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.311] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.311] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.311] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.311] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.311] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.311] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.311] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.311] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.311] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.311] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.311] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.311] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.311] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.311] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.311] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.311] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.311] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.311] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.311] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.311] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.311] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.311] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.312] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.312] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.312] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.312] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.312] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.312] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.312] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.312] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.312] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.312] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.312] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.312] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.312] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.312] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.312] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.312] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.312] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.312] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.312] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.312] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.312] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.312] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.312] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.312] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.312] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.312] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.312] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.312] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.312] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.312] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.312] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.312] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.312] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.312] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.312] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.312] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.312] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.312] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.312] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.312] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.312] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.312] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.312] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.312] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.312] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.312] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.312] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.312] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.312] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.312] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.312] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.312] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.312] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.312] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.312] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.312] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.312] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.312] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.312] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.312] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.312] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.312] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.312] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.313] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.313] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.313] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.313] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.313] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.313] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.313] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.313] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.313] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.313] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.313] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.313] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.313] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.313] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.313] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.313] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.313] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.313] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.313] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.313] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.313] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.313] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.313] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.313] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.313] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.313] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.313] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.313] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.313] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.313] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.313] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.313] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.313] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.313] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.313] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.313] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.313] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.313] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.313] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.313] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.313] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.313] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.313] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.313] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.313] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.313] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.313] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.313] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.313] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.313] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.313] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.313] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.313] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.313] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.313] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.313] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.313] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.313] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f9ac | out: lpFindFileData=0x151f9ac) returned 1 [0036.313] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\SecEdit.exe" (normalized: "c:\\windows\\system32\\secedit.exe"), fInfoLevelId=0x0, lpFileInformation=0x151f914 | out: lpFileInformation=0x151f914*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x958df3ae, ftCreationTime.dwHighDateTime=0x1ca0414, ftLastAccessTime.dwLowDateTime=0x958df3ae, ftLastAccessTime.dwHighDateTime=0x1ca0414, ftLastWriteTime.dwLowDateTime=0xf29f8ef0, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x9000)) returned 1 [0036.314] CreateFileW (lpFileName="C:\\Windows\\system32\\SecEdit.exe" (normalized: "c:\\windows\\system32\\secedit.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0036.314] SetFileTime (hFile=0x178, lpCreationTime=0x0, lpLastAccessTime=0x151f958, lpLastWriteTime=0x151f958) returned 0 [0036.314] GetFileSize (in: hFile=0x178, lpFileSizeHigh=0x151f944 | out: lpFileSizeHigh=0x151f944*=0x0) returned 0x9000 [0036.314] SetFilePointer (in: hFile=0x178, lDistanceToMove=0, lpDistanceToMoveHigh=0x151f950*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x151f950*=0) returned 0x0 [0036.315] ReadFile (in: hFile=0x178, lpBuffer=0xae9a40, nNumberOfBytesToRead=0x9000, lpNumberOfBytesRead=0x151f984, lpOverlapped=0x0 | out: lpBuffer=0xae9a40*, lpNumberOfBytesRead=0x151f984*=0x9000, lpOverlapped=0x0) returned 1 [0036.340] GetFileAttributesExW (in: lpFileName="C:\\Users\\5P5NRG~1\\AppData\\Roaming\\\\8DAT2H~1" (normalized: "c:\\users\\5p5nrg~1\\appdata\\roaming\\8dat2h~1"), fInfoLevelId=0x0, lpFileInformation=0x151f914 | out: lpFileInformation=0x151f914*(dwFileAttributes=0x7468, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x100f934, ftLastAccessTime.dwLowDateTime=0x77a6e003, ftLastAccessTime.dwHighDateTime=0x868e92, ftLastWriteTime.dwLowDateTime=0x151fcc8, ftLastWriteTime.dwHighDateTime=0x151fc44, nFileSizeHigh=0x2, nFileSizeLow=0x151fc1c)) returned 0 [0036.341] GetLastError () returned 0x2 [0036.341] CreateFileW (lpFileName="C:\\Users\\5P5NRG~1\\AppData\\Roaming\\\\8DAT2H~1" (normalized: "c:\\users\\5p5nrg~1\\appdata\\roaming\\8dat2h~1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x2, hTemplateFile=0x0) returned 0x178 [0036.341] SetFileTime (hFile=0x178, lpCreationTime=0x0, lpLastAccessTime=0x151f958, lpLastWriteTime=0x151f958) returned 1 [0036.341] WriteFile (in: hFile=0x178, lpBuffer=0xae9a40*, nNumberOfBytesToWrite=0x9000, lpNumberOfBytesWritten=0x151f984, lpOverlapped=0x0 | out: lpBuffer=0xae9a40*, lpNumberOfBytesWritten=0x151f984*=0x9000, lpOverlapped=0x0) returned 1 [0036.342] NtClose (Handle=0x178) returned 0x0 [0036.343] FindClose (in: hFindFile=0x28f398 | out: hFindFile=0x28f398) returned 1 [0036.343] GetModuleFileNameW (in: hModule=0x0, lpFilename=0xb2f590, nSize=0x200 | out: lpFilename="C:\\Program Files\\Common Files\\Microsoft Shared\\Source Engine\\OSE.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\source engine\\ose.exe")) returned 0x44 [0036.343] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Source Engine\\OSE.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\source engine\\ose.exe"), fInfoLevelId=0x0, lpFileInformation=0x151f914 | out: lpFileInformation=0x151f914*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcfcedc00, ftCreationTime.dwHighDateTime=0x1ca911d, ftLastAccessTime.dwLowDateTime=0xeef4d890, ftLastAccessTime.dwHighDateTime=0x1d301be, ftLastWriteTime.dwLowDateTime=0xafbc0000, ftLastWriteTime.dwHighDateTime=0x1ca90be, nFileSizeHigh=0x0, nFileSizeLow=0x20200)) returned 1 [0036.343] CreateFileW (lpFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\Source Engine\\OSE.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\source engine\\ose.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x15c [0036.343] SetFileTime (hFile=0x15c, lpCreationTime=0x0, lpLastAccessTime=0x151f958, lpLastWriteTime=0x151f958) returned 0 [0036.343] GetFileSize (in: hFile=0x15c, lpFileSizeHigh=0x151f944 | out: lpFileSizeHigh=0x151f944*=0x0) returned 0x20200 [0036.343] SetFilePointer (in: hFile=0x15c, lDistanceToMove=0, lpDistanceToMoveHigh=0x151f950*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x151f950*=0) returned 0x0 [0036.344] ReadFile (in: hFile=0x15c, lpBuffer=0xaf2a48, nNumberOfBytesToRead=0x20200, lpNumberOfBytesRead=0x151f984, lpOverlapped=0x0 | out: lpBuffer=0xaf2a48*, lpNumberOfBytesRead=0x151f984*=0x20200, lpOverlapped=0x0) returned 1 [0036.346] GetFileAttributesExW (in: lpFileName="C:\\Users\\5P5NRG~1\\AppData\\Roaming\\\\8DAT2H~1:bin" (normalized: "c:\\users\\5p5nrg~1\\appdata\\roaming\\8dat2h~1:bin"), fInfoLevelId=0x0, lpFileInformation=0x151f914 | out: lpFileInformation=0x151f914*(dwFileAttributes=0x151fc44, ftCreationTime.dwLowDateTime=0x866d29, ftCreationTime.dwHighDateTime=0xad0000, ftLastAccessTime.dwLowDateTime=0x8, ftLastAccessTime.dwHighDateTime=0x868e92, ftLastWriteTime.dwLowDateTime=0x151fcc8, ftLastWriteTime.dwHighDateTime=0x151fc44, nFileSizeHigh=0x2, nFileSizeLow=0x151fc1c)) returned 0 [0036.346] GetLastError () returned 0x2 [0036.346] CreateFileW (lpFileName="C:\\Users\\5P5NRG~1\\AppData\\Roaming\\\\8DAT2H~1:bin" (normalized: "c:\\users\\5p5nrg~1\\appdata\\roaming\\8dat2h~1:bin"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x2, hTemplateFile=0x0) returned 0x15c [0036.347] SetFileTime (hFile=0x15c, lpCreationTime=0x0, lpLastAccessTime=0x151f958, lpLastWriteTime=0x151f958) returned 1 [0036.347] WriteFile (in: hFile=0x15c, lpBuffer=0xaf2a48*, nNumberOfBytesToWrite=0x20200, lpNumberOfBytesWritten=0x151f984, lpOverlapped=0x0 | out: lpBuffer=0xaf2a48*, lpNumberOfBytesWritten=0x151f984*=0x20200, lpOverlapped=0x0) returned 1 [0036.349] NtClose (Handle=0x15c) returned 0x0 [0036.350] CreateProcessAsUserW (in: hToken=0x148, lpApplicationName="C:\\Users\\5P5NRG~1\\AppData\\Roaming\\\\8DAT2H~1:bin", lpCommandLine="C:\\Users\\5P5NRG~1\\AppData\\Roaming\\\\8DAT2H~1:bin", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x151fc60*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x151fcb8 | out: lpCommandLine="C:\\Users\\5P5NRG~1\\AppData\\Roaming\\\\8DAT2H~1:bin", lpProcessInformation=0x151fcb8*(hProcess=0x178, hThread=0x15c, dwProcessId=0x9cc, dwThreadId=0x9d0)) returned 1 [0036.404] NtClose (Handle=0x15c) returned 0x0 [0036.404] NtClose (Handle=0x148) returned 0x0 [0036.404] GetLogicalDrives () returned 0x4 [0036.404] GetDriveTypeW (lpRootPathName="C:") returned 0x3 [0036.405] FindFirstFileExW (in: lpFileName="C:\\*", fInfoLevelId=0x1, lpFindFileData=0x151fa44, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x151fa44) returned 0x28f398 [0036.405] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151fa44 | out: lpFindFileData=0x151fa44) returned 1 [0036.405] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151fa44 | out: lpFindFileData=0x151fa44) returned 1 [0036.405] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151fa44 | out: lpFindFileData=0x151fa44) returned 1 [0036.405] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151fa44 | out: lpFindFileData=0x151fa44) returned 1 [0036.405] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151fa44 | out: lpFindFileData=0x151fa44) returned 1 [0036.405] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151fa44 | out: lpFindFileData=0x151fa44) returned 1 [0036.405] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151fa44 | out: lpFindFileData=0x151fa44) returned 1 [0036.405] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151fa44 | out: lpFindFileData=0x151fa44) returned 1 [0036.405] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151fa44 | out: lpFindFileData=0x151fa44) returned 1 [0036.405] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151fa44 | out: lpFindFileData=0x151fa44) returned 1 [0036.406] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151fa44 | out: lpFindFileData=0x151fa44) returned 1 [0036.406] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151fa44 | out: lpFindFileData=0x151fa44) returned 1 [0036.406] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151fa44 | out: lpFindFileData=0x151fa44) returned 1 [0036.406] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151fa44 | out: lpFindFileData=0x151fa44) returned 1 [0036.406] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151fa44 | out: lpFindFileData=0x151fa44) returned 1 [0036.406] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151fa44 | out: lpFindFileData=0x151fa44) returned 1 [0036.406] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151fa44 | out: lpFindFileData=0x151fa44) returned 0 [0036.406] GetLastError () returned 0x12 [0036.406] GetFileAttributesExW (in: lpFileName="C:\\bootmgr" (normalized: "c:\\bootmgr"), fInfoLevelId=0x0, lpFileInformation=0x151f8f8 | out: lpFileInformation=0x151f8f8*(dwFileAttributes=0x27, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x84a3bb2c, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x5db2a)) returned 1 [0036.406] GetFileAttributesExW (in: lpFileName="C:\\bootmgr" (normalized: "c:\\bootmgr"), fInfoLevelId=0x0, lpFileInformation=0x151f8f8 | out: lpFileInformation=0x151f8f8*(dwFileAttributes=0x27, ftCreationTime.dwLowDateTime=0xac0f9880, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac0f9880, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0x84a3bb2c, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x5db2a)) returned 1 [0036.406] GetFileAttributesExW (in: lpFileName="C:\\BOOTSECT.BAK" (normalized: "c:\\bootsect.bak"), fInfoLevelId=0x0, lpFileInformation=0x151f8f8 | out: lpFileInformation=0x151f8f8*(dwFileAttributes=0x27, ftCreationTime.dwLowDateTime=0xac54a060, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac54a060, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac54a060, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0036.407] GetFileAttributesExW (in: lpFileName="C:\\BOOTSECT.BAK" (normalized: "c:\\bootsect.bak"), fInfoLevelId=0x0, lpFileInformation=0x151f8f8 | out: lpFileInformation=0x151f8f8*(dwFileAttributes=0x27, ftCreationTime.dwLowDateTime=0xac54a060, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac54a060, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac54a060, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0036.407] GetFileAttributesExW (in: lpFileName="C:\\hiberfil.sys" (normalized: "c:\\hiberfil.sys"), fInfoLevelId=0x0, lpFileInformation=0x151f8f8 | out: lpFileInformation=0x151f8f8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x151f9e4, ftLastAccessTime.dwLowDateTime=0x86780f, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x151f9e4, ftLastWriteTime.dwHighDateTime=0x86a152, nFileSizeHigh=0x0, nFileSizeLow=0x1cf748)) returned 0 [0036.407] GetLastError () returned 0x20 [0036.407] GetFileAttributesExW (in: lpFileName="C:\\pagefile.sys" (normalized: "c:\\pagefile.sys"), fInfoLevelId=0x0, lpFileInformation=0x151f8f8 | out: lpFileInformation=0x151f8f8*(dwFileAttributes=0x3, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x151f9e4, ftLastAccessTime.dwLowDateTime=0x86780f, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x151f9e4, ftLastWriteTime.dwHighDateTime=0x86a152, nFileSizeHigh=0x0, nFileSizeLow=0x1cf748)) returned 0 [0036.407] GetLastError () returned 0x20 [0036.407] FindFirstFileExW (in: lpFileName="C:\\*", fInfoLevelId=0x1, lpFindFileData=0x151fa44, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x151fa44) returned 0x290480 [0036.407] FindClose (in: hFindFile=0x28f398 | out: hFindFile=0x28f398) returned 1 [0036.407] GetFileAttributesExW (in: lpFileName="C:\\$Recycle.Bin" (normalized: "c:\\$recycle.bin"), fInfoLevelId=0x0, lpFileInformation=0x151f978 | out: lpFileInformation=0x151f978*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xd29f5adc, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0036.408] CreateFileW (lpFileName="C:\\$Recycle.Bin" (normalized: "c:\\$recycle.bin"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2200000, hTemplateFile=0x0) returned 0x148 [0036.408] SetFileTime (hFile=0x148, lpCreationTime=0x0, lpLastAccessTime=0x151f9bc, lpLastWriteTime=0x151f9bc) returned 0 [0036.408] DeviceIoControl (in: hDevice=0x148, dwIoControlCode=0x900a8, lpInBuffer=0x0, nInBufferSize=0x0, lpOutBuffer=0xb2f590, nOutBufferSize=0x4000, lpBytesReturned=0x151fa14, lpOverlapped=0x0 | out: lpOutBuffer=0xb2f590, lpBytesReturned=0x151fa14, lpOverlapped=0x0) returned 0 [0036.408] FindFirstFileExW (in: lpFileName="C:\\$Recycle.Bin\\*", fInfoLevelId=0x1, lpFindFileData=0x151f784, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x151f784) returned 0x28f398 [0036.408] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f784 | out: lpFindFileData=0x151f784) returned 1 [0036.408] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f784 | out: lpFindFileData=0x151f784) returned 1 [0036.408] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f784 | out: lpFindFileData=0x151f784) returned 0 [0036.408] GetLastError () returned 0x12 [0036.408] FindFirstFileExW (in: lpFileName="C:\\$Recycle.Bin\\*", fInfoLevelId=0x1, lpFindFileData=0x151f784, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x151f784) returned 0x2904c0 [0036.408] FindClose (in: hFindFile=0x28f398 | out: hFindFile=0x28f398) returned 1 [0036.408] FindNextFileW (in: hFindFile=0x2904c0, lpFindFileData=0x151f784 | out: lpFindFileData=0x151f784) returned 1 [0036.408] FindNextFileW (in: hFindFile=0x2904c0, lpFindFileData=0x151f784 | out: lpFindFileData=0x151f784) returned 1 [0036.408] GetFileAttributesExW (in: lpFileName="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000" (normalized: "c:\\$recycle.bin\\s-1-5-21-3388679973-3930757225-3770151564-1000"), fInfoLevelId=0x0, lpFileInformation=0x151f6b8 | out: lpFileInformation=0x151f6b8*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0xb63e4b00, ftLastAccessTime.dwHighDateTime=0x1d337f4, ftLastWriteTime.dwLowDateTime=0xb63e4b00, ftLastWriteTime.dwHighDateTime=0x1d337f4, nFileSizeHigh=0x0, nFileSizeLow=0xa000)) returned 1 [0036.408] CreateFileW (lpFileName="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000" (normalized: "c:\\$recycle.bin\\s-1-5-21-3388679973-3930757225-3770151564-1000"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2200000, hTemplateFile=0x0) returned 0x148 [0036.408] SetFileTime (hFile=0x148, lpCreationTime=0x0, lpLastAccessTime=0x151f6fc, lpLastWriteTime=0x151f6fc) returned 0 [0036.409] DeviceIoControl (in: hDevice=0x148, dwIoControlCode=0x900a8, lpInBuffer=0x0, nInBufferSize=0x0, lpOutBuffer=0xb2fd98, nOutBufferSize=0x4000, lpBytesReturned=0x151f754, lpOverlapped=0x0 | out: lpOutBuffer=0xb2fd98, lpBytesReturned=0x151f754, lpOverlapped=0x0) returned 0 [0036.409] FindFirstFileExW (in: lpFileName="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\*", fInfoLevelId=0x1, lpFindFileData=0x151f4c4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x151f4c4) returned 0x28f398 [0036.409] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0036.410] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0036.410] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 0 [0036.410] GetLastError () returned 0x12 [0036.410] GetFileAttributesExW (in: lpFileName="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini" (normalized: "c:\\$recycle.bin\\s-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini"), fInfoLevelId=0x0, lpFileInformation=0x151f378 | out: lpFileInformation=0x151f378*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x81)) returned 1 [0036.410] GetFileAttributesExW (in: lpFileName="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini" (normalized: "c:\\$recycle.bin\\s-1-5-21-3388679973-3930757225-3770151564-1000\\desktop.ini"), fInfoLevelId=0x0, lpFileInformation=0x151f378 | out: lpFileInformation=0x151f378*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x2dfdd420, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2dfdd420, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2dfdd420, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x81)) returned 1 [0036.410] FindFirstFileExW (in: lpFileName="C:\\$Recycle.Bin\\S-1-5-21-3388679973-3930757225-3770151564-1000\\*", fInfoLevelId=0x1, lpFindFileData=0x151f4c4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x151f4c4) returned 0x290500 [0036.410] FindClose (in: hFindFile=0x28f398 | out: hFindFile=0x28f398) returned 1 [0036.410] FindNextFileW (in: hFindFile=0x290500, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0036.410] FindNextFileW (in: hFindFile=0x290500, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0036.410] FindNextFileW (in: hFindFile=0x290500, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 0 [0036.410] GetLastError () returned 0x12 [0036.410] FindClose (in: hFindFile=0x290500 | out: hFindFile=0x290500) returned 1 [0036.411] FindNextFileW (in: hFindFile=0x2904c0, lpFindFileData=0x151f784 | out: lpFindFileData=0x151f784) returned 0 [0036.411] GetLastError () returned 0x12 [0036.411] FindClose (in: hFindFile=0x2904c0 | out: hFindFile=0x2904c0) returned 1 [0036.411] FindNextFileW (in: hFindFile=0x290480, lpFindFileData=0x151fa44 | out: lpFindFileData=0x151fa44) returned 1 [0036.411] GetFileAttributesExW (in: lpFileName="C:\\Boot" (normalized: "c:\\boot"), fInfoLevelId=0x0, lpFileInformation=0x151f978 | out: lpFileInformation=0x151f978*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xac015040, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xac30ebc0, ftLastAccessTime.dwHighDateTime=0x1d2de32, ftLastWriteTime.dwLowDateTime=0xac30ebc0, ftLastWriteTime.dwHighDateTime=0x1d2de32, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0036.411] CreateFileW (lpFileName="C:\\Boot" (normalized: "c:\\boot"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2200000, hTemplateFile=0x0) returned 0x180 [0036.411] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x151f9bc, lpLastWriteTime=0x151f9bc) returned 0 [0036.411] DeviceIoControl (in: hDevice=0x180, dwIoControlCode=0x900a8, lpInBuffer=0x0, nInBufferSize=0x0, lpOutBuffer=0xb2f590, nOutBufferSize=0x4000, lpBytesReturned=0x151fa14, lpOverlapped=0x0 | out: lpOutBuffer=0xb2f590, lpBytesReturned=0x151fa14, lpOverlapped=0x0) returned 0 [0036.411] FindFirstFileExW (in: lpFileName="C:\\Boot\\*", fInfoLevelId=0x1, lpFindFileData=0x151f784, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x151f784) returned 0x28f398 [0036.411] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f784 | out: lpFindFileData=0x151f784) returned 1 [0036.411] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f784 | out: lpFindFileData=0x151f784) returned 1 [0036.411] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f784 | out: lpFindFileData=0x151f784) returned 1 [0036.411] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f784 | out: lpFindFileData=0x151f784) returned 1 [0036.411] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f784 | out: lpFindFileData=0x151f784) returned 1 [0036.411] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f784 | out: lpFindFileData=0x151f784) returned 1 [0036.411] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f784 | out: lpFindFileData=0x151f784) returned 1 [0036.411] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f784 | out: lpFindFileData=0x151f784) returned 1 [0036.411] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f784 | out: lpFindFileData=0x151f784) returned 1 [0036.411] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f784 | out: lpFindFileData=0x151f784) returned 1 [0036.411] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f784 | out: lpFindFileData=0x151f784) returned 1 [0036.411] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f784 | out: lpFindFileData=0x151f784) returned 1 [0036.411] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f784 | out: lpFindFileData=0x151f784) returned 1 [0036.411] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f784 | out: lpFindFileData=0x151f784) returned 1 [0036.411] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f784 | out: lpFindFileData=0x151f784) returned 1 [0036.411] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f784 | out: lpFindFileData=0x151f784) returned 1 [0036.411] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f784 | out: lpFindFileData=0x151f784) returned 1 [0036.411] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f784 | out: lpFindFileData=0x151f784) returned 1 [0036.411] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f784 | out: lpFindFileData=0x151f784) returned 1 [0036.412] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f784 | out: lpFindFileData=0x151f784) returned 1 [0036.412] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f784 | out: lpFindFileData=0x151f784) returned 1 [0036.412] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f784 | out: lpFindFileData=0x151f784) returned 1 [0036.412] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f784 | out: lpFindFileData=0x151f784) returned 1 [0036.412] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f784 | out: lpFindFileData=0x151f784) returned 1 [0036.412] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f784 | out: lpFindFileData=0x151f784) returned 1 [0036.412] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f784 | out: lpFindFileData=0x151f784) returned 1 [0036.412] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f784 | out: lpFindFileData=0x151f784) returned 1 [0036.412] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f784 | out: lpFindFileData=0x151f784) returned 1 [0036.412] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f784 | out: lpFindFileData=0x151f784) returned 1 [0036.412] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f784 | out: lpFindFileData=0x151f784) returned 1 [0036.412] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f784 | out: lpFindFileData=0x151f784) returned 1 [0036.412] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f784 | out: lpFindFileData=0x151f784) returned 0 [0036.412] GetLastError () returned 0x12 [0036.412] GetFileAttributesExW (in: lpFileName="C:\\Boot\\BCD" (normalized: "c:\\boot\\bcd"), fInfoLevelId=0x0, lpFileInformation=0x151f638 | out: lpFileInformation=0x151f638*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac2e8a60, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xe3dcbd50, ftLastAccessTime.dwHighDateTime=0x1d4ae89, ftLastWriteTime.dwLowDateTime=0xe3dcbd50, ftLastWriteTime.dwHighDateTime=0x1d4ae89, nFileSizeHigh=0x0, nFileSizeLow=0x6000)) returned 1 [0036.412] GetFileAttributesExW (in: lpFileName="C:\\Boot\\BCD" (normalized: "c:\\boot\\bcd"), fInfoLevelId=0x0, lpFileInformation=0x151f638 | out: lpFileInformation=0x151f638*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac2e8a60, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xe3dcbd50, ftLastAccessTime.dwHighDateTime=0x1d4ae89, ftLastWriteTime.dwLowDateTime=0xe3dcbd50, ftLastWriteTime.dwHighDateTime=0x1d4ae89, nFileSizeHigh=0x0, nFileSizeLow=0x6000)) returned 1 [0036.412] GetFileAttributesExW (in: lpFileName="C:\\Boot\\BCD" (normalized: "c:\\boot\\bcd"), fInfoLevelId=0x0, lpFileInformation=0x151f5f0 | out: lpFileInformation=0x151f5f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac2e8a60, ftCreationTime.dwHighDateTime=0x1d2de32, ftLastAccessTime.dwLowDateTime=0xe3dcbd50, ftLastAccessTime.dwHighDateTime=0x1d4ae89, ftLastWriteTime.dwLowDateTime=0xe3dcbd50, ftLastWriteTime.dwHighDateTime=0x1d4ae89, nFileSizeHigh=0x0, nFileSizeLow=0x6000)) returned 1 [0036.412] CreateFileW (lpFileName="C:\\Boot\\BCD" (normalized: "c:\\boot\\bcd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0036.412] GetLastError () returned 0x20 [0036.412] GetCurrentProcessId () returned 0x97c [0036.418] GetExitCodeProcess (in: hProcess=0x17c, lpExitCode=0x151f5e8 | out: lpExitCode=0x151f5e8*=0x103) returned 1 [0036.418] ResetEvent (hEvent=0x108) returned 1 [0036.418] SetEvent (hEvent=0x104) returned 1 [0036.418] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x102 [0036.933] TerminateThread (hThread=0x77ab1ecd, dwExitCode=0x0) returned 0 [0036.933] NtClose (Handle=0x77ab1ecd) returned 0xc0000008 [0036.933] ResetEvent (hEvent=0x104) returned 1 [0036.933] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x86246c, lpParameter=0x1cf7d8, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x184 [0036.934] ResetEvent (hEvent=0x108) returned 1 [0036.934] SetEvent (hEvent=0x104) returned 1 [0036.934] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.007] ResetEvent (hEvent=0x108) returned 1 [0037.007] SetEvent (hEvent=0x104) returned 1 [0037.007] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.008] ResetEvent (hEvent=0x108) returned 1 [0037.008] SetEvent (hEvent=0x104) returned 1 [0037.008] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.008] ResetEvent (hEvent=0x108) returned 1 [0037.008] SetEvent (hEvent=0x104) returned 1 [0037.008] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.008] ResetEvent (hEvent=0x108) returned 1 [0037.008] SetEvent (hEvent=0x104) returned 1 [0037.008] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.009] ResetEvent (hEvent=0x108) returned 1 [0037.009] SetEvent (hEvent=0x104) returned 1 [0037.009] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.009] ResetEvent (hEvent=0x108) returned 1 [0037.009] SetEvent (hEvent=0x104) returned 1 [0037.009] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.009] ResetEvent (hEvent=0x108) returned 1 [0037.009] SetEvent (hEvent=0x104) returned 1 [0037.010] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.010] ResetEvent (hEvent=0x108) returned 1 [0037.010] SetEvent (hEvent=0x104) returned 1 [0037.010] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.010] ResetEvent (hEvent=0x108) returned 1 [0037.010] SetEvent (hEvent=0x104) returned 1 [0037.010] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.011] ResetEvent (hEvent=0x108) returned 1 [0037.011] SetEvent (hEvent=0x104) returned 1 [0037.011] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.011] ResetEvent (hEvent=0x108) returned 1 [0037.011] SetEvent (hEvent=0x104) returned 1 [0037.011] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.012] ResetEvent (hEvent=0x108) returned 1 [0037.012] SetEvent (hEvent=0x104) returned 1 [0037.012] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.012] ResetEvent (hEvent=0x108) returned 1 [0037.012] SetEvent (hEvent=0x104) returned 1 [0037.012] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.013] ResetEvent (hEvent=0x108) returned 1 [0037.013] SetEvent (hEvent=0x104) returned 1 [0037.013] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.013] ResetEvent (hEvent=0x108) returned 1 [0037.013] SetEvent (hEvent=0x104) returned 1 [0037.013] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.018] ResetEvent (hEvent=0x108) returned 1 [0037.018] SetEvent (hEvent=0x104) returned 1 [0037.018] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.019] ResetEvent (hEvent=0x108) returned 1 [0037.019] SetEvent (hEvent=0x104) returned 1 [0037.019] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.019] ResetEvent (hEvent=0x108) returned 1 [0037.019] SetEvent (hEvent=0x104) returned 1 [0037.019] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.020] ResetEvent (hEvent=0x108) returned 1 [0037.020] SetEvent (hEvent=0x104) returned 1 [0037.020] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.020] ResetEvent (hEvent=0x108) returned 1 [0037.020] SetEvent (hEvent=0x104) returned 1 [0037.020] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.020] ResetEvent (hEvent=0x108) returned 1 [0037.020] SetEvent (hEvent=0x104) returned 1 [0037.020] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.020] ResetEvent (hEvent=0x108) returned 1 [0037.021] SetEvent (hEvent=0x104) returned 1 [0037.021] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.021] ResetEvent (hEvent=0x108) returned 1 [0037.021] SetEvent (hEvent=0x104) returned 1 [0037.021] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.021] ResetEvent (hEvent=0x108) returned 1 [0037.021] SetEvent (hEvent=0x104) returned 1 [0037.021] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.021] ResetEvent (hEvent=0x108) returned 1 [0037.021] SetEvent (hEvent=0x104) returned 1 [0037.022] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.022] GetExitCodeProcess (in: hProcess=0x148, lpExitCode=0x151f5e8 | out: lpExitCode=0x151f5e8*=0x103) returned 1 [0037.022] NtDuplicateObject (in: SourceProcessHandle=0x148, SourceHandle=0x4, TargetProcessHandle=0xffffffff, TargetHandle=0x151f648, DesiredAccess=0x80000000, HandleAttributes=0x0, Options=0x0 | out: TargetHandle=0x151f648*=0x0) returned 0xc0000022 [0037.022] NtDuplicateObject (in: SourceProcessHandle=0x148, SourceHandle=0x8, TargetProcessHandle=0xffffffff, TargetHandle=0x151f648, DesiredAccess=0x80000000, HandleAttributes=0x0, Options=0x0 | out: TargetHandle=0x151f648*=0x188) returned 0x0 [0037.022] ResetEvent (hEvent=0x108) returned 1 [0037.022] SetEvent (hEvent=0x104) returned 1 [0037.022] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.022] ResetEvent (hEvent=0x108) returned 1 [0037.022] SetEvent (hEvent=0x104) returned 1 [0037.022] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.023] ResetEvent (hEvent=0x108) returned 1 [0037.023] SetEvent (hEvent=0x104) returned 1 [0037.023] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.023] ResetEvent (hEvent=0x108) returned 1 [0037.023] SetEvent (hEvent=0x104) returned 1 [0037.023] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.023] ResetEvent (hEvent=0x108) returned 1 [0037.023] SetEvent (hEvent=0x104) returned 1 [0037.023] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.024] ResetEvent (hEvent=0x108) returned 1 [0037.024] SetEvent (hEvent=0x104) returned 1 [0037.024] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.024] ResetEvent (hEvent=0x108) returned 1 [0037.024] SetEvent (hEvent=0x104) returned 1 [0037.024] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.024] ResetEvent (hEvent=0x108) returned 1 [0037.024] SetEvent (hEvent=0x104) returned 1 [0037.024] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.025] ResetEvent (hEvent=0x108) returned 1 [0037.025] SetEvent (hEvent=0x104) returned 1 [0037.025] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.025] ResetEvent (hEvent=0x108) returned 1 [0037.025] SetEvent (hEvent=0x104) returned 1 [0037.025] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.025] ResetEvent (hEvent=0x108) returned 1 [0037.025] SetEvent (hEvent=0x104) returned 1 [0037.025] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.026] ResetEvent (hEvent=0x108) returned 1 [0037.026] SetEvent (hEvent=0x104) returned 1 [0037.026] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.026] ResetEvent (hEvent=0x108) returned 1 [0037.026] SetEvent (hEvent=0x104) returned 1 [0037.026] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.027] ResetEvent (hEvent=0x108) returned 1 [0037.027] SetEvent (hEvent=0x104) returned 1 [0037.027] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.027] ResetEvent (hEvent=0x108) returned 1 [0037.027] SetEvent (hEvent=0x104) returned 1 [0037.027] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.027] ResetEvent (hEvent=0x108) returned 1 [0037.028] SetEvent (hEvent=0x104) returned 1 [0037.028] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.028] ResetEvent (hEvent=0x108) returned 1 [0037.028] SetEvent (hEvent=0x104) returned 1 [0037.028] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.028] ResetEvent (hEvent=0x108) returned 1 [0037.028] SetEvent (hEvent=0x104) returned 1 [0037.028] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.028] ResetEvent (hEvent=0x108) returned 1 [0037.028] SetEvent (hEvent=0x104) returned 1 [0037.029] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.029] ResetEvent (hEvent=0x108) returned 1 [0037.029] SetEvent (hEvent=0x104) returned 1 [0037.029] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.029] ResetEvent (hEvent=0x108) returned 1 [0037.029] SetEvent (hEvent=0x104) returned 1 [0037.029] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.029] ResetEvent (hEvent=0x108) returned 1 [0037.029] SetEvent (hEvent=0x104) returned 1 [0037.030] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.030] ResetEvent (hEvent=0x108) returned 1 [0037.030] SetEvent (hEvent=0x104) returned 1 [0037.030] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.030] ResetEvent (hEvent=0x108) returned 1 [0037.030] SetEvent (hEvent=0x104) returned 1 [0037.030] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.030] ResetEvent (hEvent=0x108) returned 1 [0037.030] SetEvent (hEvent=0x104) returned 1 [0037.031] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.031] ResetEvent (hEvent=0x108) returned 1 [0037.031] SetEvent (hEvent=0x104) returned 1 [0037.031] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.031] ResetEvent (hEvent=0x108) returned 1 [0037.031] SetEvent (hEvent=0x104) returned 1 [0037.031] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.031] ResetEvent (hEvent=0x108) returned 1 [0037.031] SetEvent (hEvent=0x104) returned 1 [0037.032] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.032] ResetEvent (hEvent=0x108) returned 1 [0037.032] SetEvent (hEvent=0x104) returned 1 [0037.032] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.032] ResetEvent (hEvent=0x108) returned 1 [0037.032] SetEvent (hEvent=0x104) returned 1 [0037.032] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.032] ResetEvent (hEvent=0x108) returned 1 [0037.032] SetEvent (hEvent=0x104) returned 1 [0037.032] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.033] ResetEvent (hEvent=0x108) returned 1 [0037.033] SetEvent (hEvent=0x104) returned 1 [0037.033] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.033] ResetEvent (hEvent=0x108) returned 1 [0037.033] SetEvent (hEvent=0x104) returned 1 [0037.033] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.033] ResetEvent (hEvent=0x108) returned 1 [0037.033] SetEvent (hEvent=0x104) returned 1 [0037.033] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.034] ResetEvent (hEvent=0x108) returned 1 [0037.034] SetEvent (hEvent=0x104) returned 1 [0037.034] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.034] ResetEvent (hEvent=0x108) returned 1 [0037.034] SetEvent (hEvent=0x104) returned 1 [0037.034] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.034] ResetEvent (hEvent=0x108) returned 1 [0037.034] SetEvent (hEvent=0x104) returned 1 [0037.034] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.035] ResetEvent (hEvent=0x108) returned 1 [0037.035] SetEvent (hEvent=0x104) returned 1 [0037.035] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.035] ResetEvent (hEvent=0x108) returned 1 [0037.035] SetEvent (hEvent=0x104) returned 1 [0037.035] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.035] ResetEvent (hEvent=0x108) returned 1 [0037.035] SetEvent (hEvent=0x104) returned 1 [0037.036] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.036] ResetEvent (hEvent=0x108) returned 1 [0037.036] SetEvent (hEvent=0x104) returned 1 [0037.036] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.036] ResetEvent (hEvent=0x108) returned 1 [0037.036] SetEvent (hEvent=0x104) returned 1 [0037.036] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.036] ResetEvent (hEvent=0x108) returned 1 [0037.036] SetEvent (hEvent=0x104) returned 1 [0037.037] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.037] ResetEvent (hEvent=0x108) returned 1 [0037.037] SetEvent (hEvent=0x104) returned 1 [0037.037] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.037] ResetEvent (hEvent=0x108) returned 1 [0037.037] SetEvent (hEvent=0x104) returned 1 [0037.037] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.038] ResetEvent (hEvent=0x108) returned 1 [0037.038] SetEvent (hEvent=0x104) returned 1 [0037.038] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.038] ResetEvent (hEvent=0x108) returned 1 [0037.038] SetEvent (hEvent=0x104) returned 1 [0037.038] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.039] ResetEvent (hEvent=0x108) returned 1 [0037.039] SetEvent (hEvent=0x104) returned 1 [0037.039] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.039] ResetEvent (hEvent=0x108) returned 1 [0037.039] SetEvent (hEvent=0x104) returned 1 [0037.039] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.040] ResetEvent (hEvent=0x108) returned 1 [0037.040] SetEvent (hEvent=0x104) returned 1 [0037.040] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.040] ResetEvent (hEvent=0x108) returned 1 [0037.040] SetEvent (hEvent=0x104) returned 1 [0037.040] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.040] ResetEvent (hEvent=0x108) returned 1 [0037.040] SetEvent (hEvent=0x104) returned 1 [0037.040] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.041] ResetEvent (hEvent=0x108) returned 1 [0037.041] SetEvent (hEvent=0x104) returned 1 [0037.041] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.041] ResetEvent (hEvent=0x108) returned 1 [0037.041] SetEvent (hEvent=0x104) returned 1 [0037.041] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.041] ResetEvent (hEvent=0x108) returned 1 [0037.041] SetEvent (hEvent=0x104) returned 1 [0037.041] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.042] ResetEvent (hEvent=0x108) returned 1 [0037.042] SetEvent (hEvent=0x104) returned 1 [0037.042] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.043] ResetEvent (hEvent=0x108) returned 1 [0037.043] SetEvent (hEvent=0x104) returned 1 [0037.043] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.043] ResetEvent (hEvent=0x108) returned 1 [0037.043] SetEvent (hEvent=0x104) returned 1 [0037.043] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.043] ResetEvent (hEvent=0x108) returned 1 [0037.043] SetEvent (hEvent=0x104) returned 1 [0037.043] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.044] ResetEvent (hEvent=0x108) returned 1 [0037.044] SetEvent (hEvent=0x104) returned 1 [0037.044] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.044] ResetEvent (hEvent=0x108) returned 1 [0037.044] SetEvent (hEvent=0x104) returned 1 [0037.044] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.044] ResetEvent (hEvent=0x108) returned 1 [0037.044] SetEvent (hEvent=0x104) returned 1 [0037.044] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.044] ResetEvent (hEvent=0x108) returned 1 [0037.045] SetEvent (hEvent=0x104) returned 1 [0037.045] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.045] ResetEvent (hEvent=0x108) returned 1 [0037.045] SetEvent (hEvent=0x104) returned 1 [0037.045] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.045] ResetEvent (hEvent=0x108) returned 1 [0037.045] SetEvent (hEvent=0x104) returned 1 [0037.045] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.045] ResetEvent (hEvent=0x108) returned 1 [0037.045] SetEvent (hEvent=0x104) returned 1 [0037.046] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.046] ResetEvent (hEvent=0x108) returned 1 [0037.046] SetEvent (hEvent=0x104) returned 1 [0037.046] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.046] ResetEvent (hEvent=0x108) returned 1 [0037.046] SetEvent (hEvent=0x104) returned 1 [0037.046] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.047] ResetEvent (hEvent=0x108) returned 1 [0037.047] SetEvent (hEvent=0x104) returned 1 [0037.047] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.047] ResetEvent (hEvent=0x108) returned 1 [0037.047] SetEvent (hEvent=0x104) returned 1 [0037.047] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.047] ResetEvent (hEvent=0x108) returned 1 [0037.047] SetEvent (hEvent=0x104) returned 1 [0037.047] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.048] ResetEvent (hEvent=0x108) returned 1 [0037.048] SetEvent (hEvent=0x104) returned 1 [0037.048] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.048] ResetEvent (hEvent=0x108) returned 1 [0037.048] SetEvent (hEvent=0x104) returned 1 [0037.048] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.048] ResetEvent (hEvent=0x108) returned 1 [0037.048] SetEvent (hEvent=0x104) returned 1 [0037.048] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.049] ResetEvent (hEvent=0x108) returned 1 [0037.049] SetEvent (hEvent=0x104) returned 1 [0037.049] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.049] ResetEvent (hEvent=0x108) returned 1 [0037.049] SetEvent (hEvent=0x104) returned 1 [0037.049] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.050] ResetEvent (hEvent=0x108) returned 1 [0037.050] SetEvent (hEvent=0x104) returned 1 [0037.050] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.050] ResetEvent (hEvent=0x108) returned 1 [0037.050] SetEvent (hEvent=0x104) returned 1 [0037.050] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.050] ResetEvent (hEvent=0x108) returned 1 [0037.050] SetEvent (hEvent=0x104) returned 1 [0037.050] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.051] ResetEvent (hEvent=0x108) returned 1 [0037.051] SetEvent (hEvent=0x104) returned 1 [0037.051] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.051] ResetEvent (hEvent=0x108) returned 1 [0037.051] SetEvent (hEvent=0x104) returned 1 [0037.051] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.051] ResetEvent (hEvent=0x108) returned 1 [0037.051] SetEvent (hEvent=0x104) returned 1 [0037.051] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.052] ResetEvent (hEvent=0x108) returned 1 [0037.052] SetEvent (hEvent=0x104) returned 1 [0037.052] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.052] ResetEvent (hEvent=0x108) returned 1 [0037.052] SetEvent (hEvent=0x104) returned 1 [0037.052] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.055] ResetEvent (hEvent=0x108) returned 1 [0037.055] SetEvent (hEvent=0x104) returned 1 [0037.055] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.055] ResetEvent (hEvent=0x108) returned 1 [0037.055] SetEvent (hEvent=0x104) returned 1 [0037.055] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.055] ResetEvent (hEvent=0x108) returned 1 [0037.055] SetEvent (hEvent=0x104) returned 1 [0037.055] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.056] ResetEvent (hEvent=0x108) returned 1 [0037.056] SetEvent (hEvent=0x104) returned 1 [0037.056] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.056] ResetEvent (hEvent=0x108) returned 1 [0037.056] SetEvent (hEvent=0x104) returned 1 [0037.056] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.056] ResetEvent (hEvent=0x108) returned 1 [0037.056] SetEvent (hEvent=0x104) returned 1 [0037.056] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.057] ResetEvent (hEvent=0x108) returned 1 [0037.057] SetEvent (hEvent=0x104) returned 1 [0037.057] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.057] ResetEvent (hEvent=0x108) returned 1 [0037.057] SetEvent (hEvent=0x104) returned 1 [0037.057] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.057] ResetEvent (hEvent=0x108) returned 1 [0037.057] SetEvent (hEvent=0x104) returned 1 [0037.057] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.058] ResetEvent (hEvent=0x108) returned 1 [0037.058] SetEvent (hEvent=0x104) returned 1 [0037.058] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.058] ResetEvent (hEvent=0x108) returned 1 [0037.058] SetEvent (hEvent=0x104) returned 1 [0037.058] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.058] ResetEvent (hEvent=0x108) returned 1 [0037.058] SetEvent (hEvent=0x104) returned 1 [0037.059] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.059] ResetEvent (hEvent=0x108) returned 1 [0037.059] SetEvent (hEvent=0x104) returned 1 [0037.059] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.059] ResetEvent (hEvent=0x108) returned 1 [0037.059] SetEvent (hEvent=0x104) returned 1 [0037.059] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.059] ResetEvent (hEvent=0x108) returned 1 [0037.059] SetEvent (hEvent=0x104) returned 1 [0037.060] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.060] ResetEvent (hEvent=0x108) returned 1 [0037.060] SetEvent (hEvent=0x104) returned 1 [0037.060] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.060] ResetEvent (hEvent=0x108) returned 1 [0037.060] SetEvent (hEvent=0x104) returned 1 [0037.060] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.060] ResetEvent (hEvent=0x108) returned 1 [0037.060] SetEvent (hEvent=0x104) returned 1 [0037.060] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.061] ResetEvent (hEvent=0x108) returned 1 [0037.061] SetEvent (hEvent=0x104) returned 1 [0037.061] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.061] ResetEvent (hEvent=0x108) returned 1 [0037.061] SetEvent (hEvent=0x104) returned 1 [0037.061] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.061] ResetEvent (hEvent=0x108) returned 1 [0037.061] SetEvent (hEvent=0x104) returned 1 [0037.061] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.062] ResetEvent (hEvent=0x108) returned 1 [0037.062] SetEvent (hEvent=0x104) returned 1 [0037.062] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.062] ResetEvent (hEvent=0x108) returned 1 [0037.062] SetEvent (hEvent=0x104) returned 1 [0037.062] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.062] ResetEvent (hEvent=0x108) returned 1 [0037.062] SetEvent (hEvent=0x104) returned 1 [0037.062] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.063] ResetEvent (hEvent=0x108) returned 1 [0037.063] SetEvent (hEvent=0x104) returned 1 [0037.063] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.063] ResetEvent (hEvent=0x108) returned 1 [0037.063] SetEvent (hEvent=0x104) returned 1 [0037.063] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.063] ResetEvent (hEvent=0x108) returned 1 [0037.063] SetEvent (hEvent=0x104) returned 1 [0037.063] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.064] ResetEvent (hEvent=0x108) returned 1 [0037.064] SetEvent (hEvent=0x104) returned 1 [0037.064] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.064] ResetEvent (hEvent=0x108) returned 1 [0037.064] SetEvent (hEvent=0x104) returned 1 [0037.064] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.064] ResetEvent (hEvent=0x108) returned 1 [0037.064] SetEvent (hEvent=0x104) returned 1 [0037.064] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.065] ResetEvent (hEvent=0x108) returned 1 [0037.065] SetEvent (hEvent=0x104) returned 1 [0037.065] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.065] ResetEvent (hEvent=0x108) returned 1 [0037.065] SetEvent (hEvent=0x104) returned 1 [0037.065] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.065] ResetEvent (hEvent=0x108) returned 1 [0037.065] SetEvent (hEvent=0x104) returned 1 [0037.065] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.066] ResetEvent (hEvent=0x108) returned 1 [0037.066] SetEvent (hEvent=0x104) returned 1 [0037.066] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.066] ResetEvent (hEvent=0x108) returned 1 [0037.066] SetEvent (hEvent=0x104) returned 1 [0037.066] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.066] ResetEvent (hEvent=0x108) returned 1 [0037.066] SetEvent (hEvent=0x104) returned 1 [0037.066] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.067] ResetEvent (hEvent=0x108) returned 1 [0037.067] SetEvent (hEvent=0x104) returned 1 [0037.067] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.067] ResetEvent (hEvent=0x108) returned 1 [0037.067] SetEvent (hEvent=0x104) returned 1 [0037.067] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.067] ResetEvent (hEvent=0x108) returned 1 [0037.067] SetEvent (hEvent=0x104) returned 1 [0037.067] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.123] ResetEvent (hEvent=0x108) returned 1 [0037.123] SetEvent (hEvent=0x104) returned 1 [0037.123] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.123] ResetEvent (hEvent=0x108) returned 1 [0037.123] SetEvent (hEvent=0x104) returned 1 [0037.123] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.123] ResetEvent (hEvent=0x108) returned 1 [0037.123] SetEvent (hEvent=0x104) returned 1 [0037.123] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.124] ResetEvent (hEvent=0x108) returned 1 [0037.124] SetEvent (hEvent=0x104) returned 1 [0037.124] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.124] ResetEvent (hEvent=0x108) returned 1 [0037.124] SetEvent (hEvent=0x104) returned 1 [0037.124] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.124] ResetEvent (hEvent=0x108) returned 1 [0037.124] SetEvent (hEvent=0x104) returned 1 [0037.124] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.125] ResetEvent (hEvent=0x108) returned 1 [0037.125] SetEvent (hEvent=0x104) returned 1 [0037.125] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.125] ResetEvent (hEvent=0x108) returned 1 [0037.125] SetEvent (hEvent=0x104) returned 1 [0037.125] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.125] ResetEvent (hEvent=0x108) returned 1 [0037.125] SetEvent (hEvent=0x104) returned 1 [0037.126] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.126] ResetEvent (hEvent=0x108) returned 1 [0037.126] SetEvent (hEvent=0x104) returned 1 [0037.126] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.126] ResetEvent (hEvent=0x108) returned 1 [0037.126] SetEvent (hEvent=0x104) returned 1 [0037.126] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.127] ResetEvent (hEvent=0x108) returned 1 [0037.127] SetEvent (hEvent=0x104) returned 1 [0037.127] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.127] ResetEvent (hEvent=0x108) returned 1 [0037.127] SetEvent (hEvent=0x104) returned 1 [0037.127] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.128] ResetEvent (hEvent=0x108) returned 1 [0037.128] SetEvent (hEvent=0x104) returned 1 [0037.128] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.128] ResetEvent (hEvent=0x108) returned 1 [0037.128] SetEvent (hEvent=0x104) returned 1 [0037.128] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.128] ResetEvent (hEvent=0x108) returned 1 [0037.128] SetEvent (hEvent=0x104) returned 1 [0037.128] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.129] ResetEvent (hEvent=0x108) returned 1 [0037.129] SetEvent (hEvent=0x104) returned 1 [0037.129] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.129] ResetEvent (hEvent=0x108) returned 1 [0037.129] SetEvent (hEvent=0x104) returned 1 [0037.129] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.129] ResetEvent (hEvent=0x108) returned 1 [0037.129] SetEvent (hEvent=0x104) returned 1 [0037.129] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.130] ResetEvent (hEvent=0x108) returned 1 [0037.130] SetEvent (hEvent=0x104) returned 1 [0037.130] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.130] ResetEvent (hEvent=0x108) returned 1 [0037.130] SetEvent (hEvent=0x104) returned 1 [0037.130] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.131] ResetEvent (hEvent=0x108) returned 1 [0037.131] SetEvent (hEvent=0x104) returned 1 [0037.131] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.131] ResetEvent (hEvent=0x108) returned 1 [0037.131] SetEvent (hEvent=0x104) returned 1 [0037.131] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.132] ResetEvent (hEvent=0x108) returned 1 [0037.132] SetEvent (hEvent=0x104) returned 1 [0037.132] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.132] ResetEvent (hEvent=0x108) returned 1 [0037.132] SetEvent (hEvent=0x104) returned 1 [0037.132] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.132] ResetEvent (hEvent=0x108) returned 1 [0037.132] SetEvent (hEvent=0x104) returned 1 [0037.132] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.133] ResetEvent (hEvent=0x108) returned 1 [0037.133] SetEvent (hEvent=0x104) returned 1 [0037.133] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.133] ResetEvent (hEvent=0x108) returned 1 [0037.133] SetEvent (hEvent=0x104) returned 1 [0037.133] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.133] ResetEvent (hEvent=0x108) returned 1 [0037.133] SetEvent (hEvent=0x104) returned 1 [0037.133] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.134] ResetEvent (hEvent=0x108) returned 1 [0037.134] SetEvent (hEvent=0x104) returned 1 [0037.134] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.134] ResetEvent (hEvent=0x108) returned 1 [0037.134] SetEvent (hEvent=0x104) returned 1 [0037.134] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.134] ResetEvent (hEvent=0x108) returned 1 [0037.134] SetEvent (hEvent=0x104) returned 1 [0037.134] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.135] ResetEvent (hEvent=0x108) returned 1 [0037.135] SetEvent (hEvent=0x104) returned 1 [0037.135] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.135] ResetEvent (hEvent=0x108) returned 1 [0037.135] SetEvent (hEvent=0x104) returned 1 [0037.135] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.136] ResetEvent (hEvent=0x108) returned 1 [0037.136] SetEvent (hEvent=0x104) returned 1 [0037.136] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.136] ResetEvent (hEvent=0x108) returned 1 [0037.136] SetEvent (hEvent=0x104) returned 1 [0037.136] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.136] ResetEvent (hEvent=0x108) returned 1 [0037.136] SetEvent (hEvent=0x104) returned 1 [0037.136] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.137] ResetEvent (hEvent=0x108) returned 1 [0037.137] SetEvent (hEvent=0x104) returned 1 [0037.137] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.137] ResetEvent (hEvent=0x108) returned 1 [0037.137] SetEvent (hEvent=0x104) returned 1 [0037.137] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.137] ResetEvent (hEvent=0x108) returned 1 [0037.137] SetEvent (hEvent=0x104) returned 1 [0037.137] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.138] ResetEvent (hEvent=0x108) returned 1 [0037.138] SetEvent (hEvent=0x104) returned 1 [0037.138] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.138] ResetEvent (hEvent=0x108) returned 1 [0037.138] SetEvent (hEvent=0x104) returned 1 [0037.138] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.139] ResetEvent (hEvent=0x108) returned 1 [0037.139] SetEvent (hEvent=0x104) returned 1 [0037.139] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.139] ResetEvent (hEvent=0x108) returned 1 [0037.139] SetEvent (hEvent=0x104) returned 1 [0037.139] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.139] ResetEvent (hEvent=0x108) returned 1 [0037.139] SetEvent (hEvent=0x104) returned 1 [0037.139] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.140] ResetEvent (hEvent=0x108) returned 1 [0037.140] SetEvent (hEvent=0x104) returned 1 [0037.140] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.140] ResetEvent (hEvent=0x108) returned 1 [0037.140] SetEvent (hEvent=0x104) returned 1 [0037.140] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.140] ResetEvent (hEvent=0x108) returned 1 [0037.140] SetEvent (hEvent=0x104) returned 1 [0037.140] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.141] ResetEvent (hEvent=0x108) returned 1 [0037.141] SetEvent (hEvent=0x104) returned 1 [0037.141] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.141] ResetEvent (hEvent=0x108) returned 1 [0037.141] SetEvent (hEvent=0x104) returned 1 [0037.141] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.141] ResetEvent (hEvent=0x108) returned 1 [0037.141] SetEvent (hEvent=0x104) returned 1 [0037.141] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.142] ResetEvent (hEvent=0x108) returned 1 [0037.142] SetEvent (hEvent=0x104) returned 1 [0037.142] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.142] ResetEvent (hEvent=0x108) returned 1 [0037.142] SetEvent (hEvent=0x104) returned 1 [0037.142] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.142] ResetEvent (hEvent=0x108) returned 1 [0037.142] SetEvent (hEvent=0x104) returned 1 [0037.142] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.143] ResetEvent (hEvent=0x108) returned 1 [0037.143] SetEvent (hEvent=0x104) returned 1 [0037.143] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.143] ResetEvent (hEvent=0x108) returned 1 [0037.143] SetEvent (hEvent=0x104) returned 1 [0037.143] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.144] ResetEvent (hEvent=0x108) returned 1 [0037.144] SetEvent (hEvent=0x104) returned 1 [0037.144] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.144] ResetEvent (hEvent=0x108) returned 1 [0037.144] SetEvent (hEvent=0x104) returned 1 [0037.144] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.144] ResetEvent (hEvent=0x108) returned 1 [0037.144] SetEvent (hEvent=0x104) returned 1 [0037.144] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.145] ResetEvent (hEvent=0x108) returned 1 [0037.145] SetEvent (hEvent=0x104) returned 1 [0037.145] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.145] ResetEvent (hEvent=0x108) returned 1 [0037.145] SetEvent (hEvent=0x104) returned 1 [0037.145] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.145] ResetEvent (hEvent=0x108) returned 1 [0037.145] SetEvent (hEvent=0x104) returned 1 [0037.145] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.146] ResetEvent (hEvent=0x108) returned 1 [0037.146] SetEvent (hEvent=0x104) returned 1 [0037.146] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.146] ResetEvent (hEvent=0x108) returned 1 [0037.146] SetEvent (hEvent=0x104) returned 1 [0037.146] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.146] ResetEvent (hEvent=0x108) returned 1 [0037.146] SetEvent (hEvent=0x104) returned 1 [0037.146] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.147] ResetEvent (hEvent=0x108) returned 1 [0037.147] SetEvent (hEvent=0x104) returned 1 [0037.147] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.147] ResetEvent (hEvent=0x108) returned 1 [0037.147] SetEvent (hEvent=0x104) returned 1 [0037.147] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.147] ResetEvent (hEvent=0x108) returned 1 [0037.147] SetEvent (hEvent=0x104) returned 1 [0037.147] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.148] ResetEvent (hEvent=0x108) returned 1 [0037.148] SetEvent (hEvent=0x104) returned 1 [0037.148] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.148] ResetEvent (hEvent=0x108) returned 1 [0037.148] SetEvent (hEvent=0x104) returned 1 [0037.148] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.149] ResetEvent (hEvent=0x108) returned 1 [0037.149] SetEvent (hEvent=0x104) returned 1 [0037.149] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.149] ResetEvent (hEvent=0x108) returned 1 [0037.149] SetEvent (hEvent=0x104) returned 1 [0037.149] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.149] ResetEvent (hEvent=0x108) returned 1 [0037.149] SetEvent (hEvent=0x104) returned 1 [0037.149] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.150] ResetEvent (hEvent=0x108) returned 1 [0037.150] SetEvent (hEvent=0x104) returned 1 [0037.150] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.150] ResetEvent (hEvent=0x108) returned 1 [0037.150] SetEvent (hEvent=0x104) returned 1 [0037.150] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.151] ResetEvent (hEvent=0x108) returned 1 [0037.151] SetEvent (hEvent=0x104) returned 1 [0037.151] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.151] ResetEvent (hEvent=0x108) returned 1 [0037.151] SetEvent (hEvent=0x104) returned 1 [0037.151] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.151] ResetEvent (hEvent=0x108) returned 1 [0037.151] SetEvent (hEvent=0x104) returned 1 [0037.151] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.152] ResetEvent (hEvent=0x108) returned 1 [0037.152] SetEvent (hEvent=0x104) returned 1 [0037.152] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.152] ResetEvent (hEvent=0x108) returned 1 [0037.152] SetEvent (hEvent=0x104) returned 1 [0037.152] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.152] ResetEvent (hEvent=0x108) returned 1 [0037.152] SetEvent (hEvent=0x104) returned 1 [0037.152] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.153] ResetEvent (hEvent=0x108) returned 1 [0037.153] SetEvent (hEvent=0x104) returned 1 [0037.153] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.153] ResetEvent (hEvent=0x108) returned 1 [0037.153] SetEvent (hEvent=0x104) returned 1 [0037.153] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.153] ResetEvent (hEvent=0x108) returned 1 [0037.153] SetEvent (hEvent=0x104) returned 1 [0037.153] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.154] ResetEvent (hEvent=0x108) returned 1 [0037.154] SetEvent (hEvent=0x104) returned 1 [0037.154] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.154] ResetEvent (hEvent=0x108) returned 1 [0037.154] SetEvent (hEvent=0x104) returned 1 [0037.154] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.154] ResetEvent (hEvent=0x108) returned 1 [0037.154] SetEvent (hEvent=0x104) returned 1 [0037.154] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.155] ResetEvent (hEvent=0x108) returned 1 [0037.155] SetEvent (hEvent=0x104) returned 1 [0037.155] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.155] ResetEvent (hEvent=0x108) returned 1 [0037.155] SetEvent (hEvent=0x104) returned 1 [0037.155] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.155] ResetEvent (hEvent=0x108) returned 1 [0037.155] SetEvent (hEvent=0x104) returned 1 [0037.155] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.156] ResetEvent (hEvent=0x108) returned 1 [0037.156] SetEvent (hEvent=0x104) returned 1 [0037.156] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.156] ResetEvent (hEvent=0x108) returned 1 [0037.156] SetEvent (hEvent=0x104) returned 1 [0037.156] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.157] ResetEvent (hEvent=0x108) returned 1 [0037.157] SetEvent (hEvent=0x104) returned 1 [0037.157] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.157] ResetEvent (hEvent=0x108) returned 1 [0037.157] SetEvent (hEvent=0x104) returned 1 [0037.157] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.157] ResetEvent (hEvent=0x108) returned 1 [0037.157] SetEvent (hEvent=0x104) returned 1 [0037.157] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.157] ResetEvent (hEvent=0x108) returned 1 [0037.158] SetEvent (hEvent=0x104) returned 1 [0037.158] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.158] ResetEvent (hEvent=0x108) returned 1 [0037.158] SetEvent (hEvent=0x104) returned 1 [0037.158] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.158] ResetEvent (hEvent=0x108) returned 1 [0037.158] SetEvent (hEvent=0x104) returned 1 [0037.158] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x1f4) returned 0x0 [0037.164] GetExitCodeProcess (in: hProcess=0x188, lpExitCode=0x151f5e8 | out: lpExitCode=0x151f5e8*=0x103) returned 1 [0037.164] NtDuplicateObject (in: SourceProcessHandle=0x188, SourceHandle=0x4, TargetProcessHandle=0xffffffff, TargetHandle=0x151f648, DesiredAccess=0x80000000, HandleAttributes=0x0, Options=0x0 | out: TargetHandle=0x151f648*=0x0) returned 0xc0000022 [0037.164] NtDuplicateObject (in: SourceProcessHandle=0x188, SourceHandle=0x8, TargetProcessHandle=0xffffffff, TargetHandle=0x151f648, DesiredAccess=0x80000000, HandleAttributes=0x0, Options=0x0 | out: TargetHandle=0x151f648*=0x18c) returned 0x0 [0037.168] GetExitCodeProcess (in: hProcess=0x18c, lpExitCode=0x151f5e8 | out: lpExitCode=0x151f5e8*=0x103) returned 1 [0037.169] NtDuplicateObject (in: SourceProcessHandle=0x18c, SourceHandle=0x4, TargetProcessHandle=0xffffffff, TargetHandle=0x151f648, DesiredAccess=0x80000000, HandleAttributes=0x0, Options=0x0 | out: TargetHandle=0x151f648*=0x0) returned 0xc0000022 [0037.169] NtDuplicateObject (in: SourceProcessHandle=0x18c, SourceHandle=0x8, TargetProcessHandle=0xffffffff, TargetHandle=0x151f648, DesiredAccess=0x80000000, HandleAttributes=0x0, Options=0x0 | out: TargetHandle=0x151f648*=0x190) returned 0x0 [0037.224] GetExitCodeProcess (in: hProcess=0x190, lpExitCode=0x151f5e8 | out: lpExitCode=0x151f5e8*=0x103) returned 1 [0037.224] NtDuplicateObject (in: SourceProcessHandle=0x190, SourceHandle=0x4, TargetProcessHandle=0xffffffff, TargetHandle=0x151f648, DesiredAccess=0x80000000, HandleAttributes=0x0, Options=0x0 | out: TargetHandle=0x151f648*=0x0) returned 0xc0000022 [0037.224] NtDuplicateObject (in: SourceProcessHandle=0x190, SourceHandle=0x8, TargetProcessHandle=0xffffffff, TargetHandle=0x151f648, DesiredAccess=0x80000000, HandleAttributes=0x0, Options=0x0 | out: TargetHandle=0x151f648*=0x194) returned 0x0 [0037.228] GetExitCodeProcess (in: hProcess=0x194, lpExitCode=0x151f5e8 | out: lpExitCode=0x151f5e8*=0x103) returned 1 [0037.229] NtDuplicateObject (in: SourceProcessHandle=0x194, SourceHandle=0x4, TargetProcessHandle=0xffffffff, TargetHandle=0x151f648, DesiredAccess=0x80000000, HandleAttributes=0x0, Options=0x0 | out: TargetHandle=0x151f648*=0x0) returned 0xc0000022 [0037.229] NtDuplicateObject (in: SourceProcessHandle=0x194, SourceHandle=0x8, TargetProcessHandle=0xffffffff, TargetHandle=0x151f648, DesiredAccess=0x80000000, HandleAttributes=0x0, Options=0x0 | out: TargetHandle=0x151f648*=0x198) returned 0x0 [0037.239] GetExitCodeProcess (in: hProcess=0x198, lpExitCode=0x151f5e8 | out: lpExitCode=0x151f5e8*=0x103) returned 1 [0037.239] NtDuplicateObject (in: SourceProcessHandle=0x198, SourceHandle=0x4, TargetProcessHandle=0xffffffff, TargetHandle=0x151f648, DesiredAccess=0x80000000, HandleAttributes=0x0, Options=0x0 | out: TargetHandle=0x151f648*=0x0) returned 0xc0000022 [0037.239] NtDuplicateObject (in: SourceProcessHandle=0x198, SourceHandle=0x8, TargetProcessHandle=0xffffffff, TargetHandle=0x151f648, DesiredAccess=0x80000000, HandleAttributes=0x0, Options=0x0 | out: TargetHandle=0x151f648*=0x19c) returned 0x0 [0037.265] GetExitCodeProcess (in: hProcess=0x19c, lpExitCode=0x151f5e8 | out: lpExitCode=0x151f5e8*=0x103) returned 1 [0037.265] NtDuplicateObject (in: SourceProcessHandle=0x19c, SourceHandle=0x4, TargetProcessHandle=0xffffffff, TargetHandle=0x151f648, DesiredAccess=0x80000000, HandleAttributes=0x0, Options=0x0 | out: TargetHandle=0x151f648*=0x0) returned 0xc0000022 [0037.265] NtDuplicateObject (in: SourceProcessHandle=0x19c, SourceHandle=0x8, TargetProcessHandle=0xffffffff, TargetHandle=0x151f648, DesiredAccess=0x80000000, HandleAttributes=0x0, Options=0x0 | out: TargetHandle=0x151f648*=0x1a0) returned 0x0 [0037.273] GetExitCodeProcess (in: hProcess=0x1a0, lpExitCode=0x151f5e8 | out: lpExitCode=0x151f5e8*=0x103) returned 1 [0037.273] NtDuplicateObject (in: SourceProcessHandle=0x1a0, SourceHandle=0x4, TargetProcessHandle=0xffffffff, TargetHandle=0x151f648, DesiredAccess=0x80000000, HandleAttributes=0x0, Options=0x0 | out: TargetHandle=0x151f648*=0x0) returned 0xc0000022 [0037.273] NtDuplicateObject (in: SourceProcessHandle=0x1a0, SourceHandle=0x8, TargetProcessHandle=0xffffffff, TargetHandle=0x151f648, DesiredAccess=0x80000000, HandleAttributes=0x0, Options=0x0 | out: TargetHandle=0x151f648*=0x1a4) returned 0x0 [0037.326] GetExitCodeProcess (in: hProcess=0x1a4, lpExitCode=0x151f5e8 | out: lpExitCode=0x151f5e8*=0x103) returned 1 [0037.326] NtDuplicateObject (in: SourceProcessHandle=0x1a4, SourceHandle=0x4, TargetProcessHandle=0xffffffff, TargetHandle=0x151f648, DesiredAccess=0x80000000, HandleAttributes=0x0, Options=0x0 | out: TargetHandle=0x151f648*=0x0) returned 0xc0000022 [0037.327] NtDuplicateObject (in: SourceProcessHandle=0x1a4, SourceHandle=0x8, TargetProcessHandle=0xffffffff, TargetHandle=0x151f648, DesiredAccess=0x80000000, HandleAttributes=0x0, Options=0x0 | out: TargetHandle=0x151f648*=0x1a8) returned 0x0 [0037.339] GetExitCodeProcess (in: hProcess=0x1a8, lpExitCode=0x151f5e8 | out: lpExitCode=0x151f5e8*=0x103) returned 1 [0037.339] NtDuplicateObject (in: SourceProcessHandle=0x1a8, SourceHandle=0x4, TargetProcessHandle=0xffffffff, TargetHandle=0x151f648, DesiredAccess=0x80000000, HandleAttributes=0x0, Options=0x0 | out: TargetHandle=0x151f648*=0x0) returned 0xc0000022 [0037.339] NtDuplicateObject (in: SourceProcessHandle=0x1a8, SourceHandle=0x8, TargetProcessHandle=0xffffffff, TargetHandle=0x151f648, DesiredAccess=0x80000000, HandleAttributes=0x0, Options=0x0 | out: TargetHandle=0x151f648*=0x1ac) returned 0x0 [0037.368] GetExitCodeProcess (in: hProcess=0x1ac, lpExitCode=0x151f5e8 | out: lpExitCode=0x151f5e8*=0x103) returned 1 [0037.368] NtDuplicateObject (in: SourceProcessHandle=0x1ac, SourceHandle=0x4, TargetProcessHandle=0xffffffff, TargetHandle=0x151f648, DesiredAccess=0x80000000, HandleAttributes=0x0, Options=0x0 | out: TargetHandle=0x151f648*=0x0) returned 0xc0000022 [0037.368] NtDuplicateObject (in: SourceProcessHandle=0x1ac, SourceHandle=0x8, TargetProcessHandle=0xffffffff, TargetHandle=0x151f648, DesiredAccess=0x80000000, HandleAttributes=0x0, Options=0x0 | out: TargetHandle=0x151f648*=0x1b0) returned 0x0 [0037.461] GetExitCodeProcess (in: hProcess=0x1b0, lpExitCode=0x151f5e8 | out: lpExitCode=0x151f5e8*=0x103) returned 1 [0037.461] NtDuplicateObject (in: SourceProcessHandle=0x1b0, SourceHandle=0x4, TargetProcessHandle=0xffffffff, TargetHandle=0x151f648, DesiredAccess=0x80000000, HandleAttributes=0x0, Options=0x0 | out: TargetHandle=0x151f648*=0x0) returned 0xc0000022 [0037.461] NtDuplicateObject (in: SourceProcessHandle=0x1b0, SourceHandle=0x8, TargetProcessHandle=0xffffffff, TargetHandle=0x151f648, DesiredAccess=0x80000000, HandleAttributes=0x0, Options=0x0 | out: TargetHandle=0x151f648*=0x1b4) returned 0x0 [0037.503] GetExitCodeProcess (in: hProcess=0x1b4, lpExitCode=0x151f5e8 | out: lpExitCode=0x151f5e8*=0x103) returned 1 [0037.503] NtDuplicateObject (in: SourceProcessHandle=0x1b4, SourceHandle=0x4, TargetProcessHandle=0xffffffff, TargetHandle=0x151f648, DesiredAccess=0x80000000, HandleAttributes=0x0, Options=0x0 | out: TargetHandle=0x151f648*=0x0) returned 0xc0000022 [0037.503] NtDuplicateObject (in: SourceProcessHandle=0x1b4, SourceHandle=0x8, TargetProcessHandle=0xffffffff, TargetHandle=0x151f648, DesiredAccess=0x80000000, HandleAttributes=0x0, Options=0x0 | out: TargetHandle=0x151f648*=0x1b8) returned 0x0 [0037.516] GetExitCodeProcess (in: hProcess=0x1b8, lpExitCode=0x151f5e8 | out: lpExitCode=0x151f5e8*=0x103) returned 1 [0037.516] NtDuplicateObject (in: SourceProcessHandle=0x1b8, SourceHandle=0x4, TargetProcessHandle=0xffffffff, TargetHandle=0x151f648, DesiredAccess=0x80000000, HandleAttributes=0x0, Options=0x0 | out: TargetHandle=0x151f648*=0x0) returned 0xc0000022 [0037.516] NtDuplicateObject (in: SourceProcessHandle=0x1b8, SourceHandle=0x8, TargetProcessHandle=0xffffffff, TargetHandle=0x151f648, DesiredAccess=0x80000000, HandleAttributes=0x0, Options=0x0 | out: TargetHandle=0x151f648*=0x1bc) returned 0x0 [0037.602] GetExitCodeProcess (in: hProcess=0x1bc, lpExitCode=0x151f5e8 | out: lpExitCode=0x151f5e8*=0x103) returned 1 [0037.608] GetExitCodeProcess (in: hProcess=0x1c0, lpExitCode=0x151f5e8 | out: lpExitCode=0x151f5e8*=0x103) returned 1 [0037.608] NtDuplicateObject (in: SourceProcessHandle=0x1c0, SourceHandle=0x4, TargetProcessHandle=0xffffffff, TargetHandle=0x151f648, DesiredAccess=0x80000000, HandleAttributes=0x0, Options=0x0 | out: TargetHandle=0x151f648*=0x0) returned 0xc0000022 [0037.608] NtDuplicateObject (in: SourceProcessHandle=0x1c0, SourceHandle=0x8, TargetProcessHandle=0xffffffff, TargetHandle=0x151f648, DesiredAccess=0x80000000, HandleAttributes=0x0, Options=0x0 | out: TargetHandle=0x151f648*=0x1c4) returned 0x0 [0037.703] GetExitCodeProcess (in: hProcess=0x1c4, lpExitCode=0x151f5e8 | out: lpExitCode=0x151f5e8*=0x103) returned 1 [0037.703] NtDuplicateObject (in: SourceProcessHandle=0x1c4, SourceHandle=0x4, TargetProcessHandle=0xffffffff, TargetHandle=0x151f648, DesiredAccess=0x80000000, HandleAttributes=0x0, Options=0x0 | out: TargetHandle=0x151f648*=0x0) returned 0xc0000022 [0037.703] NtDuplicateObject (in: SourceProcessHandle=0x1c4, SourceHandle=0x8, TargetProcessHandle=0xffffffff, TargetHandle=0x151f648, DesiredAccess=0x80000000, HandleAttributes=0x0, Options=0x0 | out: TargetHandle=0x151f648*=0x1c8) returned 0x0 [0037.706] GetExitCodeProcess (in: hProcess=0x1c8, lpExitCode=0x151f5e8 | out: lpExitCode=0x151f5e8*=0x103) returned 1 [0037.706] NtDuplicateObject (in: SourceProcessHandle=0x1c8, SourceHandle=0x4, TargetProcessHandle=0xffffffff, TargetHandle=0x151f648, DesiredAccess=0x80000000, HandleAttributes=0x0, Options=0x0 | out: TargetHandle=0x151f648*=0x0) returned 0xc0000022 [0037.706] NtDuplicateObject (in: SourceProcessHandle=0x1c8, SourceHandle=0x8, TargetProcessHandle=0xffffffff, TargetHandle=0x151f648, DesiredAccess=0x80000000, HandleAttributes=0x0, Options=0x0 | out: TargetHandle=0x151f648*=0x1cc) returned 0x0 [0037.841] GetExitCodeProcess (in: hProcess=0x1cc, lpExitCode=0x151f5e8 | out: lpExitCode=0x151f5e8*=0x103) returned 1 [0037.841] NtDuplicateObject (in: SourceProcessHandle=0x1cc, SourceHandle=0x4, TargetProcessHandle=0xffffffff, TargetHandle=0x151f648, DesiredAccess=0x80000000, HandleAttributes=0x0, Options=0x0 | out: TargetHandle=0x151f648*=0x0) returned 0xc0000022 [0037.841] NtDuplicateObject (in: SourceProcessHandle=0x1cc, SourceHandle=0x8, TargetProcessHandle=0xffffffff, TargetHandle=0x151f648, DesiredAccess=0x80000000, HandleAttributes=0x0, Options=0x0 | out: TargetHandle=0x151f648*=0x1d0) returned 0x0 [0037.985] GetExitCodeProcess (in: hProcess=0x1d0, lpExitCode=0x151f5e8 | out: lpExitCode=0x151f5e8*=0x103) returned 1 [0037.985] NtDuplicateObject (in: SourceProcessHandle=0x1d0, SourceHandle=0x4, TargetProcessHandle=0xffffffff, TargetHandle=0x151f648, DesiredAccess=0x80000000, HandleAttributes=0x0, Options=0x0 | out: TargetHandle=0x151f648*=0x0) returned 0xc0000022 [0037.985] NtDuplicateObject (in: SourceProcessHandle=0x1d0, SourceHandle=0x8, TargetProcessHandle=0xffffffff, TargetHandle=0x151f648, DesiredAccess=0x80000000, HandleAttributes=0x0, Options=0x0 | out: TargetHandle=0x151f648*=0x1d4) returned 0x0 [0037.989] GetExitCodeProcess (in: hProcess=0x1d4, lpExitCode=0x151f5e8 | out: lpExitCode=0x151f5e8*=0x103) returned 1 [0037.989] NtDuplicateObject (in: SourceProcessHandle=0x1d4, SourceHandle=0x4, TargetProcessHandle=0xffffffff, TargetHandle=0x151f648, DesiredAccess=0x80000000, HandleAttributes=0x0, Options=0x0 | out: TargetHandle=0x151f648*=0x0) returned 0xc0000022 [0037.989] NtDuplicateObject (in: SourceProcessHandle=0x1d4, SourceHandle=0x8, TargetProcessHandle=0xffffffff, TargetHandle=0x151f648, DesiredAccess=0x80000000, HandleAttributes=0x0, Options=0x0 | out: TargetHandle=0x151f648*=0x1d8) returned 0x0 [0038.001] GetExitCodeProcess (in: hProcess=0x1d8, lpExitCode=0x151f5e8 | out: lpExitCode=0x151f5e8*=0x103) returned 1 [0038.001] NtDuplicateObject (in: SourceProcessHandle=0x1d8, SourceHandle=0x4, TargetProcessHandle=0xffffffff, TargetHandle=0x151f648, DesiredAccess=0x80000000, HandleAttributes=0x0, Options=0x0 | out: TargetHandle=0x151f648*=0x0) returned 0xc0000022 [0038.001] NtDuplicateObject (in: SourceProcessHandle=0x1d8, SourceHandle=0x8, TargetProcessHandle=0xffffffff, TargetHandle=0x151f648, DesiredAccess=0x80000000, HandleAttributes=0x0, Options=0x0 | out: TargetHandle=0x151f648*=0x1dc) returned 0x0 [0038.002] GetExitCodeProcess (in: hProcess=0x1dc, lpExitCode=0x151f5e8 | out: lpExitCode=0x151f5e8*=0x103) returned 1 [0038.002] NtDuplicateObject (in: SourceProcessHandle=0x1dc, SourceHandle=0x4, TargetProcessHandle=0xffffffff, TargetHandle=0x151f648, DesiredAccess=0x80000000, HandleAttributes=0x0, Options=0x0 | out: TargetHandle=0x151f648*=0x0) returned 0xc0000022 [0038.002] NtDuplicateObject (in: SourceProcessHandle=0x1dc, SourceHandle=0x8, TargetProcessHandle=0xffffffff, TargetHandle=0x151f648, DesiredAccess=0x80000000, HandleAttributes=0x0, Options=0x0 | out: TargetHandle=0x151f648*=0x1e0) returned 0x0 [0038.003] GetExitCodeProcess (in: hProcess=0x1e0, lpExitCode=0x151f5e8 | out: lpExitCode=0x151f5e8*=0x103) returned 1 [0038.003] NtDuplicateObject (in: SourceProcessHandle=0x1e0, SourceHandle=0x4, TargetProcessHandle=0xffffffff, TargetHandle=0x151f648, DesiredAccess=0x80000000, HandleAttributes=0x0, Options=0x0 | out: TargetHandle=0x151f648*=0x0) returned 0xc0000022 [0038.003] NtDuplicateObject (in: SourceProcessHandle=0x1e0, SourceHandle=0x8, TargetProcessHandle=0xffffffff, TargetHandle=0x151f648, DesiredAccess=0x80000000, HandleAttributes=0x0, Options=0x0 | out: TargetHandle=0x151f648*=0x1e4) returned 0x0 [0038.003] GetExitCodeProcess (in: hProcess=0x1e4, lpExitCode=0x151f5e8 | out: lpExitCode=0x151f5e8*=0x103) returned 1 [0038.003] NtDuplicateObject (in: SourceProcessHandle=0x1e4, SourceHandle=0x4, TargetProcessHandle=0xffffffff, TargetHandle=0x151f648, DesiredAccess=0x80000000, HandleAttributes=0x0, Options=0x0 | out: TargetHandle=0x151f648*=0x0) returned 0xc0000022 [0038.004] NtDuplicateObject (in: SourceProcessHandle=0x1e4, SourceHandle=0x8, TargetProcessHandle=0xffffffff, TargetHandle=0x151f648, DesiredAccess=0x80000000, HandleAttributes=0x0, Options=0x0 | out: TargetHandle=0x151f648*=0x1e8) returned 0x0 [0038.005] GetExitCodeProcess (in: hProcess=0x1e8, lpExitCode=0x151f5e8 | out: lpExitCode=0x151f5e8*=0x103) returned 1 [0038.006] NtDuplicateObject (in: SourceProcessHandle=0x1e8, SourceHandle=0x4, TargetProcessHandle=0xffffffff, TargetHandle=0x151f648, DesiredAccess=0x80000000, HandleAttributes=0x0, Options=0x0 | out: TargetHandle=0x151f648*=0x0) returned 0xc0000022 [0038.006] NtDuplicateObject (in: SourceProcessHandle=0x1e8, SourceHandle=0x8, TargetProcessHandle=0xffffffff, TargetHandle=0x151f648, DesiredAccess=0x80000000, HandleAttributes=0x0, Options=0x0 | out: TargetHandle=0x151f648*=0x1ec) returned 0x0 [0038.006] GetExitCodeProcess (in: hProcess=0x1ec, lpExitCode=0x151f5e8 | out: lpExitCode=0x151f5e8*=0x103) returned 1 [0038.006] NtDuplicateObject (in: SourceProcessHandle=0x1ec, SourceHandle=0x4, TargetProcessHandle=0xffffffff, TargetHandle=0x151f648, DesiredAccess=0x80000000, HandleAttributes=0x0, Options=0x0 | out: TargetHandle=0x151f648*=0x0) returned 0xc0000022 [0038.006] NtDuplicateObject (in: SourceProcessHandle=0x1ec, SourceHandle=0x8, TargetProcessHandle=0xffffffff, TargetHandle=0x151f648, DesiredAccess=0x80000000, HandleAttributes=0x0, Options=0x0 | out: TargetHandle=0x151f648*=0x1f0) returned 0x0 [0038.007] GetExitCodeProcess (in: hProcess=0x1f0, lpExitCode=0x151f5e8 | out: lpExitCode=0x151f5e8*=0x103) returned 1 [0038.007] NtDuplicateObject (in: SourceProcessHandle=0x1f0, SourceHandle=0x4, TargetProcessHandle=0xffffffff, TargetHandle=0x151f648, DesiredAccess=0x80000000, HandleAttributes=0x0, Options=0x0 | out: TargetHandle=0x151f648*=0x0) returned 0xc0000022 [0038.007] NtDuplicateObject (in: SourceProcessHandle=0x1f0, SourceHandle=0x8, TargetProcessHandle=0xffffffff, TargetHandle=0x151f648, DesiredAccess=0x80000000, HandleAttributes=0x0, Options=0x0 | out: TargetHandle=0x151f648*=0x1f4) returned 0x0 [0038.008] GetExitCodeProcess (in: hProcess=0x1f4, lpExitCode=0x151f5e8 | out: lpExitCode=0x151f5e8*=0x103) returned 1 [0038.008] NtDuplicateObject (in: SourceProcessHandle=0x1f4, SourceHandle=0x4, TargetProcessHandle=0xffffffff, TargetHandle=0x151f648, DesiredAccess=0x80000000, HandleAttributes=0x0, Options=0x0 | out: TargetHandle=0x151f648*=0x0) returned 0xc0000022 [0038.008] NtDuplicateObject (in: SourceProcessHandle=0x1f4, SourceHandle=0x8, TargetProcessHandle=0xffffffff, TargetHandle=0x151f648, DesiredAccess=0x80000000, HandleAttributes=0x0, Options=0x0 | out: TargetHandle=0x151f648*=0x1f8) returned 0x0 [0038.010] GetExitCodeProcess (in: hProcess=0x1f8, lpExitCode=0x151f5e8 | out: lpExitCode=0x151f5e8*=0x103) returned 1 [0038.010] NtDuplicateObject (in: SourceProcessHandle=0x1f8, SourceHandle=0x4, TargetProcessHandle=0xffffffff, TargetHandle=0x151f648, DesiredAccess=0x80000000, HandleAttributes=0x0, Options=0x0 | out: TargetHandle=0x151f648*=0x0) returned 0xc0000022 [0038.010] NtDuplicateObject (in: SourceProcessHandle=0x1f8, SourceHandle=0x8, TargetProcessHandle=0xffffffff, TargetHandle=0x151f648, DesiredAccess=0x80000000, HandleAttributes=0x0, Options=0x0 | out: TargetHandle=0x151f648*=0x1fc) returned 0x0 [0038.011] GetExitCodeProcess (in: hProcess=0x1fc, lpExitCode=0x151f5e8 | out: lpExitCode=0x151f5e8*=0x103) returned 1 [0038.012] GetExitCodeProcess (in: hProcess=0x200, lpExitCode=0x151f5e8 | out: lpExitCode=0x151f5e8*=0x103) returned 1 [0038.012] NtDuplicateObject (in: SourceProcessHandle=0x200, SourceHandle=0x4, TargetProcessHandle=0xffffffff, TargetHandle=0x151f648, DesiredAccess=0x80000000, HandleAttributes=0x0, Options=0x0 | out: TargetHandle=0x151f648*=0x0) returned 0xc0000022 [0038.012] NtDuplicateObject (in: SourceProcessHandle=0x200, SourceHandle=0x8, TargetProcessHandle=0xffffffff, TargetHandle=0x151f648, DesiredAccess=0x80000000, HandleAttributes=0x0, Options=0x0 | out: TargetHandle=0x151f648*=0x204) returned 0x0 [0038.013] GetExitCodeProcess (in: hProcess=0x204, lpExitCode=0x151f5e8 | out: lpExitCode=0x151f5e8*=0x103) returned 1 [0038.013] NtDuplicateObject (in: SourceProcessHandle=0x204, SourceHandle=0x4, TargetProcessHandle=0xffffffff, TargetHandle=0x151f648, DesiredAccess=0x80000000, HandleAttributes=0x0, Options=0x0 | out: TargetHandle=0x151f648*=0x0) returned 0xc0000022 [0038.013] NtDuplicateObject (in: SourceProcessHandle=0x204, SourceHandle=0x8, TargetProcessHandle=0xffffffff, TargetHandle=0x151f648, DesiredAccess=0x80000000, HandleAttributes=0x0, Options=0x0 | out: TargetHandle=0x151f648*=0x208) returned 0x0 [0038.056] GetExitCodeProcess (in: hProcess=0x208, lpExitCode=0x151f5e8 | out: lpExitCode=0x151f5e8*=0x103) returned 1 [0038.056] NtDuplicateObject (in: SourceProcessHandle=0x208, SourceHandle=0x4, TargetProcessHandle=0xffffffff, TargetHandle=0x151f648, DesiredAccess=0x80000000, HandleAttributes=0x0, Options=0x0 | out: TargetHandle=0x151f648*=0x0) returned 0xc0000022 [0038.057] NtDuplicateObject (in: SourceProcessHandle=0x208, SourceHandle=0x8, TargetProcessHandle=0xffffffff, TargetHandle=0x151f648, DesiredAccess=0x80000000, HandleAttributes=0x0, Options=0x0 | out: TargetHandle=0x151f648*=0x20c) returned 0x0 [0038.057] GetExitCodeProcess (in: hProcess=0x20c, lpExitCode=0x151f5e8 | out: lpExitCode=0x151f5e8*=0x103) returned 1 [0038.057] NtDuplicateObject (in: SourceProcessHandle=0x20c, SourceHandle=0x4, TargetProcessHandle=0xffffffff, TargetHandle=0x151f648, DesiredAccess=0x80000000, HandleAttributes=0x0, Options=0x0 | out: TargetHandle=0x151f648*=0x0) returned 0xc0000022 [0038.057] NtDuplicateObject (in: SourceProcessHandle=0x20c, SourceHandle=0x8, TargetProcessHandle=0xffffffff, TargetHandle=0x151f648, DesiredAccess=0x80000000, HandleAttributes=0x0, Options=0x0 | out: TargetHandle=0x151f648*=0x210) returned 0x0 [0038.060] GetExitCodeProcess (in: hProcess=0x210, lpExitCode=0x151f5e8 | out: lpExitCode=0x151f5e8*=0x103) returned 1 [0038.060] NtDuplicateObject (in: SourceProcessHandle=0x210, SourceHandle=0x4, TargetProcessHandle=0xffffffff, TargetHandle=0x151f648, DesiredAccess=0x80000000, HandleAttributes=0x0, Options=0x0 | out: TargetHandle=0x151f648*=0x0) returned 0xc0000022 [0038.060] NtDuplicateObject (in: SourceProcessHandle=0x210, SourceHandle=0x8, TargetProcessHandle=0xffffffff, TargetHandle=0x151f648, DesiredAccess=0x80000000, HandleAttributes=0x0, Options=0x0 | out: TargetHandle=0x151f648*=0x214) returned 0x0 [0038.061] GetExitCodeProcess (in: hProcess=0x214, lpExitCode=0x151f5e8 | out: lpExitCode=0x151f5e8*=0x103) returned 1 [0038.061] NtDuplicateObject (in: SourceProcessHandle=0x214, SourceHandle=0x4, TargetProcessHandle=0xffffffff, TargetHandle=0x151f648, DesiredAccess=0x80000000, HandleAttributes=0x0, Options=0x0 | out: TargetHandle=0x151f648*=0x0) returned 0xc0000022 [0038.061] NtDuplicateObject (in: SourceProcessHandle=0x214, SourceHandle=0x8, TargetProcessHandle=0xffffffff, TargetHandle=0x151f648, DesiredAccess=0x80000000, HandleAttributes=0x0, Options=0x0 | out: TargetHandle=0x151f648*=0x218) returned 0x0 [0038.062] GetExitCodeProcess (in: hProcess=0x218, lpExitCode=0x151f5e8 | out: lpExitCode=0x151f5e8*=0x103) returned 1 [0038.062] NtDuplicateObject (in: SourceProcessHandle=0x218, SourceHandle=0x4, TargetProcessHandle=0xffffffff, TargetHandle=0x151f648, DesiredAccess=0x80000000, HandleAttributes=0x0, Options=0x0 | out: TargetHandle=0x151f648*=0x0) returned 0xc0000022 [0038.062] NtDuplicateObject (in: SourceProcessHandle=0x218, SourceHandle=0x8, TargetProcessHandle=0xffffffff, TargetHandle=0x151f648, DesiredAccess=0x80000000, HandleAttributes=0x0, Options=0x0 | out: TargetHandle=0x151f648*=0x21c) returned 0x0 [0038.063] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x151f5e8 | out: lpExitCode=0x151f5e8*=0x103) returned 1 [0038.063] NtDuplicateObject (in: SourceProcessHandle=0x21c, SourceHandle=0x4, TargetProcessHandle=0xffffffff, TargetHandle=0x151f648, DesiredAccess=0x80000000, HandleAttributes=0x0, Options=0x0 | out: TargetHandle=0x151f648*=0x0) returned 0xc0000022 [0038.063] NtDuplicateObject (in: SourceProcessHandle=0x21c, SourceHandle=0x8, TargetProcessHandle=0xffffffff, TargetHandle=0x151f648, DesiredAccess=0x80000000, HandleAttributes=0x0, Options=0x0 | out: TargetHandle=0x151f648*=0x220) returned 0x0 [0038.064] GetExitCodeProcess (in: hProcess=0x220, lpExitCode=0x151f5e8 | out: lpExitCode=0x151f5e8*=0x103) returned 1 [0038.064] NtDuplicateObject (in: SourceProcessHandle=0x220, SourceHandle=0x4, TargetProcessHandle=0xffffffff, TargetHandle=0x151f648, DesiredAccess=0x80000000, HandleAttributes=0x0, Options=0x0 | out: TargetHandle=0x151f648*=0x0) returned 0xc0000022 [0038.064] NtDuplicateObject (in: SourceProcessHandle=0x220, SourceHandle=0x8, TargetProcessHandle=0xffffffff, TargetHandle=0x151f648, DesiredAccess=0x80000000, HandleAttributes=0x0, Options=0x0 | out: TargetHandle=0x151f648*=0x224) returned 0x0 [0038.065] GetExitCodeProcess (in: hProcess=0x224, lpExitCode=0x151f5e8 | out: lpExitCode=0x151f5e8*=0x103) returned 1 [0038.065] NtDuplicateObject (in: SourceProcessHandle=0x224, SourceHandle=0x4, TargetProcessHandle=0xffffffff, TargetHandle=0x151f648, DesiredAccess=0x80000000, HandleAttributes=0x0, Options=0x0 | out: TargetHandle=0x151f648*=0x0) returned 0xc0000022 [0038.065] NtDuplicateObject (in: SourceProcessHandle=0x224, SourceHandle=0x8, TargetProcessHandle=0xffffffff, TargetHandle=0x151f648, DesiredAccess=0x80000000, HandleAttributes=0x0, Options=0x0 | out: TargetHandle=0x151f648*=0x228) returned 0x0 [0038.066] GetExitCodeProcess (in: hProcess=0x228, lpExitCode=0x151f5e8 | out: lpExitCode=0x151f5e8*=0x103) returned 1 [0038.066] NtDuplicateObject (in: SourceProcessHandle=0x228, SourceHandle=0x4, TargetProcessHandle=0xffffffff, TargetHandle=0x151f648, DesiredAccess=0x80000000, HandleAttributes=0x0, Options=0x0 | out: TargetHandle=0x151f648*=0x0) returned 0xc0000022 [0038.066] NtDuplicateObject (in: SourceProcessHandle=0x228, SourceHandle=0x8, TargetProcessHandle=0xffffffff, TargetHandle=0x151f648, DesiredAccess=0x80000000, HandleAttributes=0x0, Options=0x0 | out: TargetHandle=0x151f648*=0x22c) returned 0x0 [0038.068] GetExitCodeProcess (in: hProcess=0x22c, lpExitCode=0x151f5e8 | out: lpExitCode=0x151f5e8*=0x103) returned 1 [0038.068] NtDuplicateObject (in: SourceProcessHandle=0x22c, SourceHandle=0x4, TargetProcessHandle=0xffffffff, TargetHandle=0x151f648, DesiredAccess=0x80000000, HandleAttributes=0x0, Options=0x0 | out: TargetHandle=0x151f648*=0x0) returned 0xc0000022 [0038.068] NtDuplicateObject (in: SourceProcessHandle=0x22c, SourceHandle=0x8, TargetProcessHandle=0xffffffff, TargetHandle=0x151f648, DesiredAccess=0x80000000, HandleAttributes=0x0, Options=0x0 | out: TargetHandle=0x151f648*=0x230) returned 0x0 [0038.070] GetExitCodeProcess (in: hProcess=0x230, lpExitCode=0x151f5e8 | out: lpExitCode=0x151f5e8*=0x103) returned 1 [0038.070] NtDuplicateObject (in: SourceProcessHandle=0x230, SourceHandle=0x4, TargetProcessHandle=0xffffffff, TargetHandle=0x151f648, DesiredAccess=0x80000000, HandleAttributes=0x0, Options=0x0 | out: TargetHandle=0x151f648*=0x0) returned 0xc0000022 [0038.070] NtDuplicateObject (in: SourceProcessHandle=0x230, SourceHandle=0x8, TargetProcessHandle=0xffffffff, TargetHandle=0x151f648, DesiredAccess=0x80000000, HandleAttributes=0x0, Options=0x0 | out: TargetHandle=0x151f648*=0x234) returned 0x0 [0038.072] GetExitCodeProcess (in: hProcess=0x234, lpExitCode=0x151f5e8 | out: lpExitCode=0x151f5e8*=0x103) returned 1 [0038.072] NtDuplicateObject (in: SourceProcessHandle=0x234, SourceHandle=0x4, TargetProcessHandle=0xffffffff, TargetHandle=0x151f648, DesiredAccess=0x80000000, HandleAttributes=0x0, Options=0x0 | out: TargetHandle=0x151f648*=0x0) returned 0xc0000022 [0038.072] NtDuplicateObject (in: SourceProcessHandle=0x234, SourceHandle=0x8, TargetProcessHandle=0xffffffff, TargetHandle=0x151f648, DesiredAccess=0x80000000, HandleAttributes=0x0, Options=0x0 | out: TargetHandle=0x151f648*=0x238) returned 0x0 [0038.076] GetExitCodeProcess (in: hProcess=0x238, lpExitCode=0x151f5e8 | out: lpExitCode=0x151f5e8*=0x103) returned 1 [0038.076] NtDuplicateObject (in: SourceProcessHandle=0x238, SourceHandle=0x4, TargetProcessHandle=0xffffffff, TargetHandle=0x151f648, DesiredAccess=0x80000000, HandleAttributes=0x0, Options=0x0 | out: TargetHandle=0x151f648*=0x0) returned 0xc0000022 [0038.076] NtDuplicateObject (in: SourceProcessHandle=0x238, SourceHandle=0x8, TargetProcessHandle=0xffffffff, TargetHandle=0x151f648, DesiredAccess=0x80000000, HandleAttributes=0x0, Options=0x0 | out: TargetHandle=0x151f648*=0x23c) returned 0x0 [0038.078] GetExitCodeProcess (in: hProcess=0x23c, lpExitCode=0x151f5e8 | out: lpExitCode=0x151f5e8*=0x103) returned 1 [0038.083] GetProcessImageFileNameW (in: hProcess=0x17c, lpImageFileName=0xb348b0, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Windows\\System32\\smss.exe") returned 0x31 [0038.083] GetProcessTimes (in: hProcess=0x17c, lpCreationTime=0x151f58c, lpExitTime=0x151f584, lpKernelTime=0x151f584, lpUserTime=0x151f584 | out: lpCreationTime=0x151f58c, lpExitTime=0x151f584, lpKernelTime=0x151f584, lpUserTime=0x151f584) returned 1 [0038.084] OpenProcessToken (in: ProcessHandle=0x17c, DesiredAccess=0x8, TokenHandle=0x151f554 | out: TokenHandle=0x151f554*=0x240) returned 1 [0038.084] GetTokenInformation (in: TokenHandle=0x240, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f550 | out: TokenInformation=0x0, ReturnLength=0x151f550) returned 0 [0038.084] GetTokenInformation (in: TokenHandle=0x240, TokenInformationClass=0x19, TokenInformation=0xb36168, TokenInformationLength=0x14, ReturnLength=0x151f550 | out: TokenInformation=0xb36168, ReturnLength=0x151f550) returned 1 [0038.084] GetSidSubAuthorityCount (pSid=0xb36170*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000)) returned 0xb36171 [0038.084] GetSidSubAuthority (pSid=0xb36170*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000), nSubAuthority=0x0) returned 0xb36178 [0038.089] NtQueryVirtualMemory (in: ProcessHandle=0x17c, Address=0x77860000, VirtualMemoryInformationClass=0x2, VirtualMemoryInformation=0xb1dfc8, Length=0x2800, ResultLength=0x0 | out: VirtualMemoryInformation=0xb1dfc8*(SectionFileName.Length=0x64, SectionFileName.MaximumLength=0x66, SectionFileName.Buffer="\\Device\\HarddiskVolume1\\Windows\\System32\\ntdll.dll"), ResultLength=0x0) returned 0x0 [0038.090] NtQueryVirtualMemory (in: ProcessHandle=0x17c, Address=0x77963000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0x77963000, AllocationBase=0x0, AllocationProtect=0x77860000, RegionSize=0x0, State=0x80, Protect=0xfffff8a0, Type=0x2f000), ResultLength=0x0) returned 0x0 [0038.090] NtQueryVirtualMemory (in: ProcessHandle=0x17c, Address=0x77992000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0x77992000, AllocationBase=0x0, AllocationProtect=0x77860000, RegionSize=0x0, State=0x80, Protect=0xfffff8a0, Type=0x1000), ResultLength=0x0) returned 0x0 [0038.090] NtQueryVirtualMemory (in: ProcessHandle=0x17c, Address=0x77993000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0x77993000, AllocationBase=0x0, AllocationProtect=0x77860000, RegionSize=0x0, State=0x80, Protect=0xfffff8a0, Type=0x1000), ResultLength=0x0) returned 0x0 [0038.091] NtQueryVirtualMemory (in: ProcessHandle=0x17c, Address=0x77994000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0x77994000, AllocationBase=0x0, AllocationProtect=0x77860000, RegionSize=0x0, State=0x80, Protect=0xfffff8a0, Type=0x1000), ResultLength=0x0) returned 0x0 [0038.091] NtQueryVirtualMemory (in: ProcessHandle=0x17c, Address=0x77995000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0x77995000, AllocationBase=0x0, AllocationProtect=0x77860000, RegionSize=0x0, State=0x80, Protect=0xfffff8a0, Type=0x2000), ResultLength=0x0) returned 0x0 [0038.091] NtQueryVirtualMemory (in: ProcessHandle=0x17c, Address=0x77997000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0x77997000, AllocationBase=0x0, AllocationProtect=0x77860000, RegionSize=0x0, State=0x80, Protect=0xfffff8a0, Type=0x1000), ResultLength=0x0) returned 0x0 [0038.091] NtQueryVirtualMemory (in: ProcessHandle=0x17c, Address=0x77998000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0x77998000, AllocationBase=0x0, AllocationProtect=0x77860000, RegionSize=0x0, State=0x80, Protect=0xfffff8a0, Type=0x1000), ResultLength=0x0) returned 0x0 [0038.091] NtQueryVirtualMemory (in: ProcessHandle=0x17c, Address=0x77999000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0x77999000, AllocationBase=0x0, AllocationProtect=0x77860000, RegionSize=0x0, State=0x80, Protect=0xfffff8a0, Type=0x2000), ResultLength=0x0) returned 0x0 [0038.092] NtQueryVirtualMemory (in: ProcessHandle=0x17c, Address=0x7799b000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0x7799b000, AllocationBase=0x0, AllocationProtect=0x77860000, RegionSize=0x0, State=0x80, Protect=0xfffff8a0, Type=0x3000), ResultLength=0x0) returned 0x0 [0038.092] NtQueryVirtualMemory (in: ProcessHandle=0x17c, Address=0x7799e000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0x7799e000, AllocationBase=0x0, AllocationProtect=0x77860000, RegionSize=0x0, State=0x80, Protect=0xfffff8a0, Type=0x6b000), ResultLength=0x0) returned 0x0 [0038.092] NtQueryVirtualMemory (in: ProcessHandle=0x17c, Address=0x77a09000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0x77a09000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x0, State=0x0, Protect=0xfffff8a0, Type=0x75d7000), ResultLength=0x0) returned 0x0 [0038.092] NtQueryVirtualMemory (in: ProcessHandle=0x17c, Address=0x7efe0000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0x7efe0000, AllocationBase=0x0, AllocationProtect=0x7efe0000, RegionSize=0x0, State=0x2, Protect=0xfffff8a0, Type=0x1000000), ResultLength=0x0) returned 0x0 [0038.093] NtQueryVirtualMemory (in: ProcessHandle=0x17c, Address=0x7ffe0000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0x7ffe0000, AllocationBase=0x0, AllocationProtect=0x7ffe0000, RegionSize=0x0, State=0x2, Protect=0xfffff8a0, Type=0x1000), ResultLength=0x0) returned 0x0 [0038.093] NtQueryVirtualMemory (in: ProcessHandle=0x17c, Address=0x7ffe1000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0x7ffe1000, AllocationBase=0x0, AllocationProtect=0x7ffe0000, RegionSize=0x0, State=0x2, Protect=0xfffff8a0, Type=0xf000), ResultLength=0x0) returned 0x0 [0038.093] NtQueryVirtualMemory (in: ProcessHandle=0x17c, Address=0x7fff0000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0x7fff0000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x0, State=0x0, Protect=0xfffff8a0, Type=0x7fb90000), ResultLength=0x0) returned 0x0 [0038.093] NtQueryVirtualMemory (in: ProcessHandle=0x17c, Address=0x7feffb80000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xffb80000, AllocationBase=0x7fe, AllocationProtect=0xffb80000, RegionSize=0x7fe, State=0x80, Protect=0xfffff8a0, Type=0x1000), ResultLength=0x0) returned 0x0 [0038.093] NtQueryVirtualMemory (in: ProcessHandle=0x17c, Address=0x7feffb80000, VirtualMemoryInformationClass=0x2, VirtualMemoryInformation=0xb1dfc8, Length=0x2800, ResultLength=0x0 | out: VirtualMemoryInformation=0xb1dfc8*(SectionFileName.Length=0x72, SectionFileName.MaximumLength=0x74, SectionFileName.Buffer="\\Device\\HarddiskVolume1\\Windows\\System32\\apisetschema.dll"), ResultLength=0x0) returned 0x0 [0038.095] GetProcessImageFileNameW (in: hProcess=0x148, lpImageFileName=0xb348b0, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Windows\\System32\\csrss.exe") returned 0x32 [0038.095] GetProcessTimes (in: hProcess=0x148, lpCreationTime=0x151f58c, lpExitTime=0x151f584, lpKernelTime=0x151f584, lpUserTime=0x151f584 | out: lpCreationTime=0x151f58c, lpExitTime=0x151f584, lpKernelTime=0x151f584, lpUserTime=0x151f584) returned 1 [0038.095] OpenProcessToken (in: ProcessHandle=0x148, DesiredAccess=0x8, TokenHandle=0x151f554 | out: TokenHandle=0x151f554*=0x240) returned 1 [0038.095] GetTokenInformation (in: TokenHandle=0x240, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f550 | out: TokenInformation=0x0, ReturnLength=0x151f550) returned 0 [0038.095] GetTokenInformation (in: TokenHandle=0x240, TokenInformationClass=0x19, TokenInformation=0xadca60, TokenInformationLength=0x14, ReturnLength=0x151f550 | out: TokenInformation=0xadca60, ReturnLength=0x151f550) returned 1 [0038.095] GetSidSubAuthorityCount (pSid=0xadca68*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000)) returned 0xadca69 [0038.095] GetSidSubAuthority (pSid=0xadca68*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000), nSubAuthority=0x0) returned 0xadca70 [0038.099] NtQueryVirtualMemory (in: ProcessHandle=0x148, Address=0x776c2000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0x776c2000, AllocationBase=0x0, AllocationProtect=0x77640000, RegionSize=0x0, State=0x80, Protect=0xfffff8a0, Type=0x10000), ResultLength=0x0) returned 0x0 [0038.099] NtQueryVirtualMemory (in: ProcessHandle=0x148, Address=0x776d2000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0x776d2000, AllocationBase=0x0, AllocationProtect=0x77640000, RegionSize=0x0, State=0x80, Protect=0xfffff8a0, Type=0x2000), ResultLength=0x0) returned 0x0 [0038.099] NtQueryVirtualMemory (in: ProcessHandle=0x148, Address=0x776d4000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0x776d4000, AllocationBase=0x0, AllocationProtect=0x77640000, RegionSize=0x0, State=0x80, Protect=0xfffff8a0, Type=0x66000), ResultLength=0x0) returned 0x0 [0038.099] NtQueryVirtualMemory (in: ProcessHandle=0x148, Address=0x7773a000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0x7773a000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x0, State=0x0, Protect=0xfffff8a0, Type=0x6000), ResultLength=0x0) returned 0x0 [0038.099] NtQueryVirtualMemory (in: ProcessHandle=0x148, Address=0x77740000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0x77740000, AllocationBase=0x0, AllocationProtect=0x77740000, RegionSize=0x0, State=0x80, Protect=0xfffff8a0, Type=0x1000), ResultLength=0x0) returned 0x0 [0038.099] NtQueryVirtualMemory (in: ProcessHandle=0x148, Address=0x77740000, VirtualMemoryInformationClass=0x2, VirtualMemoryInformation=0xb1dfc8, Length=0x2800, ResultLength=0x0 | out: VirtualMemoryInformation=0xb1dfc8*(SectionFileName.Length=0x6a, SectionFileName.MaximumLength=0x6c, SectionFileName.Buffer="\\Device\\HarddiskVolume1\\Windows\\System32\\kernel32.dll"), ResultLength=0x0) returned 0x0 [0038.100] NtQueryVirtualMemory (in: ProcessHandle=0x148, Address=0x777dc000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0x777dc000, AllocationBase=0x0, AllocationProtect=0x77740000, RegionSize=0x0, State=0x80, Protect=0xfffff8a0, Type=0x6e000), ResultLength=0x0) returned 0x0 [0038.100] NtQueryVirtualMemory (in: ProcessHandle=0x148, Address=0x7784a000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0x7784a000, AllocationBase=0x0, AllocationProtect=0x77740000, RegionSize=0x0, State=0x80, Protect=0xfffff8a0, Type=0x2000), ResultLength=0x0) returned 0x0 [0038.100] NtQueryVirtualMemory (in: ProcessHandle=0x148, Address=0x7784c000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0x7784c000, AllocationBase=0x0, AllocationProtect=0x77740000, RegionSize=0x0, State=0x80, Protect=0xfffff8a0, Type=0x13000), ResultLength=0x0) returned 0x0 [0038.100] NtQueryVirtualMemory (in: ProcessHandle=0x148, Address=0x7785f000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0x7785f000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x0, State=0x0, Protect=0xfffff8a0, Type=0x1000), ResultLength=0x0) returned 0x0 [0038.100] NtQueryVirtualMemory (in: ProcessHandle=0x148, Address=0x77860000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0x77860000, AllocationBase=0x0, AllocationProtect=0x77860000, RegionSize=0x0, State=0x80, Protect=0xfffff8a0, Type=0x1000), ResultLength=0x0) returned 0x0 [0038.100] NtQueryVirtualMemory (in: ProcessHandle=0x148, Address=0x77860000, VirtualMemoryInformationClass=0x2, VirtualMemoryInformation=0xb1dfc8, Length=0x2800, ResultLength=0x0 | out: VirtualMemoryInformation=0xb1dfc8*(SectionFileName.Length=0x64, SectionFileName.MaximumLength=0x66, SectionFileName.Buffer="\\Device\\HarddiskVolume1\\Windows\\System32\\ntdll.dll"), ResultLength=0x0) returned 0x0 [0038.100] NtQueryVirtualMemory (in: ProcessHandle=0x148, Address=0x77963000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0x77963000, AllocationBase=0x0, AllocationProtect=0x77860000, RegionSize=0x0, State=0x80, Protect=0xfffff8a0, Type=0x2f000), ResultLength=0x0) returned 0x0 [0038.100] NtQueryVirtualMemory (in: ProcessHandle=0x148, Address=0x77992000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0x77992000, AllocationBase=0x0, AllocationProtect=0x77860000, RegionSize=0x0, State=0x80, Protect=0xfffff8a0, Type=0x1000), ResultLength=0x0) returned 0x0 [0038.100] NtQueryVirtualMemory (in: ProcessHandle=0x148, Address=0x77993000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0x77993000, AllocationBase=0x0, AllocationProtect=0x77860000, RegionSize=0x0, State=0x80, Protect=0xfffff8a0, Type=0x1000), ResultLength=0x0) returned 0x0 [0038.100] NtQueryVirtualMemory (in: ProcessHandle=0x148, Address=0x77994000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0x77994000, AllocationBase=0x0, AllocationProtect=0x77860000, RegionSize=0x0, State=0x80, Protect=0xfffff8a0, Type=0x1000), ResultLength=0x0) returned 0x0 [0038.100] NtQueryVirtualMemory (in: ProcessHandle=0x148, Address=0x77995000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0x77995000, AllocationBase=0x0, AllocationProtect=0x77860000, RegionSize=0x0, State=0x80, Protect=0xfffff8a0, Type=0x2000), ResultLength=0x0) returned 0x0 [0038.100] NtQueryVirtualMemory (in: ProcessHandle=0x148, Address=0x77997000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0x77997000, AllocationBase=0x0, AllocationProtect=0x77860000, RegionSize=0x0, State=0x80, Protect=0xfffff8a0, Type=0x1000), ResultLength=0x0) returned 0x0 [0038.100] NtQueryVirtualMemory (in: ProcessHandle=0x148, Address=0x77998000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0x77998000, AllocationBase=0x0, AllocationProtect=0x77860000, RegionSize=0x0, State=0x80, Protect=0xfffff8a0, Type=0x1000), ResultLength=0x0) returned 0x0 [0038.101] NtQueryVirtualMemory (in: ProcessHandle=0x148, Address=0x77999000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0x77999000, AllocationBase=0x0, AllocationProtect=0x77860000, RegionSize=0x0, State=0x80, Protect=0xfffff8a0, Type=0x2000), ResultLength=0x0) returned 0x0 [0038.101] NtQueryVirtualMemory (in: ProcessHandle=0x148, Address=0x7799b000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0x7799b000, AllocationBase=0x0, AllocationProtect=0x77860000, RegionSize=0x0, State=0x80, Protect=0xfffff8a0, Type=0x3000), ResultLength=0x0) returned 0x0 [0038.101] NtQueryVirtualMemory (in: ProcessHandle=0x148, Address=0x7799e000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0x7799e000, AllocationBase=0x0, AllocationProtect=0x77860000, RegionSize=0x0, State=0x80, Protect=0xfffff8a0, Type=0x6b000), ResultLength=0x0) returned 0x0 [0038.101] NtQueryVirtualMemory (in: ProcessHandle=0x148, Address=0x77a09000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0x77a09000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x0, State=0x0, Protect=0xfffff8a0, Type=0x75d7000), ResultLength=0x0) returned 0x0 [0038.101] NtQueryVirtualMemory (in: ProcessHandle=0x148, Address=0x7efe0000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0x7efe0000, AllocationBase=0x0, AllocationProtect=0x7efe0000, RegionSize=0x0, State=0x4, Protect=0xfffff8a0, Type=0x5000), ResultLength=0x0) returned 0x0 [0038.101] NtQueryVirtualMemory (in: ProcessHandle=0x148, Address=0x7efe0000, VirtualMemoryInformationClass=0x2, VirtualMemoryInformation=0xb1dfc8, Length=0x2800, ResultLength=0x0 | out: VirtualMemoryInformation=0xb1dfc8, ResultLength=0x0) returned 0xc0000098 [0038.101] NtQueryVirtualMemory (in: ProcessHandle=0x148, Address=0x7efe5000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0x7efe5000, AllocationBase=0x0, AllocationProtect=0x7efe0000, RegionSize=0x0, State=0x4, Protect=0xfffff8a0, Type=0xfb000), ResultLength=0x0) returned 0x0 [0038.101] NtQueryVirtualMemory (in: ProcessHandle=0x148, Address=0x7f0e0000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0x7f0e0000, AllocationBase=0x0, AllocationProtect=0x7f0e0000, RegionSize=0x0, State=0x2, Protect=0xfffff8a0, Type=0xf00000), ResultLength=0x0) returned 0x0 [0038.101] NtQueryVirtualMemory (in: ProcessHandle=0x148, Address=0x7ffe0000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0x7ffe0000, AllocationBase=0x0, AllocationProtect=0x7ffe0000, RegionSize=0x0, State=0x2, Protect=0xfffff8a0, Type=0x1000), ResultLength=0x0) returned 0x0 [0038.101] NtQueryVirtualMemory (in: ProcessHandle=0x148, Address=0x7ffe1000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0x7ffe1000, AllocationBase=0x0, AllocationProtect=0x7ffe0000, RegionSize=0x0, State=0x2, Protect=0xfffff8a0, Type=0xf000), ResultLength=0x0) returned 0x0 [0038.101] NtQueryVirtualMemory (in: ProcessHandle=0x148, Address=0x7fff0000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0x7fff0000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x0, State=0x0, Protect=0xfffff8a0, Type=0x7d6b0000), ResultLength=0x0) returned 0x0 [0038.101] NtQueryVirtualMemory (in: ProcessHandle=0x148, Address=0x7fefd6a0000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xfd6a0000, AllocationBase=0x7fe, AllocationProtect=0xfd6a0000, RegionSize=0x7fe, State=0x80, Protect=0xfffff8a0, Type=0x1000), ResultLength=0x0) returned 0x0 [0038.101] NtQueryVirtualMemory (in: ProcessHandle=0x148, Address=0x7fefd6a0000, VirtualMemoryInformationClass=0x2, VirtualMemoryInformation=0xb1dfc8, Length=0x2800, ResultLength=0x0 | out: VirtualMemoryInformation=0xb1dfc8*(SectionFileName.Length=0x6c, SectionFileName.MaximumLength=0x6e, SectionFileName.Buffer="\\Device\\HarddiskVolume1\\Windows\\System32\\cryptbase.dll"), ResultLength=0x0) returned 0x0 [0038.101] NtQueryVirtualMemory (in: ProcessHandle=0x148, Address=0x7fefd6ab000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xfd6ab000, AllocationBase=0x7fe, AllocationProtect=0xfd6a0000, RegionSize=0x7fe, State=0x80, Protect=0xfffff8a0, Type=0x1000), ResultLength=0x0) returned 0x0 [0038.101] NtQueryVirtualMemory (in: ProcessHandle=0x148, Address=0x7fefd6ac000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xfd6ac000, AllocationBase=0x7fe, AllocationProtect=0xfd6a0000, RegionSize=0x7fe, State=0x80, Protect=0xfffff8a0, Type=0x3000), ResultLength=0x0) returned 0x0 [0038.101] NtQueryVirtualMemory (in: ProcessHandle=0x148, Address=0x7fefd6af000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xfd6af000, AllocationBase=0x7fe, AllocationProtect=0x0, RegionSize=0x0, State=0x0, Protect=0xfffff8a0, Type=0x1000), ResultLength=0x0) returned 0x0 [0038.102] NtQueryVirtualMemory (in: ProcessHandle=0x148, Address=0x7fefd6b0000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xfd6b0000, AllocationBase=0x7fe, AllocationProtect=0xfd6b0000, RegionSize=0x7fe, State=0x80, Protect=0xfffff8a0, Type=0x1000), ResultLength=0x0) returned 0x0 [0038.102] NtQueryVirtualMemory (in: ProcessHandle=0x148, Address=0x7fefd6b0000, VirtualMemoryInformationClass=0x2, VirtualMemoryInformation=0xb1dfc8, Length=0x2800, ResultLength=0x0 | out: VirtualMemoryInformation=0xb1dfc8*(SectionFileName.Length=0x60, SectionFileName.MaximumLength=0x62, SectionFileName.Buffer="\\Device\\HarddiskVolume1\\Windows\\System32\\sxs.dll"), ResultLength=0x0) returned 0x0 [0038.102] NtQueryVirtualMemory (in: ProcessHandle=0x148, Address=0x7fefd713000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xfd713000, AllocationBase=0x7fe, AllocationProtect=0xfd6b0000, RegionSize=0x7fe, State=0x80, Protect=0xfffff8a0, Type=0x25000), ResultLength=0x0) returned 0x0 [0038.102] NtQueryVirtualMemory (in: ProcessHandle=0x148, Address=0x7fefd738000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xfd738000, AllocationBase=0x7fe, AllocationProtect=0xfd6b0000, RegionSize=0x7fe, State=0x80, Protect=0xfffff8a0, Type=0x1000), ResultLength=0x0) returned 0x0 [0038.102] NtQueryVirtualMemory (in: ProcessHandle=0x148, Address=0x7fefd739000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xfd739000, AllocationBase=0x7fe, AllocationProtect=0xfd6b0000, RegionSize=0x7fe, State=0x80, Protect=0xfffff8a0, Type=0x8000), ResultLength=0x0) returned 0x0 [0038.102] NtQueryVirtualMemory (in: ProcessHandle=0x148, Address=0x7fefd741000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xfd741000, AllocationBase=0x7fe, AllocationProtect=0x0, RegionSize=0x0, State=0x0, Protect=0xfffff8a0, Type=0x7f000), ResultLength=0x0) returned 0x0 [0038.102] NtQueryVirtualMemory (in: ProcessHandle=0x148, Address=0x7fefd7c0000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xfd7c0000, AllocationBase=0x7fe, AllocationProtect=0xfd7c0000, RegionSize=0x7fe, State=0x80, Protect=0xfffff8a0, Type=0x1000), ResultLength=0x0) returned 0x0 [0038.102] NtQueryVirtualMemory (in: ProcessHandle=0x148, Address=0x7fefd7c0000, VirtualMemoryInformationClass=0x2, VirtualMemoryInformation=0xb1dfc8, Length=0x2800, ResultLength=0x0 | out: VirtualMemoryInformation=0xb1dfc8*(SectionFileName.Length=0x66, SectionFileName.MaximumLength=0x68, SectionFileName.Buffer="\\Device\\HarddiskVolume1\\Windows\\System32\\sxssrv.dll"), ResultLength=0x0) returned 0x0 [0038.104] NtQueryVirtualMemory (in: ProcessHandle=0x148, Address=0x7fefd94a000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xfd94a000, AllocationBase=0x7fe, AllocationProtect=0xfd900000, RegionSize=0x7fe, State=0x80, Protect=0xfffff8a0, Type=0x16000), ResultLength=0x0) returned 0x0 [0038.104] NtQueryVirtualMemory (in: ProcessHandle=0x148, Address=0x7fefd960000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xfd960000, AllocationBase=0x7fe, AllocationProtect=0xfd900000, RegionSize=0x7fe, State=0x80, Protect=0xfffff8a0, Type=0x2000), ResultLength=0x0) returned 0x0 [0038.104] NtQueryVirtualMemory (in: ProcessHandle=0x148, Address=0x7fefd962000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xfd962000, AllocationBase=0x7fe, AllocationProtect=0xfd900000, RegionSize=0x7fe, State=0x80, Protect=0xfffff8a0, Type=0x9000), ResultLength=0x0) returned 0x0 [0038.104] NtQueryVirtualMemory (in: ProcessHandle=0x148, Address=0x7fefd96b000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xfd96b000, AllocationBase=0x7fe, AllocationProtect=0x0, RegionSize=0x0, State=0x0, Protect=0xfffff8a0, Type=0x215000), ResultLength=0x0) returned 0x0 [0038.104] NtQueryVirtualMemory (in: ProcessHandle=0x148, Address=0x7fefdb80000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xfdb80000, AllocationBase=0x7fe, AllocationProtect=0xfdb80000, RegionSize=0x7fe, State=0x80, Protect=0xfffff8a0, Type=0x1000), ResultLength=0x0) returned 0x0 [0038.104] NtQueryVirtualMemory (in: ProcessHandle=0x148, Address=0x7fefdb80000, VirtualMemoryInformationClass=0x2, VirtualMemoryInformation=0xb1dfc8, Length=0x2800, ResultLength=0x0 | out: VirtualMemoryInformation=0xb1dfc8*(SectionFileName.Length=0x64, SectionFileName.MaximumLength=0x66, SectionFileName.Buffer="\\Device\\HarddiskVolume1\\Windows\\System32\\usp10.dll"), ResultLength=0x0) returned 0x0 [0038.104] NtQueryVirtualMemory (in: ProcessHandle=0x148, Address=0x7fefdc03000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xfdc03000, AllocationBase=0x7fe, AllocationProtect=0xfdb80000, RegionSize=0x7fe, State=0x80, Protect=0xfffff8a0, Type=0x1000), ResultLength=0x0) returned 0x0 [0038.104] NtQueryVirtualMemory (in: ProcessHandle=0x148, Address=0x7fefdc04000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xfdc04000, AllocationBase=0x7fe, AllocationProtect=0xfdb80000, RegionSize=0x7fe, State=0x80, Protect=0xfffff8a0, Type=0x1000), ResultLength=0x0) returned 0x0 [0038.104] NtQueryVirtualMemory (in: ProcessHandle=0x148, Address=0x7fefdc05000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xfdc05000, AllocationBase=0x7fe, AllocationProtect=0xfdb80000, RegionSize=0x7fe, State=0x80, Protect=0xfffff8a0, Type=0x1000), ResultLength=0x0) returned 0x0 [0038.104] NtQueryVirtualMemory (in: ProcessHandle=0x148, Address=0x7fefdc06000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xfdc06000, AllocationBase=0x7fe, AllocationProtect=0xfdb80000, RegionSize=0x7fe, State=0x80, Protect=0xfffff8a0, Type=0x43000), ResultLength=0x0) returned 0x0 [0038.104] NtQueryVirtualMemory (in: ProcessHandle=0x148, Address=0x7fefdc49000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xfdc49000, AllocationBase=0x7fe, AllocationProtect=0x0, RegionSize=0x0, State=0x0, Protect=0xfffff8a0, Type=0xe7000), ResultLength=0x0) returned 0x0 [0038.104] NtQueryVirtualMemory (in: ProcessHandle=0x148, Address=0x7fefdd30000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xfdd30000, AllocationBase=0x7fe, AllocationProtect=0xfdd30000, RegionSize=0x7fe, State=0x80, Protect=0xfffff8a0, Type=0x1000), ResultLength=0x0) returned 0x0 [0038.104] NtQueryVirtualMemory (in: ProcessHandle=0x148, Address=0x7fefdd30000, VirtualMemoryInformationClass=0x2, VirtualMemoryInformation=0xb1dfc8, Length=0x2800, ResultLength=0x0 | out: VirtualMemoryInformation=0xb1dfc8*(SectionFileName.Length=0x60, SectionFileName.MaximumLength=0x62, SectionFileName.Buffer="\\Device\\HarddiskVolume1\\Windows\\System32\\lpk.dll"), ResultLength=0x0) returned 0x0 [0038.105] NtQueryVirtualMemory (in: ProcessHandle=0x148, Address=0x7fefdd38000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xfdd38000, AllocationBase=0x7fe, AllocationProtect=0xfdd30000, RegionSize=0x7fe, State=0x80, Protect=0xfffff8a0, Type=0x2000), ResultLength=0x0) returned 0x0 [0038.105] NtQueryVirtualMemory (in: ProcessHandle=0x148, Address=0x7fefdd3a000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xfdd3a000, AllocationBase=0x7fe, AllocationProtect=0xfdd30000, RegionSize=0x7fe, State=0x80, Protect=0xfffff8a0, Type=0x1000), ResultLength=0x0) returned 0x0 [0038.105] NtQueryVirtualMemory (in: ProcessHandle=0x148, Address=0x7fefdd3b000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xfdd3b000, AllocationBase=0x7fe, AllocationProtect=0xfdd30000, RegionSize=0x7fe, State=0x80, Protect=0xfffff8a0, Type=0x3000), ResultLength=0x0) returned 0x0 [0038.105] NtQueryVirtualMemory (in: ProcessHandle=0x148, Address=0x7fefdd3e000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xfdd3e000, AllocationBase=0x7fe, AllocationProtect=0x0, RegionSize=0x0, State=0x0, Protect=0xfffff8a0, Type=0xfd2000), ResultLength=0x0) returned 0x0 [0038.105] NtQueryVirtualMemory (in: ProcessHandle=0x148, Address=0x7fefed10000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xfed10000, AllocationBase=0x7fe, AllocationProtect=0xfed10000, RegionSize=0x7fe, State=0x80, Protect=0xfffff8a0, Type=0x1000), ResultLength=0x0) returned 0x0 [0038.105] NtQueryVirtualMemory (in: ProcessHandle=0x148, Address=0x7fefed10000, VirtualMemoryInformationClass=0x2, VirtualMemoryInformation=0xb1dfc8, Length=0x2800, ResultLength=0x0 | out: VirtualMemoryInformation=0xb1dfc8*(SectionFileName.Length=0x64, SectionFileName.MaximumLength=0x66, SectionFileName.Buffer="\\Device\\HarddiskVolume1\\Windows\\System32\\gdi32.dll"), ResultLength=0x0) returned 0x0 [0038.105] NtQueryVirtualMemory (in: ProcessHandle=0x148, Address=0x7fefed62000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xfed62000, AllocationBase=0x7fe, AllocationProtect=0xfed10000, RegionSize=0x7fe, State=0x80, Protect=0xfffff8a0, Type=0xa000), ResultLength=0x0) returned 0x0 [0038.105] NtQueryVirtualMemory (in: ProcessHandle=0x148, Address=0x7fefed6c000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xfed6c000, AllocationBase=0x7fe, AllocationProtect=0xfed10000, RegionSize=0x7fe, State=0x80, Protect=0xfffff8a0, Type=0x1000), ResultLength=0x0) returned 0x0 [0038.105] NtQueryVirtualMemory (in: ProcessHandle=0x148, Address=0x7fefed6d000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xfed6d000, AllocationBase=0x7fe, AllocationProtect=0xfed10000, RegionSize=0x7fe, State=0x80, Protect=0xfffff8a0, Type=0x1000), ResultLength=0x0) returned 0x0 [0038.105] NtQueryVirtualMemory (in: ProcessHandle=0x148, Address=0x7fefed6e000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xfed6e000, AllocationBase=0x7fe, AllocationProtect=0xfed10000, RegionSize=0x7fe, State=0x80, Protect=0xfffff8a0, Type=0x9000), ResultLength=0x0) returned 0x0 [0038.105] NtQueryVirtualMemory (in: ProcessHandle=0x148, Address=0x7fefed77000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xfed77000, AllocationBase=0x7fe, AllocationProtect=0x0, RegionSize=0x0, State=0x0, Protect=0xfffff8a0, Type=0x459000), ResultLength=0x0) returned 0x0 [0038.105] NtQueryVirtualMemory (in: ProcessHandle=0x148, Address=0x7feff1d0000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xff1d0000, AllocationBase=0x7fe, AllocationProtect=0xff1d0000, RegionSize=0x7fe, State=0x80, Protect=0xfffff8a0, Type=0x1000), ResultLength=0x0) returned 0x0 [0038.105] NtQueryVirtualMemory (in: ProcessHandle=0x148, Address=0x7feff1d0000, VirtualMemoryInformationClass=0x2, VirtualMemoryInformation=0xb1dfc8, Length=0x2800, ResultLength=0x0 | out: VirtualMemoryInformation=0xb1dfc8*(SectionFileName.Length=0x66, SectionFileName.MaximumLength=0x68, SectionFileName.Buffer="\\Device\\HarddiskVolume1\\Windows\\System32\\rpcrt4.dll"), ResultLength=0x0) returned 0x0 [0038.106] NtQueryVirtualMemory (in: ProcessHandle=0x148, Address=0x7feff2b3000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xff2b3000, AllocationBase=0x7fe, AllocationProtect=0xff1d0000, RegionSize=0x7fe, State=0x80, Protect=0xfffff8a0, Type=0x2c000), ResultLength=0x0) returned 0x0 [0038.106] NtQueryVirtualMemory (in: ProcessHandle=0x148, Address=0x7feff2df000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xff2df000, AllocationBase=0x7fe, AllocationProtect=0xff1d0000, RegionSize=0x7fe, State=0x80, Protect=0xfffff8a0, Type=0x2000), ResultLength=0x0) returned 0x0 [0038.106] NtQueryVirtualMemory (in: ProcessHandle=0x148, Address=0x7feff2e1000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xff2e1000, AllocationBase=0x7fe, AllocationProtect=0xff1d0000, RegionSize=0x7fe, State=0x80, Protect=0xfffff8a0, Type=0x1c000), ResultLength=0x0) returned 0x0 [0038.106] NtQueryVirtualMemory (in: ProcessHandle=0x148, Address=0x7feff2fd000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xff2fd000, AllocationBase=0x7fe, AllocationProtect=0x0, RegionSize=0x0, State=0x0, Protect=0xfffff8a0, Type=0x783000), ResultLength=0x0) returned 0x0 [0038.106] NtQueryVirtualMemory (in: ProcessHandle=0x148, Address=0x7feffa80000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xffa80000, AllocationBase=0x7fe, AllocationProtect=0xffa80000, RegionSize=0x7fe, State=0x80, Protect=0xfffff8a0, Type=0x1000), ResultLength=0x0) returned 0x0 [0038.106] NtQueryVirtualMemory (in: ProcessHandle=0x148, Address=0x7feffa80000, VirtualMemoryInformationClass=0x2, VirtualMemoryInformation=0xb1dfc8, Length=0x2800, ResultLength=0x0 | out: VirtualMemoryInformation=0xb1dfc8*(SectionFileName.Length=0x66, SectionFileName.MaximumLength=0x68, SectionFileName.Buffer="\\Device\\HarddiskVolume1\\Windows\\System32\\msvcrt.dll"), ResultLength=0x0) returned 0x0 [0038.106] NtQueryVirtualMemory (in: ProcessHandle=0x148, Address=0x7feffafa000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xffafa000, AllocationBase=0x7fe, AllocationProtect=0xffa80000, RegionSize=0x7fe, State=0x80, Protect=0xfffff8a0, Type=0x17000), ResultLength=0x0) returned 0x0 [0038.106] NtQueryVirtualMemory (in: ProcessHandle=0x148, Address=0x7feffb11000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xffb11000, AllocationBase=0x7fe, AllocationProtect=0xffa80000, RegionSize=0x7fe, State=0x80, Protect=0xfffff8a0, Type=0x2000), ResultLength=0x0) returned 0x0 [0038.106] NtQueryVirtualMemory (in: ProcessHandle=0x148, Address=0x7feffb13000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xffb13000, AllocationBase=0x7fe, AllocationProtect=0xffa80000, RegionSize=0x7fe, State=0x80, Protect=0xfffff8a0, Type=0x1000), ResultLength=0x0) returned 0x0 [0038.106] NtQueryVirtualMemory (in: ProcessHandle=0x148, Address=0x7feffb14000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xffb14000, AllocationBase=0x7fe, AllocationProtect=0xffa80000, RegionSize=0x7fe, State=0x80, Protect=0xfffff8a0, Type=0x1000), ResultLength=0x0) returned 0x0 [0038.106] NtQueryVirtualMemory (in: ProcessHandle=0x148, Address=0x7feffb15000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xffb15000, AllocationBase=0x7fe, AllocationProtect=0xffa80000, RegionSize=0x7fe, State=0x80, Protect=0xfffff8a0, Type=0x2000), ResultLength=0x0) returned 0x0 [0038.106] NtQueryVirtualMemory (in: ProcessHandle=0x148, Address=0x7feffb17000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xffb17000, AllocationBase=0x7fe, AllocationProtect=0xffa80000, RegionSize=0x7fe, State=0x80, Protect=0xfffff8a0, Type=0x8000), ResultLength=0x0) returned 0x0 [0038.107] NtQueryVirtualMemory (in: ProcessHandle=0x148, Address=0x7feffb1f000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xffb1f000, AllocationBase=0x7fe, AllocationProtect=0x0, RegionSize=0x0, State=0x0, Protect=0xfffff8a0, Type=0x61000), ResultLength=0x0) returned 0x0 [0038.107] NtQueryVirtualMemory (in: ProcessHandle=0x148, Address=0x7feffb80000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xffb80000, AllocationBase=0x7fe, AllocationProtect=0xffb80000, RegionSize=0x7fe, State=0x80, Protect=0xfffff8a0, Type=0x1000), ResultLength=0x0) returned 0x0 [0038.107] NtQueryVirtualMemory (in: ProcessHandle=0x148, Address=0x7feffb80000, VirtualMemoryInformationClass=0x2, VirtualMemoryInformation=0xb1dfc8, Length=0x2800, ResultLength=0x0 | out: VirtualMemoryInformation=0xb1dfc8*(SectionFileName.Length=0x72, SectionFileName.MaximumLength=0x74, SectionFileName.Buffer="\\Device\\HarddiskVolume1\\Windows\\System32\\apisetschema.dll"), ResultLength=0x0) returned 0x0 [0038.107] GetProcessImageFileNameW (in: hProcess=0x188, lpImageFileName=0xb207d0, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Windows\\System32\\wininit.exe") returned 0x34 [0038.108] GetProcessTimes (in: hProcess=0x188, lpCreationTime=0x151f58c, lpExitTime=0x151f584, lpKernelTime=0x151f584, lpUserTime=0x151f584 | out: lpCreationTime=0x151f58c, lpExitTime=0x151f584, lpKernelTime=0x151f584, lpUserTime=0x151f584) returned 1 [0038.108] OpenProcessToken (in: ProcessHandle=0x188, DesiredAccess=0x8, TokenHandle=0x151f554 | out: TokenHandle=0x151f554*=0x240) returned 1 [0038.108] GetTokenInformation (in: TokenHandle=0x240, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f550 | out: TokenInformation=0x0, ReturnLength=0x151f550) returned 0 [0038.108] GetTokenInformation (in: TokenHandle=0x240, TokenInformationClass=0x19, TokenInformation=0xadca60, TokenInformationLength=0x14, ReturnLength=0x151f550 | out: TokenInformation=0xadca60, ReturnLength=0x151f550) returned 1 [0038.108] GetSidSubAuthorityCount (pSid=0xadca68*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000)) returned 0xadca69 [0038.108] GetSidSubAuthority (pSid=0xadca68*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000), nSubAuthority=0x0) returned 0xadca70 [0038.110] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x776c2000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0x776c2000, AllocationBase=0x0, AllocationProtect=0x77640000, RegionSize=0x0, State=0x80, Protect=0xfffff8a0, Type=0x10000), ResultLength=0x0) returned 0x0 [0038.110] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x776d2000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0x776d2000, AllocationBase=0x0, AllocationProtect=0x77640000, RegionSize=0x0, State=0x80, Protect=0xfffff8a0, Type=0x2000), ResultLength=0x0) returned 0x0 [0038.110] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x776d4000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0x776d4000, AllocationBase=0x0, AllocationProtect=0x77640000, RegionSize=0x0, State=0x80, Protect=0xfffff8a0, Type=0x66000), ResultLength=0x0) returned 0x0 [0038.110] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x7773a000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0x7773a000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x0, State=0x0, Protect=0xfffff8a0, Type=0x6000), ResultLength=0x0) returned 0x0 [0038.110] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x77740000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0x77740000, AllocationBase=0x0, AllocationProtect=0x77740000, RegionSize=0x0, State=0x80, Protect=0xfffff8a0, Type=0x1000), ResultLength=0x0) returned 0x0 [0038.110] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x77740000, VirtualMemoryInformationClass=0x2, VirtualMemoryInformation=0xb1dfc8, Length=0x2800, ResultLength=0x0 | out: VirtualMemoryInformation=0xb1dfc8*(SectionFileName.Length=0x6a, SectionFileName.MaximumLength=0x6c, SectionFileName.Buffer="\\Device\\HarddiskVolume1\\Windows\\System32\\kernel32.dll"), ResultLength=0x0) returned 0x0 [0038.110] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x777dc000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0x777dc000, AllocationBase=0x0, AllocationProtect=0x77740000, RegionSize=0x0, State=0x80, Protect=0xfffff8a0, Type=0x6e000), ResultLength=0x0) returned 0x0 [0038.110] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x7784a000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0x7784a000, AllocationBase=0x0, AllocationProtect=0x77740000, RegionSize=0x0, State=0x80, Protect=0xfffff8a0, Type=0x2000), ResultLength=0x0) returned 0x0 [0038.110] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x7784c000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0x7784c000, AllocationBase=0x0, AllocationProtect=0x77740000, RegionSize=0x0, State=0x80, Protect=0xfffff8a0, Type=0x13000), ResultLength=0x0) returned 0x0 [0038.110] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x7785f000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0x7785f000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x0, State=0x0, Protect=0xfffff8a0, Type=0x1000), ResultLength=0x0) returned 0x0 [0038.110] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x77860000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0x77860000, AllocationBase=0x0, AllocationProtect=0x77860000, RegionSize=0x0, State=0x80, Protect=0xfffff8a0, Type=0x1000), ResultLength=0x0) returned 0x0 [0038.110] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x77860000, VirtualMemoryInformationClass=0x2, VirtualMemoryInformation=0xb1dfc8, Length=0x2800, ResultLength=0x0 | out: VirtualMemoryInformation=0xb1dfc8*(SectionFileName.Length=0x64, SectionFileName.MaximumLength=0x66, SectionFileName.Buffer="\\Device\\HarddiskVolume1\\Windows\\System32\\ntdll.dll"), ResultLength=0x0) returned 0x0 [0038.111] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x77963000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0x77963000, AllocationBase=0x0, AllocationProtect=0x77860000, RegionSize=0x0, State=0x80, Protect=0xfffff8a0, Type=0x2f000), ResultLength=0x0) returned 0x0 [0038.111] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x77992000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0x77992000, AllocationBase=0x0, AllocationProtect=0x77860000, RegionSize=0x0, State=0x80, Protect=0xfffff8a0, Type=0x1000), ResultLength=0x0) returned 0x0 [0038.111] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x77993000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0x77993000, AllocationBase=0x0, AllocationProtect=0x77860000, RegionSize=0x0, State=0x80, Protect=0xfffff8a0, Type=0x1000), ResultLength=0x0) returned 0x0 [0038.111] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x77994000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0x77994000, AllocationBase=0x0, AllocationProtect=0x77860000, RegionSize=0x0, State=0x80, Protect=0xfffff8a0, Type=0x1000), ResultLength=0x0) returned 0x0 [0038.111] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x77995000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0x77995000, AllocationBase=0x0, AllocationProtect=0x77860000, RegionSize=0x0, State=0x80, Protect=0xfffff8a0, Type=0x2000), ResultLength=0x0) returned 0x0 [0038.111] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x77997000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0x77997000, AllocationBase=0x0, AllocationProtect=0x77860000, RegionSize=0x0, State=0x80, Protect=0xfffff8a0, Type=0x1000), ResultLength=0x0) returned 0x0 [0038.111] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x77998000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0x77998000, AllocationBase=0x0, AllocationProtect=0x77860000, RegionSize=0x0, State=0x80, Protect=0xfffff8a0, Type=0x1000), ResultLength=0x0) returned 0x0 [0038.111] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x77999000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0x77999000, AllocationBase=0x0, AllocationProtect=0x77860000, RegionSize=0x0, State=0x80, Protect=0xfffff8a0, Type=0x2000), ResultLength=0x0) returned 0x0 [0038.111] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x7799b000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0x7799b000, AllocationBase=0x0, AllocationProtect=0x77860000, RegionSize=0x0, State=0x80, Protect=0xfffff8a0, Type=0x3000), ResultLength=0x0) returned 0x0 [0038.111] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x7799e000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0x7799e000, AllocationBase=0x0, AllocationProtect=0x77860000, RegionSize=0x0, State=0x80, Protect=0xfffff8a0, Type=0x6b000), ResultLength=0x0) returned 0x0 [0038.111] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x77a09000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0x77a09000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x0, State=0x0, Protect=0xfffff8a0, Type=0x75d7000), ResultLength=0x0) returned 0x0 [0038.111] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x7efe0000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0x7efe0000, AllocationBase=0x0, AllocationProtect=0x7efe0000, RegionSize=0x0, State=0x2, Protect=0xfffff8a0, Type=0x5000), ResultLength=0x0) returned 0x0 [0038.112] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x7efe0000, VirtualMemoryInformationClass=0x2, VirtualMemoryInformation=0xb1dfc8, Length=0x2800, ResultLength=0x0 | out: VirtualMemoryInformation=0xb1dfc8, ResultLength=0x0) returned 0xc0000098 [0038.112] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x7efe5000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0x7efe5000, AllocationBase=0x0, AllocationProtect=0x7efe0000, RegionSize=0x0, State=0x2, Protect=0xfffff8a0, Type=0xfb000), ResultLength=0x0) returned 0x0 [0038.112] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x7f0e0000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0x7f0e0000, AllocationBase=0x0, AllocationProtect=0x7f0e0000, RegionSize=0x0, State=0x2, Protect=0xfffff8a0, Type=0xf00000), ResultLength=0x0) returned 0x0 [0038.112] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x7ffe0000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0x7ffe0000, AllocationBase=0x0, AllocationProtect=0x7ffe0000, RegionSize=0x0, State=0x2, Protect=0xfffff8a0, Type=0x1000), ResultLength=0x0) returned 0x0 [0038.112] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x7ffe1000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0x7ffe1000, AllocationBase=0x0, AllocationProtect=0x7ffe0000, RegionSize=0x0, State=0x2, Protect=0xfffff8a0, Type=0xf000), ResultLength=0x0) returned 0x0 [0038.112] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x7fff0000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0x7fff0000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x0, State=0x0, Protect=0xfffff8a0, Type=0x7f4d0000), ResultLength=0x0) returned 0x0 [0038.112] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0xff4c0000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xff4c0000, AllocationBase=0x0, AllocationProtect=0xff4c0000, RegionSize=0x0, State=0x80, Protect=0xfffff8a0, Type=0x1000), ResultLength=0x0) returned 0x0 [0038.112] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0xff4c0000, VirtualMemoryInformationClass=0x2, VirtualMemoryInformation=0xb1dfc8, Length=0x2800, ResultLength=0x0 | out: VirtualMemoryInformation=0xb1dfc8*(SectionFileName.Length=0x68, SectionFileName.MaximumLength=0x6a, SectionFileName.Buffer="\\Device\\HarddiskVolume1\\Windows\\System32\\wininit.exe"), ResultLength=0x0) returned 0x0 [0038.113] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x7fefd084000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xfd084000, AllocationBase=0x7fe, AllocationProtect=0xfd040000, RegionSize=0x7fe, State=0x80, Protect=0xfffff8a0, Type=0x9000), ResultLength=0x0) returned 0x0 [0038.113] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x7fefd08d000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xfd08d000, AllocationBase=0x7fe, AllocationProtect=0xfd040000, RegionSize=0x7fe, State=0x80, Protect=0xfffff8a0, Type=0x2000), ResultLength=0x0) returned 0x0 [0038.113] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x7fefd08f000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xfd08f000, AllocationBase=0x7fe, AllocationProtect=0xfd040000, RegionSize=0x7fe, State=0x80, Protect=0xfffff8a0, Type=0x1000), ResultLength=0x0) returned 0x0 [0038.113] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x7fefd090000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xfd090000, AllocationBase=0x7fe, AllocationProtect=0xfd040000, RegionSize=0x7fe, State=0x80, Protect=0xfffff8a0, Type=0x5000), ResultLength=0x0) returned 0x0 [0038.113] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x7fefd095000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xfd095000, AllocationBase=0x7fe, AllocationProtect=0x0, RegionSize=0x0, State=0x0, Protect=0xfffff8a0, Type=0x5ab000), ResultLength=0x0) returned 0x0 [0038.113] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x7fefd640000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xfd640000, AllocationBase=0x7fe, AllocationProtect=0xfd640000, RegionSize=0x7fe, State=0x80, Protect=0xfffff8a0, Type=0x1000), ResultLength=0x0) returned 0x0 [0038.113] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x7fefd640000, VirtualMemoryInformationClass=0x2, VirtualMemoryInformation=0xb1dfc8, Length=0x2800, ResultLength=0x0 | out: VirtualMemoryInformation=0xb1dfc8*(SectionFileName.Length=0x68, SectionFileName.MaximumLength=0x6a, SectionFileName.Buffer="\\Device\\HarddiskVolume1\\Windows\\System32\\secur32.dll"), ResultLength=0x0) returned 0x0 [0038.114] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x7fefd688000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xfd688000, AllocationBase=0x7fe, AllocationProtect=0xfd670000, RegionSize=0x7fe, State=0x80, Protect=0xfffff8a0, Type=0x7000), ResultLength=0x0) returned 0x0 [0038.114] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x7fefd68f000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xfd68f000, AllocationBase=0x7fe, AllocationProtect=0xfd670000, RegionSize=0x7fe, State=0x80, Protect=0xfffff8a0, Type=0x1000), ResultLength=0x0) returned 0x0 [0038.114] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x7fefd690000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xfd690000, AllocationBase=0x7fe, AllocationProtect=0xfd670000, RegionSize=0x7fe, State=0x80, Protect=0xfffff8a0, Type=0x1000), ResultLength=0x0) returned 0x0 [0038.114] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x7fefd691000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xfd691000, AllocationBase=0x7fe, AllocationProtect=0xfd670000, RegionSize=0x7fe, State=0x80, Protect=0xfffff8a0, Type=0x4000), ResultLength=0x0) returned 0x0 [0038.114] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x7fefd695000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xfd695000, AllocationBase=0x7fe, AllocationProtect=0x0, RegionSize=0x0, State=0x0, Protect=0xfffff8a0, Type=0xb000), ResultLength=0x0) returned 0x0 [0038.114] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x7fefd6a0000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xfd6a0000, AllocationBase=0x7fe, AllocationProtect=0xfd6a0000, RegionSize=0x7fe, State=0x80, Protect=0xfffff8a0, Type=0x1000), ResultLength=0x0) returned 0x0 [0038.114] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x7fefd6a0000, VirtualMemoryInformationClass=0x2, VirtualMemoryInformation=0xb1dfc8, Length=0x2800, ResultLength=0x0 | out: VirtualMemoryInformation=0xb1dfc8*(SectionFileName.Length=0x6c, SectionFileName.MaximumLength=0x6e, SectionFileName.Buffer="\\Device\\HarddiskVolume1\\Windows\\System32\\cryptbase.dll"), ResultLength=0x0) returned 0x0 [0038.115] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x7fefd6ab000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xfd6ab000, AllocationBase=0x7fe, AllocationProtect=0xfd6a0000, RegionSize=0x7fe, State=0x80, Protect=0xfffff8a0, Type=0x1000), ResultLength=0x0) returned 0x0 [0038.115] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x7fefd6ac000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xfd6ac000, AllocationBase=0x7fe, AllocationProtect=0xfd6a0000, RegionSize=0x7fe, State=0x80, Protect=0xfffff8a0, Type=0x3000), ResultLength=0x0) returned 0x0 [0038.115] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x7fefd6af000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xfd6af000, AllocationBase=0x7fe, AllocationProtect=0x0, RegionSize=0x0, State=0x0, Protect=0xfffff8a0, Type=0xe1000), ResultLength=0x0) returned 0x0 [0038.115] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x7fefd790000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xfd790000, AllocationBase=0x7fe, AllocationProtect=0xfd790000, RegionSize=0x7fe, State=0x80, Protect=0xfffff8a0, Type=0x1000), ResultLength=0x0) returned 0x0 [0038.115] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x7fefd790000, VirtualMemoryInformationClass=0x2, VirtualMemoryInformation=0xb1dfc8, Length=0x2800, ResultLength=0x0 | out: VirtualMemoryInformation=0xb1dfc8*(SectionFileName.Length=0x70, SectionFileName.MaximumLength=0x72, SectionFileName.Buffer="\\Device\\HarddiskVolume1\\Windows\\System32\\RpcRtRemote.dll"), ResultLength=0x0) returned 0x0 [0038.115] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x7fefd79b000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xfd79b000, AllocationBase=0x7fe, AllocationProtect=0xfd790000, RegionSize=0x7fe, State=0x80, Protect=0xfffff8a0, Type=0x5000), ResultLength=0x0) returned 0x0 [0038.115] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x7fefd7a0000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xfd7a0000, AllocationBase=0x7fe, AllocationProtect=0xfd790000, RegionSize=0x7fe, State=0x80, Protect=0xfffff8a0, Type=0x1000), ResultLength=0x0) returned 0x0 [0038.115] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x7fefd7a1000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xfd7a1000, AllocationBase=0x7fe, AllocationProtect=0xfd790000, RegionSize=0x7fe, State=0x80, Protect=0xfffff8a0, Type=0x3000), ResultLength=0x0) returned 0x0 [0038.115] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x7fefd7a4000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xfd7a4000, AllocationBase=0x7fe, AllocationProtect=0x0, RegionSize=0x0, State=0x0, Protect=0xfffff8a0, Type=0xc000), ResultLength=0x0) returned 0x0 [0038.115] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x7fefd7b0000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xfd7b0000, AllocationBase=0x7fe, AllocationProtect=0xfd7b0000, RegionSize=0x7fe, State=0x80, Protect=0xfffff8a0, Type=0x1000), ResultLength=0x0) returned 0x0 [0038.115] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x7fefd7b0000, VirtualMemoryInformationClass=0x2, VirtualMemoryInformation=0xb1dfc8, Length=0x2800, ResultLength=0x0 | out: VirtualMemoryInformation=0xb1dfc8*(SectionFileName.Length=0x68, SectionFileName.MaximumLength=0x6a, SectionFileName.Buffer="\\Device\\HarddiskVolume1\\Windows\\System32\\profapi.dll"), ResultLength=0x0) returned 0x0 [0038.116] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x7fefd7b8000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xfd7b8000, AllocationBase=0x7fe, AllocationProtect=0xfd7b0000, RegionSize=0x7fe, State=0x80, Protect=0xfffff8a0, Type=0x3000), ResultLength=0x0) returned 0x0 [0038.116] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x7fefd7bb000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xfd7bb000, AllocationBase=0x7fe, AllocationProtect=0xfd7b0000, RegionSize=0x7fe, State=0x80, Protect=0xfffff8a0, Type=0x1000), ResultLength=0x0) returned 0x0 [0038.116] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x7fefd7bc000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xfd7bc000, AllocationBase=0x7fe, AllocationProtect=0xfd7b0000, RegionSize=0x7fe, State=0x80, Protect=0xfffff8a0, Type=0x3000), ResultLength=0x0) returned 0x0 [0038.116] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x7fefd7bf000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xfd7bf000, AllocationBase=0x7fe, AllocationProtect=0x0, RegionSize=0x0, State=0x0, Protect=0xfffff8a0, Type=0x141000), ResultLength=0x0) returned 0x0 [0038.116] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x7fefd900000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xfd900000, AllocationBase=0x7fe, AllocationProtect=0xfd900000, RegionSize=0x7fe, State=0x80, Protect=0xfffff8a0, Type=0x1000), ResultLength=0x0) returned 0x0 [0038.116] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x7fefd900000, VirtualMemoryInformationClass=0x2, VirtualMemoryInformation=0xb1dfc8, Length=0x2800, ResultLength=0x0 | out: VirtualMemoryInformation=0xb1dfc8*(SectionFileName.Length=0x6e, SectionFileName.MaximumLength=0x70, SectionFileName.Buffer="\\Device\\HarddiskVolume1\\Windows\\System32\\KernelBase.dll"), ResultLength=0x0) returned 0x0 [0038.116] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x7fefd94a000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xfd94a000, AllocationBase=0x7fe, AllocationProtect=0xfd900000, RegionSize=0x7fe, State=0x80, Protect=0xfffff8a0, Type=0x16000), ResultLength=0x0) returned 0x0 [0038.116] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x7fefd960000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xfd960000, AllocationBase=0x7fe, AllocationProtect=0xfd900000, RegionSize=0x7fe, State=0x80, Protect=0xfffff8a0, Type=0x2000), ResultLength=0x0) returned 0x0 [0038.116] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x7fefd962000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xfd962000, AllocationBase=0x7fe, AllocationProtect=0xfd900000, RegionSize=0x7fe, State=0x80, Protect=0xfffff8a0, Type=0x9000), ResultLength=0x0) returned 0x0 [0038.116] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x7fefd96b000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xfd96b000, AllocationBase=0x7fe, AllocationProtect=0x0, RegionSize=0x0, State=0x0, Protect=0xfffff8a0, Type=0x215000), ResultLength=0x0) returned 0x0 [0038.116] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x7fefdb80000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xfdb80000, AllocationBase=0x7fe, AllocationProtect=0xfdb80000, RegionSize=0x7fe, State=0x80, Protect=0xfffff8a0, Type=0x1000), ResultLength=0x0) returned 0x0 [0038.116] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x7fefdb80000, VirtualMemoryInformationClass=0x2, VirtualMemoryInformation=0xb1dfc8, Length=0x2800, ResultLength=0x0 | out: VirtualMemoryInformation=0xb1dfc8*(SectionFileName.Length=0x64, SectionFileName.MaximumLength=0x66, SectionFileName.Buffer="\\Device\\HarddiskVolume1\\Windows\\System32\\usp10.dll"), ResultLength=0x0) returned 0x0 [0038.117] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x7fefdc03000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xfdc03000, AllocationBase=0x7fe, AllocationProtect=0xfdb80000, RegionSize=0x7fe, State=0x80, Protect=0xfffff8a0, Type=0x1000), ResultLength=0x0) returned 0x0 [0038.117] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x7fefdc04000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xfdc04000, AllocationBase=0x7fe, AllocationProtect=0xfdb80000, RegionSize=0x7fe, State=0x80, Protect=0xfffff8a0, Type=0x1000), ResultLength=0x0) returned 0x0 [0038.117] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x7fefdc05000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xfdc05000, AllocationBase=0x7fe, AllocationProtect=0xfdb80000, RegionSize=0x7fe, State=0x80, Protect=0xfffff8a0, Type=0x1000), ResultLength=0x0) returned 0x0 [0038.117] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x7fefdc06000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xfdc06000, AllocationBase=0x7fe, AllocationProtect=0xfdb80000, RegionSize=0x7fe, State=0x80, Protect=0xfffff8a0, Type=0x43000), ResultLength=0x0) returned 0x0 [0038.117] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x7fefdc49000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xfdc49000, AllocationBase=0x7fe, AllocationProtect=0x0, RegionSize=0x0, State=0x0, Protect=0xfffff8a0, Type=0xe7000), ResultLength=0x0) returned 0x0 [0038.117] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x7fefdd30000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xfdd30000, AllocationBase=0x7fe, AllocationProtect=0xfdd30000, RegionSize=0x7fe, State=0x80, Protect=0xfffff8a0, Type=0x1000), ResultLength=0x0) returned 0x0 [0038.117] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x7fefdd30000, VirtualMemoryInformationClass=0x2, VirtualMemoryInformation=0xb1dfc8, Length=0x2800, ResultLength=0x0 | out: VirtualMemoryInformation=0xb1dfc8*(SectionFileName.Length=0x60, SectionFileName.MaximumLength=0x62, SectionFileName.Buffer="\\Device\\HarddiskVolume1\\Windows\\System32\\lpk.dll"), ResultLength=0x0) returned 0x0 [0038.117] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x7fefdd38000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xfdd38000, AllocationBase=0x7fe, AllocationProtect=0xfdd30000, RegionSize=0x7fe, State=0x80, Protect=0xfffff8a0, Type=0x2000), ResultLength=0x0) returned 0x0 [0038.117] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x7fefdd3a000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xfdd3a000, AllocationBase=0x7fe, AllocationProtect=0xfdd30000, RegionSize=0x7fe, State=0x80, Protect=0xfffff8a0, Type=0x1000), ResultLength=0x0) returned 0x0 [0038.117] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x7fefdd3b000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xfdd3b000, AllocationBase=0x7fe, AllocationProtect=0xfdd30000, RegionSize=0x7fe, State=0x80, Protect=0xfffff8a0, Type=0x3000), ResultLength=0x0) returned 0x0 [0038.117] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x7fefdd3e000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xfdd3e000, AllocationBase=0x7fe, AllocationProtect=0x0, RegionSize=0x0, State=0x0, Protect=0xfffff8a0, Type=0x2000), ResultLength=0x0) returned 0x0 [0038.117] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x7fefdd40000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xfdd40000, AllocationBase=0x7fe, AllocationProtect=0xfdd40000, RegionSize=0x7fe, State=0x80, Protect=0xfffff8a0, Type=0x1000), ResultLength=0x0) returned 0x0 [0038.117] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x7fefdd40000, VirtualMemoryInformationClass=0x2, VirtualMemoryInformation=0xb1dfc8, Length=0x2800, ResultLength=0x0 | out: VirtualMemoryInformation=0xb1dfc8*(SectionFileName.Length=0x64, SectionFileName.MaximumLength=0x66, SectionFileName.Buffer="\\Device\\HarddiskVolume1\\Windows\\System32\\imm32.dll"), ResultLength=0x0) returned 0x0 [0038.118] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x7fefdd5d000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xfdd5d000, AllocationBase=0x7fe, AllocationProtect=0xfdd40000, RegionSize=0x7fe, State=0x80, Protect=0xfffff8a0, Type=0x5000), ResultLength=0x0) returned 0x0 [0038.118] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x7fefdd62000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xfdd62000, AllocationBase=0x7fe, AllocationProtect=0xfdd40000, RegionSize=0x7fe, State=0x80, Protect=0xfffff8a0, Type=0x1000), ResultLength=0x0) returned 0x0 [0038.118] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x7fefdd63000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xfdd63000, AllocationBase=0x7fe, AllocationProtect=0xfdd40000, RegionSize=0x7fe, State=0x80, Protect=0xfffff8a0, Type=0x1000), ResultLength=0x0) returned 0x0 [0038.118] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x7fefdd64000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xfdd64000, AllocationBase=0x7fe, AllocationProtect=0xfdd40000, RegionSize=0x7fe, State=0x80, Protect=0xfffff8a0, Type=0xa000), ResultLength=0x0) returned 0x0 [0038.118] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x7fefdd6e000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xfdd6e000, AllocationBase=0x7fe, AllocationProtect=0x0, RegionSize=0x0, State=0x0, Protect=0xfffff8a0, Type=0x182000), ResultLength=0x0) returned 0x0 [0038.118] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x7fefdef0000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xfdef0000, AllocationBase=0x7fe, AllocationProtect=0xfdef0000, RegionSize=0x7fe, State=0x80, Protect=0xfffff8a0, Type=0x1000), ResultLength=0x0) returned 0x0 [0038.118] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x7fefdef0000, VirtualMemoryInformationClass=0x2, VirtualMemoryInformation=0xb1dfc8, Length=0x2800, ResultLength=0x0 | out: VirtualMemoryInformation=0xb1dfc8*(SectionFileName.Length=0x60, SectionFileName.MaximumLength=0x62, SectionFileName.Buffer="\\Device\\HarddiskVolume1\\Windows\\System32\\nsi.dll"), ResultLength=0x0) returned 0x0 [0038.182] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x7fefed62000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xfed62000, AllocationBase=0x7fe, AllocationProtect=0xfed10000, RegionSize=0x7fe, State=0x80, Protect=0xfffff8a0, Type=0xa000), ResultLength=0x0) returned 0x0 [0038.182] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x7fefed6c000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xfed6c000, AllocationBase=0x7fe, AllocationProtect=0xfed10000, RegionSize=0x7fe, State=0x80, Protect=0xfffff8a0, Type=0x1000), ResultLength=0x0) returned 0x0 [0038.182] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x7fefed6d000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xfed6d000, AllocationBase=0x7fe, AllocationProtect=0xfed10000, RegionSize=0x7fe, State=0x80, Protect=0xfffff8a0, Type=0x1000), ResultLength=0x0) returned 0x0 [0038.182] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x7fefed6e000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xfed6e000, AllocationBase=0x7fe, AllocationProtect=0xfed10000, RegionSize=0x7fe, State=0x80, Protect=0xfffff8a0, Type=0x9000), ResultLength=0x0) returned 0x0 [0038.182] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x7fefed77000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xfed77000, AllocationBase=0x7fe, AllocationProtect=0x0, RegionSize=0x0, State=0x0, Protect=0xfffff8a0, Type=0x9000), ResultLength=0x0) returned 0x0 [0038.182] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x7fefed80000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xfed80000, AllocationBase=0x7fe, AllocationProtect=0xfed80000, RegionSize=0x7fe, State=0x80, Protect=0xfffff8a0, Type=0x1000), ResultLength=0x0) returned 0x0 [0038.183] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x7fefed80000, VirtualMemoryInformationClass=0x2, VirtualMemoryInformation=0xb1dfc8, Length=0x2800, ResultLength=0x0 | out: VirtualMemoryInformation=0xb1dfc8*(SectionFileName.Length=0x64, SectionFileName.MaximumLength=0x66, SectionFileName.Buffer="\\Device\\HarddiskVolume1\\Windows\\System32\\msctf.dll"), ResultLength=0x0) returned 0x0 [0038.183] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x7fefee21000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xfee21000, AllocationBase=0x7fe, AllocationProtect=0xfed80000, RegionSize=0x7fe, State=0x80, Protect=0xfffff8a0, Type=0x18000), ResultLength=0x0) returned 0x0 [0038.183] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x7fefee39000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xfee39000, AllocationBase=0x7fe, AllocationProtect=0xfed80000, RegionSize=0x7fe, State=0x80, Protect=0xfffff8a0, Type=0x1000), ResultLength=0x0) returned 0x0 [0038.183] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x7fefee3a000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xfee3a000, AllocationBase=0x7fe, AllocationProtect=0xfed80000, RegionSize=0x7fe, State=0x80, Protect=0xfffff8a0, Type=0x2000), ResultLength=0x0) returned 0x0 [0038.183] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x7fefee3c000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xfee3c000, AllocationBase=0x7fe, AllocationProtect=0xfed80000, RegionSize=0x7fe, State=0x80, Protect=0xfffff8a0, Type=0x4d000), ResultLength=0x0) returned 0x0 [0038.183] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x7fefee89000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xfee89000, AllocationBase=0x7fe, AllocationProtect=0x0, RegionSize=0x0, State=0x0, Protect=0xfffff8a0, Type=0x267000), ResultLength=0x0) returned 0x0 [0038.183] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x7feff0f0000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xff0f0000, AllocationBase=0x7fe, AllocationProtect=0xff0f0000, RegionSize=0x7fe, State=0x80, Protect=0xfffff8a0, Type=0x1000), ResultLength=0x0) returned 0x0 [0038.183] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x7feff0f0000, VirtualMemoryInformationClass=0x2, VirtualMemoryInformation=0xb1dfc8, Length=0x2800, ResultLength=0x0 | out: VirtualMemoryInformation=0xb1dfc8*(SectionFileName.Length=0x6a, SectionFileName.MaximumLength=0x6c, SectionFileName.Buffer="\\Device\\HarddiskVolume1\\Windows\\System32\\advapi32.dll"), ResultLength=0x0) returned 0x0 [0038.183] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x7feff166000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xff166000, AllocationBase=0x7fe, AllocationProtect=0xff0f0000, RegionSize=0x7fe, State=0x80, Protect=0xfffff8a0, Type=0x32000), ResultLength=0x0) returned 0x0 [0038.183] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x7feff198000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xff198000, AllocationBase=0x7fe, AllocationProtect=0xff0f0000, RegionSize=0x7fe, State=0x80, Protect=0xfffff8a0, Type=0x3000), ResultLength=0x0) returned 0x0 [0038.183] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x7feff19b000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xff19b000, AllocationBase=0x7fe, AllocationProtect=0xff0f0000, RegionSize=0x7fe, State=0x80, Protect=0xfffff8a0, Type=0x2000), ResultLength=0x0) returned 0x0 [0038.184] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x7feff19d000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xff19d000, AllocationBase=0x7fe, AllocationProtect=0xff0f0000, RegionSize=0x7fe, State=0x80, Protect=0xfffff8a0, Type=0x2e000), ResultLength=0x0) returned 0x0 [0038.184] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x7feff1cb000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xff1cb000, AllocationBase=0x7fe, AllocationProtect=0x0, RegionSize=0x0, State=0x0, Protect=0xfffff8a0, Type=0x5000), ResultLength=0x0) returned 0x0 [0038.184] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x7feff1d0000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xff1d0000, AllocationBase=0x7fe, AllocationProtect=0xff1d0000, RegionSize=0x7fe, State=0x80, Protect=0xfffff8a0, Type=0x1000), ResultLength=0x0) returned 0x0 [0038.184] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x7feff1d0000, VirtualMemoryInformationClass=0x2, VirtualMemoryInformation=0xb1dfc8, Length=0x2800, ResultLength=0x0 | out: VirtualMemoryInformation=0xb1dfc8*(SectionFileName.Length=0x66, SectionFileName.MaximumLength=0x68, SectionFileName.Buffer="\\Device\\HarddiskVolume1\\Windows\\System32\\rpcrt4.dll"), ResultLength=0x0) returned 0x0 [0038.184] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x7feff2b3000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xff2b3000, AllocationBase=0x7fe, AllocationProtect=0xff1d0000, RegionSize=0x7fe, State=0x80, Protect=0xfffff8a0, Type=0x2c000), ResultLength=0x0) returned 0x0 [0038.184] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x7feff2df000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xff2df000, AllocationBase=0x7fe, AllocationProtect=0xff1d0000, RegionSize=0x7fe, State=0x80, Protect=0xfffff8a0, Type=0x2000), ResultLength=0x0) returned 0x0 [0038.184] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x7feff2e1000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xff2e1000, AllocationBase=0x7fe, AllocationProtect=0xff1d0000, RegionSize=0x7fe, State=0x80, Protect=0xfffff8a0, Type=0x1c000), ResultLength=0x0) returned 0x0 [0038.184] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x7feff2fd000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xff2fd000, AllocationBase=0x7fe, AllocationProtect=0x0, RegionSize=0x0, State=0x0, Protect=0xfffff8a0, Type=0x553000), ResultLength=0x0) returned 0x0 [0038.184] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x7feff850000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xff850000, AllocationBase=0x7fe, AllocationProtect=0xff850000, RegionSize=0x7fe, State=0x80, Protect=0xfffff8a0, Type=0x1000), ResultLength=0x0) returned 0x0 [0038.184] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x7feff850000, VirtualMemoryInformationClass=0x2, VirtualMemoryInformation=0xb1dfc8, Length=0x2800, ResultLength=0x0 | out: VirtualMemoryInformation=0xb1dfc8*(SectionFileName.Length=0x68, SectionFileName.MaximumLength=0x6a, SectionFileName.Buffer="\\Device\\HarddiskVolume1\\Windows\\System32\\sechost.dll"), ResultLength=0x0) returned 0x0 [0038.184] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x7feff869000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xff869000, AllocationBase=0x7fe, AllocationProtect=0xff850000, RegionSize=0x7fe, State=0x80, Protect=0xfffff8a0, Type=0x3000), ResultLength=0x0) returned 0x0 [0038.184] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x7feff86c000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xff86c000, AllocationBase=0x7fe, AllocationProtect=0xff850000, RegionSize=0x7fe, State=0x80, Protect=0xfffff8a0, Type=0x3000), ResultLength=0x0) returned 0x0 [0038.185] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x7feff86f000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xff86f000, AllocationBase=0x7fe, AllocationProtect=0x0, RegionSize=0x0, State=0x0, Protect=0xfffff8a0, Type=0x211000), ResultLength=0x0) returned 0x0 [0038.185] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x7feffa80000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xffa80000, AllocationBase=0x7fe, AllocationProtect=0xffa80000, RegionSize=0x7fe, State=0x80, Protect=0xfffff8a0, Type=0x1000), ResultLength=0x0) returned 0x0 [0038.185] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x7feffa80000, VirtualMemoryInformationClass=0x2, VirtualMemoryInformation=0xb1dfc8, Length=0x2800, ResultLength=0x0 | out: VirtualMemoryInformation=0xb1dfc8*(SectionFileName.Length=0x66, SectionFileName.MaximumLength=0x68, SectionFileName.Buffer="\\Device\\HarddiskVolume1\\Windows\\System32\\msvcrt.dll"), ResultLength=0x0) returned 0x0 [0038.185] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x7feffafa000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xffafa000, AllocationBase=0x7fe, AllocationProtect=0xffa80000, RegionSize=0x7fe, State=0x80, Protect=0xfffff8a0, Type=0x17000), ResultLength=0x0) returned 0x0 [0038.185] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x7feffb11000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xffb11000, AllocationBase=0x7fe, AllocationProtect=0xffa80000, RegionSize=0x7fe, State=0x80, Protect=0xfffff8a0, Type=0x2000), ResultLength=0x0) returned 0x0 [0038.185] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x7feffb13000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xffb13000, AllocationBase=0x7fe, AllocationProtect=0xffa80000, RegionSize=0x7fe, State=0x80, Protect=0xfffff8a0, Type=0x1000), ResultLength=0x0) returned 0x0 [0038.185] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x7feffb14000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xffb14000, AllocationBase=0x7fe, AllocationProtect=0xffa80000, RegionSize=0x7fe, State=0x80, Protect=0xfffff8a0, Type=0x1000), ResultLength=0x0) returned 0x0 [0038.185] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x7feffb15000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xffb15000, AllocationBase=0x7fe, AllocationProtect=0xffa80000, RegionSize=0x7fe, State=0x80, Protect=0xfffff8a0, Type=0x2000), ResultLength=0x0) returned 0x0 [0038.185] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x7feffb17000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xffb17000, AllocationBase=0x7fe, AllocationProtect=0xffa80000, RegionSize=0x7fe, State=0x80, Protect=0xfffff8a0, Type=0x8000), ResultLength=0x0) returned 0x0 [0038.185] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x7feffb1f000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xffb1f000, AllocationBase=0x7fe, AllocationProtect=0x0, RegionSize=0x0, State=0x0, Protect=0xfffff8a0, Type=0x1000), ResultLength=0x0) returned 0x0 [0038.185] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x7feffb20000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xffb20000, AllocationBase=0x7fe, AllocationProtect=0xffb20000, RegionSize=0x7fe, State=0x80, Protect=0xfffff8a0, Type=0x1000), ResultLength=0x0) returned 0x0 [0038.185] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x7feffb20000, VirtualMemoryInformationClass=0x2, VirtualMemoryInformation=0xb1dfc8, Length=0x2800, ResultLength=0x0 | out: VirtualMemoryInformation=0xb1dfc8*(SectionFileName.Length=0x66, SectionFileName.MaximumLength=0x68, SectionFileName.Buffer="\\Device\\HarddiskVolume1\\Windows\\System32\\ws2_32.dll"), ResultLength=0x0) returned 0x0 [0038.186] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x7feffb51000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xffb51000, AllocationBase=0x7fe, AllocationProtect=0xffb20000, RegionSize=0x7fe, State=0x80, Protect=0xfffff8a0, Type=0xb000), ResultLength=0x0) returned 0x0 [0038.186] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x7feffb5c000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xffb5c000, AllocationBase=0x7fe, AllocationProtect=0xffb20000, RegionSize=0x7fe, State=0x80, Protect=0xfffff8a0, Type=0x1000), ResultLength=0x0) returned 0x0 [0038.186] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x7feffb5d000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xffb5d000, AllocationBase=0x7fe, AllocationProtect=0xffb20000, RegionSize=0x7fe, State=0x80, Protect=0xfffff8a0, Type=0x10000), ResultLength=0x0) returned 0x0 [0038.186] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x7feffb6d000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xffb6d000, AllocationBase=0x7fe, AllocationProtect=0x0, RegionSize=0x0, State=0x0, Protect=0xfffff8a0, Type=0x13000), ResultLength=0x0) returned 0x0 [0038.186] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x7feffb80000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0xffb80000, AllocationBase=0x7fe, AllocationProtect=0xffb80000, RegionSize=0x7fe, State=0x80, Protect=0xfffff8a0, Type=0x1000), ResultLength=0x0) returned 0x0 [0038.186] NtQueryVirtualMemory (in: ProcessHandle=0x188, Address=0x7feffb80000, VirtualMemoryInformationClass=0x2, VirtualMemoryInformation=0xb1dfc8, Length=0x2800, ResultLength=0x0 | out: VirtualMemoryInformation=0xb1dfc8*(SectionFileName.Length=0x72, SectionFileName.MaximumLength=0x74, SectionFileName.Buffer="\\Device\\HarddiskVolume1\\Windows\\System32\\apisetschema.dll"), ResultLength=0x0) returned 0x0 [0038.186] GetProcessImageFileNameW (in: hProcess=0x18c, lpImageFileName=0xb227d0, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Windows\\System32\\csrss.exe") returned 0x32 [0038.186] GetProcessTimes (in: hProcess=0x18c, lpCreationTime=0x151f58c, lpExitTime=0x151f584, lpKernelTime=0x151f584, lpUserTime=0x151f584 | out: lpCreationTime=0x151f58c, lpExitTime=0x151f584, lpKernelTime=0x151f584, lpUserTime=0x151f584) returned 1 [0038.186] OpenProcessToken (in: ProcessHandle=0x18c, DesiredAccess=0x8, TokenHandle=0x151f554 | out: TokenHandle=0x151f554*=0x240) returned 1 [0038.186] GetTokenInformation (in: TokenHandle=0x240, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f550 | out: TokenInformation=0x0, ReturnLength=0x151f550) returned 0 [0038.186] GetTokenInformation (in: TokenHandle=0x240, TokenInformationClass=0x19, TokenInformation=0xadca60, TokenInformationLength=0x14, ReturnLength=0x151f550 | out: TokenInformation=0xadca60, ReturnLength=0x151f550) returned 1 [0038.186] GetSidSubAuthorityCount (pSid=0xadca68*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000)) returned 0xadca69 [0038.186] GetSidSubAuthority (pSid=0xadca68*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000), nSubAuthority=0x0) returned 0xadca70 [0038.192] NtQueryVirtualMemory (in: ProcessHandle=0x18c, Address=0x776c2000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0x776c2000, AllocationBase=0x0, AllocationProtect=0x77640000, RegionSize=0x0, State=0x80, Protect=0xfffff8a0, Type=0x10000), ResultLength=0x0) returned 0x0 [0038.192] NtQueryVirtualMemory (in: ProcessHandle=0x18c, Address=0x776d2000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0x776d2000, AllocationBase=0x0, AllocationProtect=0x77640000, RegionSize=0x0, State=0x80, Protect=0xfffff8a0, Type=0x2000), ResultLength=0x0) returned 0x0 [0038.192] NtQueryVirtualMemory (in: ProcessHandle=0x18c, Address=0x776d4000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0x776d4000, AllocationBase=0x0, AllocationProtect=0x77640000, RegionSize=0x0, State=0x80, Protect=0xfffff8a0, Type=0x66000), ResultLength=0x0) returned 0x0 [0038.192] NtQueryVirtualMemory (in: ProcessHandle=0x18c, Address=0x7773a000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0x7773a000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x0, State=0x0, Protect=0xfffff8a0, Type=0x6000), ResultLength=0x0) returned 0x0 [0038.192] NtQueryVirtualMemory (in: ProcessHandle=0x18c, Address=0x77740000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0x77740000, AllocationBase=0x0, AllocationProtect=0x77740000, RegionSize=0x0, State=0x80, Protect=0xfffff8a0, Type=0x1000), ResultLength=0x0) returned 0x0 [0038.193] NtQueryVirtualMemory (in: ProcessHandle=0x18c, Address=0x77740000, VirtualMemoryInformationClass=0x2, VirtualMemoryInformation=0xb1dfc8, Length=0x2800, ResultLength=0x0 | out: VirtualMemoryInformation=0xb1dfc8*(SectionFileName.Length=0x6a, SectionFileName.MaximumLength=0x6c, SectionFileName.Buffer="\\Device\\HarddiskVolume1\\Windows\\System32\\kernel32.dll"), ResultLength=0x0) returned 0x0 [0038.193] NtQueryVirtualMemory (in: ProcessHandle=0x18c, Address=0x777dc000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0x777dc000, AllocationBase=0x0, AllocationProtect=0x77740000, RegionSize=0x0, State=0x80, Protect=0xfffff8a0, Type=0x6e000), ResultLength=0x0) returned 0x0 [0038.193] NtQueryVirtualMemory (in: ProcessHandle=0x18c, Address=0x7784a000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0x7784a000, AllocationBase=0x0, AllocationProtect=0x77740000, RegionSize=0x0, State=0x80, Protect=0xfffff8a0, Type=0x2000), ResultLength=0x0) returned 0x0 [0038.193] NtQueryVirtualMemory (in: ProcessHandle=0x18c, Address=0x7784c000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0x7784c000, AllocationBase=0x0, AllocationProtect=0x77740000, RegionSize=0x0, State=0x80, Protect=0xfffff8a0, Type=0x13000), ResultLength=0x0) returned 0x0 [0038.193] NtQueryVirtualMemory (in: ProcessHandle=0x18c, Address=0x7785f000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0x7785f000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0x0, State=0x0, Protect=0xfffff8a0, Type=0x1000), ResultLength=0x0) returned 0x0 [0038.193] NtQueryVirtualMemory (in: ProcessHandle=0x18c, Address=0x77860000, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0xb36120, Length=0x30, ResultLength=0x0 | out: VirtualMemoryInformation=0xb36120*(BaseAddress=0x77860000, AllocationBase=0x0, AllocationProtect=0x77860000, RegionSize=0x0, State=0x80, Protect=0xfffff8a0, Type=0x1000), ResultLength=0x0) returned 0x0 [0038.198] GetProcessImageFileNameW (in: hProcess=0x190, lpImageFileName=0xb22fd0, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Windows\\System32\\winlogon.exe") returned 0x35 [0038.198] GetProcessTimes (in: hProcess=0x190, lpCreationTime=0x151f58c, lpExitTime=0x151f584, lpKernelTime=0x151f584, lpUserTime=0x151f584 | out: lpCreationTime=0x151f58c, lpExitTime=0x151f584, lpKernelTime=0x151f584, lpUserTime=0x151f584) returned 1 [0038.198] OpenProcessToken (in: ProcessHandle=0x190, DesiredAccess=0x8, TokenHandle=0x151f554 | out: TokenHandle=0x151f554*=0x240) returned 1 [0038.198] GetTokenInformation (in: TokenHandle=0x240, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f550 | out: TokenInformation=0x0, ReturnLength=0x151f550) returned 0 [0038.199] GetTokenInformation (in: TokenHandle=0x240, TokenInformationClass=0x19, TokenInformation=0xadca60, TokenInformationLength=0x14, ReturnLength=0x151f550 | out: TokenInformation=0xadca60, ReturnLength=0x151f550) returned 1 [0038.199] GetSidSubAuthorityCount (pSid=0xadca68*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000)) returned 0xadca69 [0038.199] GetSidSubAuthority (pSid=0xadca68*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000), nSubAuthority=0x0) returned 0xadca70 [0038.212] GetProcessImageFileNameW (in: hProcess=0x194, lpImageFileName=0xb25c18, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Windows\\System32\\services.exe") returned 0x35 [0038.212] GetProcessTimes (in: hProcess=0x194, lpCreationTime=0x151f58c, lpExitTime=0x151f584, lpKernelTime=0x151f584, lpUserTime=0x151f584 | out: lpCreationTime=0x151f58c, lpExitTime=0x151f584, lpKernelTime=0x151f584, lpUserTime=0x151f584) returned 1 [0038.212] OpenProcessToken (in: ProcessHandle=0x194, DesiredAccess=0x8, TokenHandle=0x151f554 | out: TokenHandle=0x151f554*=0x240) returned 1 [0038.212] GetTokenInformation (in: TokenHandle=0x240, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f550 | out: TokenInformation=0x0, ReturnLength=0x151f550) returned 0 [0038.212] GetTokenInformation (in: TokenHandle=0x240, TokenInformationClass=0x19, TokenInformation=0xadca60, TokenInformationLength=0x14, ReturnLength=0x151f550 | out: TokenInformation=0xadca60, ReturnLength=0x151f550) returned 1 [0038.213] GetSidSubAuthorityCount (pSid=0xadca68*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000)) returned 0xadca69 [0038.213] GetSidSubAuthority (pSid=0xadca68*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000), nSubAuthority=0x0) returned 0xadca70 [0038.295] GetProcessImageFileNameW (in: hProcess=0x198, lpImageFileName=0xb25c18, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Windows\\System32\\lsass.exe") returned 0x32 [0038.295] GetProcessTimes (in: hProcess=0x198, lpCreationTime=0x151f58c, lpExitTime=0x151f584, lpKernelTime=0x151f584, lpUserTime=0x151f584 | out: lpCreationTime=0x151f58c, lpExitTime=0x151f584, lpKernelTime=0x151f584, lpUserTime=0x151f584) returned 1 [0038.295] OpenProcessToken (in: ProcessHandle=0x198, DesiredAccess=0x8, TokenHandle=0x151f554 | out: TokenHandle=0x151f554*=0x240) returned 1 [0038.295] GetTokenInformation (in: TokenHandle=0x240, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f550 | out: TokenInformation=0x0, ReturnLength=0x151f550) returned 0 [0038.296] GetTokenInformation (in: TokenHandle=0x240, TokenInformationClass=0x19, TokenInformation=0xadca60, TokenInformationLength=0x14, ReturnLength=0x151f550 | out: TokenInformation=0xadca60, ReturnLength=0x151f550) returned 1 [0038.296] GetSidSubAuthorityCount (pSid=0xadca68*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000)) returned 0xadca69 [0038.296] GetSidSubAuthority (pSid=0xadca68*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000), nSubAuthority=0x0) returned 0xadca70 [0038.319] GetProcessImageFileNameW (in: hProcess=0x19c, lpImageFileName=0xb291e0, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Windows\\System32\\lsm.exe") returned 0x30 [0038.320] GetProcessTimes (in: hProcess=0x19c, lpCreationTime=0x151f58c, lpExitTime=0x151f584, lpKernelTime=0x151f584, lpUserTime=0x151f584 | out: lpCreationTime=0x151f58c, lpExitTime=0x151f584, lpKernelTime=0x151f584, lpUserTime=0x151f584) returned 1 [0038.320] OpenProcessToken (in: ProcessHandle=0x19c, DesiredAccess=0x8, TokenHandle=0x151f554 | out: TokenHandle=0x151f554*=0x240) returned 1 [0038.320] GetTokenInformation (in: TokenHandle=0x240, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f550 | out: TokenInformation=0x0, ReturnLength=0x151f550) returned 0 [0038.320] GetTokenInformation (in: TokenHandle=0x240, TokenInformationClass=0x19, TokenInformation=0xadca60, TokenInformationLength=0x14, ReturnLength=0x151f550 | out: TokenInformation=0xadca60, ReturnLength=0x151f550) returned 1 [0038.320] GetSidSubAuthorityCount (pSid=0xadca68*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000)) returned 0xadca69 [0038.320] GetSidSubAuthority (pSid=0xadca68*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000), nSubAuthority=0x0) returned 0xadca70 [0038.375] GetProcessImageFileNameW (in: hProcess=0x1a0, lpImageFileName=0xb2b828, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Windows\\System32\\svchost.exe") returned 0x34 [0038.375] GetProcessTimes (in: hProcess=0x1a0, lpCreationTime=0x151f58c, lpExitTime=0x151f584, lpKernelTime=0x151f584, lpUserTime=0x151f584 | out: lpCreationTime=0x151f58c, lpExitTime=0x151f584, lpKernelTime=0x151f584, lpUserTime=0x151f584) returned 1 [0038.375] OpenProcessToken (in: ProcessHandle=0x1a0, DesiredAccess=0x8, TokenHandle=0x151f554 | out: TokenHandle=0x151f554*=0x240) returned 1 [0038.375] GetTokenInformation (in: TokenHandle=0x240, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f550 | out: TokenInformation=0x0, ReturnLength=0x151f550) returned 0 [0038.375] GetTokenInformation (in: TokenHandle=0x240, TokenInformationClass=0x19, TokenInformation=0xadca60, TokenInformationLength=0x14, ReturnLength=0x151f550 | out: TokenInformation=0xadca60, ReturnLength=0x151f550) returned 1 [0038.375] GetSidSubAuthorityCount (pSid=0xadca68*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000)) returned 0xadca69 [0038.375] GetSidSubAuthority (pSid=0xadca68*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000), nSubAuthority=0x0) returned 0xadca70 [0038.397] GetProcessImageFileNameW (in: hProcess=0x1a4, lpImageFileName=0xb41fd8, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Windows\\System32\\svchost.exe") returned 0x34 [0038.397] GetProcessTimes (in: hProcess=0x1a4, lpCreationTime=0x151f58c, lpExitTime=0x151f584, lpKernelTime=0x151f584, lpUserTime=0x151f584 | out: lpCreationTime=0x151f58c, lpExitTime=0x151f584, lpKernelTime=0x151f584, lpUserTime=0x151f584) returned 1 [0038.397] OpenProcessToken (in: ProcessHandle=0x1a4, DesiredAccess=0x8, TokenHandle=0x151f554 | out: TokenHandle=0x151f554*=0x240) returned 1 [0038.397] GetTokenInformation (in: TokenHandle=0x240, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f550 | out: TokenInformation=0x0, ReturnLength=0x151f550) returned 0 [0038.397] GetTokenInformation (in: TokenHandle=0x240, TokenInformationClass=0x19, TokenInformation=0xadca60, TokenInformationLength=0x14, ReturnLength=0x151f550 | out: TokenInformation=0xadca60, ReturnLength=0x151f550) returned 1 [0038.397] GetSidSubAuthorityCount (pSid=0xadca68*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000)) returned 0xadca69 [0038.397] GetSidSubAuthority (pSid=0xadca68*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000), nSubAuthority=0x0) returned 0xadca70 [0038.412] GetProcessImageFileNameW (in: hProcess=0x1a8, lpImageFileName=0xb427a0, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Windows\\System32\\svchost.exe") returned 0x34 [0038.412] GetProcessTimes (in: hProcess=0x1a8, lpCreationTime=0x151f58c, lpExitTime=0x151f584, lpKernelTime=0x151f584, lpUserTime=0x151f584 | out: lpCreationTime=0x151f58c, lpExitTime=0x151f584, lpKernelTime=0x151f584, lpUserTime=0x151f584) returned 1 [0038.412] OpenProcessToken (in: ProcessHandle=0x1a8, DesiredAccess=0x8, TokenHandle=0x151f554 | out: TokenHandle=0x151f554*=0x240) returned 1 [0038.412] GetTokenInformation (in: TokenHandle=0x240, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f550 | out: TokenInformation=0x0, ReturnLength=0x151f550) returned 0 [0038.412] GetTokenInformation (in: TokenHandle=0x240, TokenInformationClass=0x19, TokenInformation=0xadca60, TokenInformationLength=0x14, ReturnLength=0x151f550 | out: TokenInformation=0xadca60, ReturnLength=0x151f550) returned 1 [0038.412] GetSidSubAuthorityCount (pSid=0xadca68*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000)) returned 0xadca69 [0038.412] GetSidSubAuthority (pSid=0xadca68*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000), nSubAuthority=0x0) returned 0xadca70 [0038.484] GetProcessImageFileNameW (in: hProcess=0x1ac, lpImageFileName=0xb44fa8, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Windows\\System32\\svchost.exe") returned 0x34 [0038.484] GetProcessTimes (in: hProcess=0x1ac, lpCreationTime=0x151f58c, lpExitTime=0x151f584, lpKernelTime=0x151f584, lpUserTime=0x151f584 | out: lpCreationTime=0x151f58c, lpExitTime=0x151f584, lpKernelTime=0x151f584, lpUserTime=0x151f584) returned 1 [0038.484] OpenProcessToken (in: ProcessHandle=0x1ac, DesiredAccess=0x8, TokenHandle=0x151f554 | out: TokenHandle=0x151f554*=0x240) returned 1 [0038.484] GetTokenInformation (in: TokenHandle=0x240, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f550 | out: TokenInformation=0x0, ReturnLength=0x151f550) returned 0 [0038.484] GetTokenInformation (in: TokenHandle=0x240, TokenInformationClass=0x19, TokenInformation=0xadca60, TokenInformationLength=0x14, ReturnLength=0x151f550 | out: TokenInformation=0xadca60, ReturnLength=0x151f550) returned 1 [0038.484] GetSidSubAuthorityCount (pSid=0xadca68*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000)) returned 0xadca69 [0038.484] GetSidSubAuthority (pSid=0xadca68*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000), nSubAuthority=0x0) returned 0xadca70 [0038.566] GetProcessImageFileNameW (in: hProcess=0x1b0, lpImageFileName=0xb44fa8, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Windows\\System32\\svchost.exe") returned 0x34 [0038.566] GetProcessTimes (in: hProcess=0x1b0, lpCreationTime=0x151f58c, lpExitTime=0x151f584, lpKernelTime=0x151f584, lpUserTime=0x151f584 | out: lpCreationTime=0x151f58c, lpExitTime=0x151f584, lpKernelTime=0x151f584, lpUserTime=0x151f584) returned 1 [0038.566] OpenProcessToken (in: ProcessHandle=0x1b0, DesiredAccess=0x8, TokenHandle=0x151f554 | out: TokenHandle=0x151f554*=0x240) returned 1 [0038.566] GetTokenInformation (in: TokenHandle=0x240, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f550 | out: TokenInformation=0x0, ReturnLength=0x151f550) returned 0 [0038.566] GetTokenInformation (in: TokenHandle=0x240, TokenInformationClass=0x19, TokenInformation=0xadca60, TokenInformationLength=0x14, ReturnLength=0x151f550 | out: TokenInformation=0xadca60, ReturnLength=0x151f550) returned 1 [0038.566] GetSidSubAuthorityCount (pSid=0xadca68*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000)) returned 0xadca69 [0038.566] GetSidSubAuthority (pSid=0xadca68*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000), nSubAuthority=0x0) returned 0xadca70 [0038.675] GetProcessImageFileNameW (in: hProcess=0x1b4, lpImageFileName=0xb4e5d8, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Windows\\System32\\svchost.exe") returned 0x34 [0038.676] GetProcessTimes (in: hProcess=0x1b4, lpCreationTime=0x151f58c, lpExitTime=0x151f584, lpKernelTime=0x151f584, lpUserTime=0x151f584 | out: lpCreationTime=0x151f58c, lpExitTime=0x151f584, lpKernelTime=0x151f584, lpUserTime=0x151f584) returned 1 [0038.676] OpenProcessToken (in: ProcessHandle=0x1b4, DesiredAccess=0x8, TokenHandle=0x151f554 | out: TokenHandle=0x151f554*=0x240) returned 1 [0038.676] GetTokenInformation (in: TokenHandle=0x240, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f550 | out: TokenInformation=0x0, ReturnLength=0x151f550) returned 0 [0038.676] GetTokenInformation (in: TokenHandle=0x240, TokenInformationClass=0x19, TokenInformation=0xadca60, TokenInformationLength=0x14, ReturnLength=0x151f550 | out: TokenInformation=0xadca60, ReturnLength=0x151f550) returned 1 [0038.676] GetSidSubAuthorityCount (pSid=0xadca68*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000)) returned 0xadca69 [0038.676] GetSidSubAuthority (pSid=0xadca68*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000), nSubAuthority=0x0) returned 0xadca70 [0038.746] GetProcessImageFileNameW (in: hProcess=0x1b8, lpImageFileName=0xb54b30, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Windows\\System32\\svchost.exe") returned 0x34 [0038.746] GetProcessTimes (in: hProcess=0x1b8, lpCreationTime=0x151f58c, lpExitTime=0x151f584, lpKernelTime=0x151f584, lpUserTime=0x151f584 | out: lpCreationTime=0x151f58c, lpExitTime=0x151f584, lpKernelTime=0x151f584, lpUserTime=0x151f584) returned 1 [0038.746] OpenProcessToken (in: ProcessHandle=0x1b8, DesiredAccess=0x8, TokenHandle=0x151f554 | out: TokenHandle=0x151f554*=0x240) returned 1 [0038.746] GetTokenInformation (in: TokenHandle=0x240, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f550 | out: TokenInformation=0x0, ReturnLength=0x151f550) returned 0 [0038.746] GetTokenInformation (in: TokenHandle=0x240, TokenInformationClass=0x19, TokenInformation=0xadca60, TokenInformationLength=0x14, ReturnLength=0x151f550 | out: TokenInformation=0xadca60, ReturnLength=0x151f550) returned 1 [0038.746] GetSidSubAuthorityCount (pSid=0xadca68*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000)) returned 0xadca69 [0038.747] GetSidSubAuthority (pSid=0xadca68*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000), nSubAuthority=0x0) returned 0xadca70 [0038.778] GetProcessImageFileNameW (in: hProcess=0x1bc, lpImageFileName=0xb49140, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Windows\\System32\\dwm.exe") returned 0x30 [0038.778] GetProcessTimes (in: hProcess=0x1bc, lpCreationTime=0x151f58c, lpExitTime=0x151f584, lpKernelTime=0x151f584, lpUserTime=0x151f584 | out: lpCreationTime=0x151f58c, lpExitTime=0x151f584, lpKernelTime=0x151f584, lpUserTime=0x151f584) returned 1 [0038.778] OpenProcessToken (in: ProcessHandle=0x1bc, DesiredAccess=0x8, TokenHandle=0x151f554 | out: TokenHandle=0x151f554*=0x240) returned 1 [0038.778] GetTokenInformation (in: TokenHandle=0x240, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f550 | out: TokenInformation=0x0, ReturnLength=0x151f550) returned 0 [0038.778] GetTokenInformation (in: TokenHandle=0x240, TokenInformationClass=0x19, TokenInformation=0xadca60, TokenInformationLength=0x14, ReturnLength=0x151f550 | out: TokenInformation=0xadca60, ReturnLength=0x151f550) returned 1 [0038.778] GetSidSubAuthorityCount (pSid=0xadca68*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xadca69 [0038.779] GetSidSubAuthority (pSid=0xadca68*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xadca70 [0038.828] GetProcessImageFileNameW (in: hProcess=0x1c0, lpImageFileName=0xb49140, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Windows\\explorer.exe") returned 0x2c [0038.828] GetProcessTimes (in: hProcess=0x1c0, lpCreationTime=0x151f58c, lpExitTime=0x151f584, lpKernelTime=0x151f584, lpUserTime=0x151f584 | out: lpCreationTime=0x151f58c, lpExitTime=0x151f584, lpKernelTime=0x151f584, lpUserTime=0x151f584) returned 1 [0038.828] OpenProcessToken (in: ProcessHandle=0x1c0, DesiredAccess=0x8, TokenHandle=0x151f554 | out: TokenHandle=0x151f554*=0x240) returned 1 [0038.828] GetTokenInformation (in: TokenHandle=0x240, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f550 | out: TokenInformation=0x0, ReturnLength=0x151f550) returned 0 [0038.828] GetTokenInformation (in: TokenHandle=0x240, TokenInformationClass=0x19, TokenInformation=0xadca60, TokenInformationLength=0x14, ReturnLength=0x151f550 | out: TokenInformation=0xadca60, ReturnLength=0x151f550) returned 1 [0038.829] GetSidSubAuthorityCount (pSid=0xadca68*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xadca69 [0038.829] GetSidSubAuthority (pSid=0xadca68*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xadca70 [0039.321] GetProcessImageFileNameW (in: hProcess=0x1c4, lpImageFileName=0xb49140, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Windows\\System32\\spoolsv.exe") returned 0x34 [0039.321] GetProcessTimes (in: hProcess=0x1c4, lpCreationTime=0x151f58c, lpExitTime=0x151f584, lpKernelTime=0x151f584, lpUserTime=0x151f584 | out: lpCreationTime=0x151f58c, lpExitTime=0x151f584, lpKernelTime=0x151f584, lpUserTime=0x151f584) returned 1 [0039.321] OpenProcessToken (in: ProcessHandle=0x1c4, DesiredAccess=0x8, TokenHandle=0x151f554 | out: TokenHandle=0x151f554*=0x240) returned 1 [0039.321] GetTokenInformation (in: TokenHandle=0x240, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f550 | out: TokenInformation=0x0, ReturnLength=0x151f550) returned 0 [0039.321] GetTokenInformation (in: TokenHandle=0x240, TokenInformationClass=0x19, TokenInformation=0xadca60, TokenInformationLength=0x14, ReturnLength=0x151f550 | out: TokenInformation=0xadca60, ReturnLength=0x151f550) returned 1 [0039.321] GetSidSubAuthorityCount (pSid=0xadca68*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000)) returned 0xadca69 [0039.322] GetSidSubAuthority (pSid=0xadca68*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000), nSubAuthority=0x0) returned 0xadca70 [0039.335] GetProcessImageFileNameW (in: hProcess=0x1c8, lpImageFileName=0xb49140, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Windows\\System32\\taskhost.exe") returned 0x35 [0039.335] GetProcessTimes (in: hProcess=0x1c8, lpCreationTime=0x151f58c, lpExitTime=0x151f584, lpKernelTime=0x151f584, lpUserTime=0x151f584 | out: lpCreationTime=0x151f58c, lpExitTime=0x151f584, lpKernelTime=0x151f584, lpUserTime=0x151f584) returned 1 [0039.335] OpenProcessToken (in: ProcessHandle=0x1c8, DesiredAccess=0x8, TokenHandle=0x151f554 | out: TokenHandle=0x151f554*=0x240) returned 1 [0039.335] GetTokenInformation (in: TokenHandle=0x240, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f550 | out: TokenInformation=0x0, ReturnLength=0x151f550) returned 0 [0039.335] GetTokenInformation (in: TokenHandle=0x240, TokenInformationClass=0x19, TokenInformation=0xadca60, TokenInformationLength=0x14, ReturnLength=0x151f550 | out: TokenInformation=0xadca60, ReturnLength=0x151f550) returned 1 [0039.335] GetSidSubAuthorityCount (pSid=0xadca68*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xadca69 [0039.335] GetSidSubAuthority (pSid=0xadca68*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xadca70 [0039.354] GetProcessImageFileNameW (in: hProcess=0x1cc, lpImageFileName=0xb49140, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Windows\\System32\\svchost.exe") returned 0x34 [0039.354] GetProcessTimes (in: hProcess=0x1cc, lpCreationTime=0x151f58c, lpExitTime=0x151f584, lpKernelTime=0x151f584, lpUserTime=0x151f584 | out: lpCreationTime=0x151f58c, lpExitTime=0x151f584, lpKernelTime=0x151f584, lpUserTime=0x151f584) returned 1 [0039.354] OpenProcessToken (in: ProcessHandle=0x1cc, DesiredAccess=0x8, TokenHandle=0x151f554 | out: TokenHandle=0x151f554*=0x240) returned 1 [0039.355] GetTokenInformation (in: TokenHandle=0x240, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f550 | out: TokenInformation=0x0, ReturnLength=0x151f550) returned 0 [0039.355] GetTokenInformation (in: TokenHandle=0x240, TokenInformationClass=0x19, TokenInformation=0xadca60, TokenInformationLength=0x14, ReturnLength=0x151f550 | out: TokenInformation=0xadca60, ReturnLength=0x151f550) returned 1 [0039.355] GetSidSubAuthorityCount (pSid=0xadca68*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000)) returned 0xadca69 [0039.355] GetSidSubAuthority (pSid=0xadca68*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000), nSubAuthority=0x0) returned 0xadca70 [0039.436] GetProcessImageFileNameW (in: hProcess=0x1d0, lpImageFileName=0xb49140, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Windows\\System32\\taskeng.exe") returned 0x34 [0039.436] GetProcessTimes (in: hProcess=0x1d0, lpCreationTime=0x151f58c, lpExitTime=0x151f584, lpKernelTime=0x151f584, lpUserTime=0x151f584 | out: lpCreationTime=0x151f58c, lpExitTime=0x151f584, lpKernelTime=0x151f584, lpUserTime=0x151f584) returned 1 [0039.436] OpenProcessToken (in: ProcessHandle=0x1d0, DesiredAccess=0x8, TokenHandle=0x151f554 | out: TokenHandle=0x151f554*=0x240) returned 1 [0039.436] GetTokenInformation (in: TokenHandle=0x240, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f550 | out: TokenInformation=0x0, ReturnLength=0x151f550) returned 0 [0039.436] GetTokenInformation (in: TokenHandle=0x240, TokenInformationClass=0x19, TokenInformation=0xadca60, TokenInformationLength=0x14, ReturnLength=0x151f550 | out: TokenInformation=0xadca60, ReturnLength=0x151f550) returned 1 [0039.436] GetSidSubAuthorityCount (pSid=0xadca68*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x3000)) returned 0xadca69 [0039.436] GetSidSubAuthority (pSid=0xadca68*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x3000), nSubAuthority=0x0) returned 0xadca70 [0039.447] GetProcessImageFileNameW (in: hProcess=0x1d4, lpImageFileName=0xb49140, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Windows\\System32\\taskhost.exe") returned 0x35 [0039.447] GetProcessTimes (in: hProcess=0x1d4, lpCreationTime=0x151f58c, lpExitTime=0x151f584, lpKernelTime=0x151f584, lpUserTime=0x151f584 | out: lpCreationTime=0x151f58c, lpExitTime=0x151f584, lpKernelTime=0x151f584, lpUserTime=0x151f584) returned 1 [0039.447] OpenProcessToken (in: ProcessHandle=0x1d4, DesiredAccess=0x8, TokenHandle=0x151f554 | out: TokenHandle=0x151f554*=0x240) returned 1 [0039.447] GetTokenInformation (in: TokenHandle=0x240, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f550 | out: TokenInformation=0x0, ReturnLength=0x151f550) returned 0 [0039.447] GetTokenInformation (in: TokenHandle=0x240, TokenInformationClass=0x19, TokenInformation=0xadca60, TokenInformationLength=0x14, ReturnLength=0x151f550 | out: TokenInformation=0xadca60, ReturnLength=0x151f550) returned 1 [0039.447] GetSidSubAuthorityCount (pSid=0xadca68*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000)) returned 0xadca69 [0039.447] GetSidSubAuthority (pSid=0xadca68*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000), nSubAuthority=0x0) returned 0xadca70 [0039.516] GetProcessImageFileNameW (in: hProcess=0x1d8, lpImageFileName=0xb49140, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Program Files\\Microsoft Sync Framework\\connectionsdecade.exe") returned 0x54 [0039.516] GetProcessTimes (in: hProcess=0x1d8, lpCreationTime=0x151f58c, lpExitTime=0x151f584, lpKernelTime=0x151f584, lpUserTime=0x151f584 | out: lpCreationTime=0x151f58c, lpExitTime=0x151f584, lpKernelTime=0x151f584, lpUserTime=0x151f584) returned 1 [0039.516] OpenProcessToken (in: ProcessHandle=0x1d8, DesiredAccess=0x8, TokenHandle=0x151f554 | out: TokenHandle=0x151f554*=0x240) returned 1 [0039.516] GetTokenInformation (in: TokenHandle=0x240, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f550 | out: TokenInformation=0x0, ReturnLength=0x151f550) returned 0 [0039.516] GetTokenInformation (in: TokenHandle=0x240, TokenInformationClass=0x19, TokenInformation=0xadca60, TokenInformationLength=0x14, ReturnLength=0x151f550 | out: TokenInformation=0xadca60, ReturnLength=0x151f550) returned 1 [0039.516] GetSidSubAuthorityCount (pSid=0xadca68*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xadca69 [0039.516] GetSidSubAuthority (pSid=0xadca68*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xadca70 [0039.525] GetProcessImageFileNameW (in: hProcess=0x1dc, lpImageFileName=0xb49140, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Program Files (x86)\\Reference Assemblies\\spectrum fs.exe") returned 0x50 [0039.525] GetProcessTimes (in: hProcess=0x1dc, lpCreationTime=0x151f58c, lpExitTime=0x151f584, lpKernelTime=0x151f584, lpUserTime=0x151f584 | out: lpCreationTime=0x151f58c, lpExitTime=0x151f584, lpKernelTime=0x151f584, lpUserTime=0x151f584) returned 1 [0039.525] OpenProcessToken (in: ProcessHandle=0x1dc, DesiredAccess=0x8, TokenHandle=0x151f554 | out: TokenHandle=0x151f554*=0x240) returned 1 [0039.525] GetTokenInformation (in: TokenHandle=0x240, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f550 | out: TokenInformation=0x0, ReturnLength=0x151f550) returned 0 [0039.525] GetTokenInformation (in: TokenHandle=0x240, TokenInformationClass=0x19, TokenInformation=0xadca60, TokenInformationLength=0x14, ReturnLength=0x151f550 | out: TokenInformation=0xadca60, ReturnLength=0x151f550) returned 1 [0039.525] GetSidSubAuthorityCount (pSid=0xadca68*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xadca69 [0039.525] GetSidSubAuthority (pSid=0xadca68*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xadca70 [0039.533] GetProcessImageFileNameW (in: hProcess=0x1e0, lpImageFileName=0xb49140, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Program Files (x86)\\Common Files\\amounts_under.exe") returned 0x4a [0039.533] GetProcessTimes (in: hProcess=0x1e0, lpCreationTime=0x151f58c, lpExitTime=0x151f584, lpKernelTime=0x151f584, lpUserTime=0x151f584 | out: lpCreationTime=0x151f58c, lpExitTime=0x151f584, lpKernelTime=0x151f584, lpUserTime=0x151f584) returned 1 [0039.534] OpenProcessToken (in: ProcessHandle=0x1e0, DesiredAccess=0x8, TokenHandle=0x151f554 | out: TokenHandle=0x151f554*=0x240) returned 1 [0039.534] GetTokenInformation (in: TokenHandle=0x240, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f550 | out: TokenInformation=0x0, ReturnLength=0x151f550) returned 0 [0039.534] GetTokenInformation (in: TokenHandle=0x240, TokenInformationClass=0x19, TokenInformation=0xadca60, TokenInformationLength=0x14, ReturnLength=0x151f550 | out: TokenInformation=0xadca60, ReturnLength=0x151f550) returned 1 [0039.534] GetSidSubAuthorityCount (pSid=0xadca68*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xadca69 [0039.534] GetSidSubAuthority (pSid=0xadca68*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xadca70 [0039.543] GetProcessImageFileNameW (in: hProcess=0x1e4, lpImageFileName=0xb49140, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Program Files (x86)\\Java\\emergency_limitation.exe") returned 0x49 [0039.543] GetProcessTimes (in: hProcess=0x1e4, lpCreationTime=0x151f58c, lpExitTime=0x151f584, lpKernelTime=0x151f584, lpUserTime=0x151f584 | out: lpCreationTime=0x151f58c, lpExitTime=0x151f584, lpKernelTime=0x151f584, lpUserTime=0x151f584) returned 1 [0039.543] OpenProcessToken (in: ProcessHandle=0x1e4, DesiredAccess=0x8, TokenHandle=0x151f554 | out: TokenHandle=0x151f554*=0x240) returned 1 [0039.543] GetTokenInformation (in: TokenHandle=0x240, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f550 | out: TokenInformation=0x0, ReturnLength=0x151f550) returned 0 [0039.543] GetTokenInformation (in: TokenHandle=0x240, TokenInformationClass=0x19, TokenInformation=0xadca60, TokenInformationLength=0x14, ReturnLength=0x151f550 | out: TokenInformation=0xadca60, ReturnLength=0x151f550) returned 1 [0039.543] GetSidSubAuthorityCount (pSid=0xadca68*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xadca69 [0039.543] GetSidSubAuthority (pSid=0xadca68*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xadca70 [0039.604] GetProcessImageFileNameW (in: hProcess=0x1e8, lpImageFileName=0xb49140, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Program Files (x86)\\Windows Mail\\partnerships.exe") returned 0x49 [0039.604] GetProcessTimes (in: hProcess=0x1e8, lpCreationTime=0x151f58c, lpExitTime=0x151f584, lpKernelTime=0x151f584, lpUserTime=0x151f584 | out: lpCreationTime=0x151f58c, lpExitTime=0x151f584, lpKernelTime=0x151f584, lpUserTime=0x151f584) returned 1 [0039.604] OpenProcessToken (in: ProcessHandle=0x1e8, DesiredAccess=0x8, TokenHandle=0x151f554 | out: TokenHandle=0x151f554*=0x240) returned 1 [0039.604] GetTokenInformation (in: TokenHandle=0x240, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f550 | out: TokenInformation=0x0, ReturnLength=0x151f550) returned 0 [0039.604] GetTokenInformation (in: TokenHandle=0x240, TokenInformationClass=0x19, TokenInformation=0xadca60, TokenInformationLength=0x14, ReturnLength=0x151f550 | out: TokenInformation=0xadca60, ReturnLength=0x151f550) returned 1 [0039.605] GetSidSubAuthorityCount (pSid=0xadca68*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xadca69 [0039.605] GetSidSubAuthority (pSid=0xadca68*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xadca70 [0039.619] GetProcessImageFileNameW (in: hProcess=0x1ec, lpImageFileName=0xb49140, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Program Files (x86)\\MSBuild\\fit.exe") returned 0x3b [0039.619] GetProcessTimes (in: hProcess=0x1ec, lpCreationTime=0x151f58c, lpExitTime=0x151f584, lpKernelTime=0x151f584, lpUserTime=0x151f584 | out: lpCreationTime=0x151f58c, lpExitTime=0x151f584, lpKernelTime=0x151f584, lpUserTime=0x151f584) returned 1 [0039.619] OpenProcessToken (in: ProcessHandle=0x1ec, DesiredAccess=0x8, TokenHandle=0x151f554 | out: TokenHandle=0x151f554*=0x240) returned 1 [0039.619] GetTokenInformation (in: TokenHandle=0x240, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f550 | out: TokenInformation=0x0, ReturnLength=0x151f550) returned 0 [0039.619] GetTokenInformation (in: TokenHandle=0x240, TokenInformationClass=0x19, TokenInformation=0xadca60, TokenInformationLength=0x14, ReturnLength=0x151f550 | out: TokenInformation=0xadca60, ReturnLength=0x151f550) returned 1 [0039.619] GetSidSubAuthorityCount (pSid=0xadca68*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xadca69 [0039.619] GetSidSubAuthority (pSid=0xadca68*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xadca70 [0039.640] GetProcessImageFileNameW (in: hProcess=0x1f0, lpImageFileName=0xb49140, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Program Files (x86)\\Windows Mail\\ob reid.exe") returned 0x44 [0039.640] GetProcessTimes (in: hProcess=0x1f0, lpCreationTime=0x151f58c, lpExitTime=0x151f584, lpKernelTime=0x151f584, lpUserTime=0x151f584 | out: lpCreationTime=0x151f58c, lpExitTime=0x151f584, lpKernelTime=0x151f584, lpUserTime=0x151f584) returned 1 [0039.640] OpenProcessToken (in: ProcessHandle=0x1f0, DesiredAccess=0x8, TokenHandle=0x151f554 | out: TokenHandle=0x151f554*=0x240) returned 1 [0039.640] GetTokenInformation (in: TokenHandle=0x240, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f550 | out: TokenInformation=0x0, ReturnLength=0x151f550) returned 0 [0039.640] GetTokenInformation (in: TokenHandle=0x240, TokenInformationClass=0x19, TokenInformation=0xadca60, TokenInformationLength=0x14, ReturnLength=0x151f550 | out: TokenInformation=0xadca60, ReturnLength=0x151f550) returned 1 [0039.640] GetSidSubAuthorityCount (pSid=0xadca68*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xadca69 [0039.640] GetSidSubAuthority (pSid=0xadca68*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xadca70 [0039.698] GetProcessImageFileNameW (in: hProcess=0x1f4, lpImageFileName=0xb49140, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Program Files\\Internet Explorer\\antonio_done_cultures.exe") returned 0x51 [0039.698] GetProcessTimes (in: hProcess=0x1f4, lpCreationTime=0x151f58c, lpExitTime=0x151f584, lpKernelTime=0x151f584, lpUserTime=0x151f584 | out: lpCreationTime=0x151f58c, lpExitTime=0x151f584, lpKernelTime=0x151f584, lpUserTime=0x151f584) returned 1 [0039.698] OpenProcessToken (in: ProcessHandle=0x1f4, DesiredAccess=0x8, TokenHandle=0x151f554 | out: TokenHandle=0x151f554*=0x240) returned 1 [0039.698] GetTokenInformation (in: TokenHandle=0x240, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f550 | out: TokenInformation=0x0, ReturnLength=0x151f550) returned 0 [0039.698] GetTokenInformation (in: TokenHandle=0x240, TokenInformationClass=0x19, TokenInformation=0xadca60, TokenInformationLength=0x14, ReturnLength=0x151f550 | out: TokenInformation=0xadca60, ReturnLength=0x151f550) returned 1 [0039.698] GetSidSubAuthorityCount (pSid=0xadca68*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xadca69 [0039.698] GetSidSubAuthority (pSid=0xadca68*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xadca70 [0039.707] GetProcessImageFileNameW (in: hProcess=0x1f8, lpImageFileName=0xb49140, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Program Files (x86)\\Java\\norfolk_trance_directive.exe") returned 0x4d [0039.707] GetProcessTimes (in: hProcess=0x1f8, lpCreationTime=0x151f58c, lpExitTime=0x151f584, lpKernelTime=0x151f584, lpUserTime=0x151f584 | out: lpCreationTime=0x151f58c, lpExitTime=0x151f584, lpKernelTime=0x151f584, lpUserTime=0x151f584) returned 1 [0039.707] OpenProcessToken (in: ProcessHandle=0x1f8, DesiredAccess=0x8, TokenHandle=0x151f554 | out: TokenHandle=0x151f554*=0x240) returned 1 [0039.707] GetTokenInformation (in: TokenHandle=0x240, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f550 | out: TokenInformation=0x0, ReturnLength=0x151f550) returned 0 [0039.707] GetTokenInformation (in: TokenHandle=0x240, TokenInformationClass=0x19, TokenInformation=0xadca60, TokenInformationLength=0x14, ReturnLength=0x151f550 | out: TokenInformation=0xadca60, ReturnLength=0x151f550) returned 1 [0039.707] GetSidSubAuthorityCount (pSid=0xadca68*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xadca69 [0039.707] GetSidSubAuthority (pSid=0xadca68*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xadca70 [0039.732] GetProcessImageFileNameW (in: hProcess=0x1fc, lpImageFileName=0xb49140, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Program Files\\Uninstall Information\\cheese-further-reads.exe") returned 0x54 [0039.732] GetProcessTimes (in: hProcess=0x1fc, lpCreationTime=0x151f58c, lpExitTime=0x151f584, lpKernelTime=0x151f584, lpUserTime=0x151f584 | out: lpCreationTime=0x151f58c, lpExitTime=0x151f584, lpKernelTime=0x151f584, lpUserTime=0x151f584) returned 1 [0039.732] OpenProcessToken (in: ProcessHandle=0x1fc, DesiredAccess=0x8, TokenHandle=0x151f554 | out: TokenHandle=0x151f554*=0x240) returned 1 [0039.733] GetTokenInformation (in: TokenHandle=0x240, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f550 | out: TokenInformation=0x0, ReturnLength=0x151f550) returned 0 [0039.733] GetTokenInformation (in: TokenHandle=0x240, TokenInformationClass=0x19, TokenInformation=0xadca60, TokenInformationLength=0x14, ReturnLength=0x151f550 | out: TokenInformation=0xadca60, ReturnLength=0x151f550) returned 1 [0039.733] GetSidSubAuthorityCount (pSid=0xadca68*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xadca69 [0039.733] GetSidSubAuthority (pSid=0xadca68*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xadca70 [0039.742] GetProcessImageFileNameW (in: hProcess=0x200, lpImageFileName=0xb49140, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Program Files\\Microsoft Analysis Services\\walking.exe") returned 0x4d [0039.742] GetProcessTimes (in: hProcess=0x200, lpCreationTime=0x151f58c, lpExitTime=0x151f584, lpKernelTime=0x151f584, lpUserTime=0x151f584 | out: lpCreationTime=0x151f58c, lpExitTime=0x151f584, lpKernelTime=0x151f584, lpUserTime=0x151f584) returned 1 [0039.742] OpenProcessToken (in: ProcessHandle=0x200, DesiredAccess=0x8, TokenHandle=0x151f554 | out: TokenHandle=0x151f554*=0x240) returned 1 [0039.742] GetTokenInformation (in: TokenHandle=0x240, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f550 | out: TokenInformation=0x0, ReturnLength=0x151f550) returned 0 [0039.742] GetTokenInformation (in: TokenHandle=0x240, TokenInformationClass=0x19, TokenInformation=0xadca60, TokenInformationLength=0x14, ReturnLength=0x151f550 | out: TokenInformation=0xadca60, ReturnLength=0x151f550) returned 1 [0039.742] GetSidSubAuthorityCount (pSid=0xadca68*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xadca69 [0039.742] GetSidSubAuthority (pSid=0xadca68*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xadca70 [0039.795] GetProcessImageFileNameW (in: hProcess=0x204, lpImageFileName=0xb49140, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Program Files\\Windows Photo Viewer\\happiness.exe") returned 0x48 [0039.796] GetProcessTimes (in: hProcess=0x204, lpCreationTime=0x151f58c, lpExitTime=0x151f584, lpKernelTime=0x151f584, lpUserTime=0x151f584 | out: lpCreationTime=0x151f58c, lpExitTime=0x151f584, lpKernelTime=0x151f584, lpUserTime=0x151f584) returned 1 [0039.796] OpenProcessToken (in: ProcessHandle=0x204, DesiredAccess=0x8, TokenHandle=0x151f554 | out: TokenHandle=0x151f554*=0x240) returned 1 [0039.796] GetTokenInformation (in: TokenHandle=0x240, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f550 | out: TokenInformation=0x0, ReturnLength=0x151f550) returned 0 [0039.796] GetTokenInformation (in: TokenHandle=0x240, TokenInformationClass=0x19, TokenInformation=0xadca60, TokenInformationLength=0x14, ReturnLength=0x151f550 | out: TokenInformation=0xadca60, ReturnLength=0x151f550) returned 1 [0039.796] GetSidSubAuthorityCount (pSid=0xadca68*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xadca69 [0039.796] GetSidSubAuthority (pSid=0xadca68*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xadca70 [0039.810] GetProcessImageFileNameW (in: hProcess=0x208, lpImageFileName=0xb49140, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Program Files (x86)\\Windows Media Player\\clubs_mobility_dive.exe") returned 0x58 [0039.810] GetProcessTimes (in: hProcess=0x208, lpCreationTime=0x151f58c, lpExitTime=0x151f584, lpKernelTime=0x151f584, lpUserTime=0x151f584 | out: lpCreationTime=0x151f58c, lpExitTime=0x151f584, lpKernelTime=0x151f584, lpUserTime=0x151f584) returned 1 [0039.810] OpenProcessToken (in: ProcessHandle=0x208, DesiredAccess=0x8, TokenHandle=0x151f554 | out: TokenHandle=0x151f554*=0x240) returned 1 [0039.810] GetTokenInformation (in: TokenHandle=0x240, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f550 | out: TokenInformation=0x0, ReturnLength=0x151f550) returned 0 [0039.811] GetTokenInformation (in: TokenHandle=0x240, TokenInformationClass=0x19, TokenInformation=0xadca60, TokenInformationLength=0x14, ReturnLength=0x151f550 | out: TokenInformation=0xadca60, ReturnLength=0x151f550) returned 1 [0039.811] GetSidSubAuthorityCount (pSid=0xadca68*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xadca69 [0039.811] GetSidSubAuthority (pSid=0xadca68*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xadca70 [0039.820] GetProcessImageFileNameW (in: hProcess=0x20c, lpImageFileName=0xb49140, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Program Files (x86)\\Mozilla Maintenance Service\\completing.exe") returned 0x56 [0039.820] GetProcessTimes (in: hProcess=0x20c, lpCreationTime=0x151f58c, lpExitTime=0x151f584, lpKernelTime=0x151f584, lpUserTime=0x151f584 | out: lpCreationTime=0x151f58c, lpExitTime=0x151f584, lpKernelTime=0x151f584, lpUserTime=0x151f584) returned 1 [0039.820] OpenProcessToken (in: ProcessHandle=0x20c, DesiredAccess=0x8, TokenHandle=0x151f554 | out: TokenHandle=0x151f554*=0x240) returned 1 [0039.820] GetTokenInformation (in: TokenHandle=0x240, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f550 | out: TokenInformation=0x0, ReturnLength=0x151f550) returned 0 [0039.820] GetTokenInformation (in: TokenHandle=0x240, TokenInformationClass=0x19, TokenInformation=0xadca60, TokenInformationLength=0x14, ReturnLength=0x151f550 | out: TokenInformation=0xadca60, ReturnLength=0x151f550) returned 1 [0039.820] GetSidSubAuthorityCount (pSid=0xadca68*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xadca69 [0039.820] GetSidSubAuthority (pSid=0xadca68*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xadca70 [0039.883] GetProcessImageFileNameW (in: hProcess=0x210, lpImageFileName=0xb49140, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Program Files\\Windows Journal\\polished expressed.exe") returned 0x4c [0039.883] GetProcessTimes (in: hProcess=0x210, lpCreationTime=0x151f58c, lpExitTime=0x151f584, lpKernelTime=0x151f584, lpUserTime=0x151f584 | out: lpCreationTime=0x151f58c, lpExitTime=0x151f584, lpKernelTime=0x151f584, lpUserTime=0x151f584) returned 1 [0039.883] OpenProcessToken (in: ProcessHandle=0x210, DesiredAccess=0x8, TokenHandle=0x151f554 | out: TokenHandle=0x151f554*=0x240) returned 1 [0039.883] GetTokenInformation (in: TokenHandle=0x240, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f550 | out: TokenInformation=0x0, ReturnLength=0x151f550) returned 0 [0039.883] GetTokenInformation (in: TokenHandle=0x240, TokenInformationClass=0x19, TokenInformation=0xadca60, TokenInformationLength=0x14, ReturnLength=0x151f550 | out: TokenInformation=0xadca60, ReturnLength=0x151f550) returned 1 [0039.883] GetSidSubAuthorityCount (pSid=0xadca68*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xadca69 [0039.883] GetSidSubAuthority (pSid=0xadca68*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xadca70 [0039.892] GetProcessImageFileNameW (in: hProcess=0x214, lpImageFileName=0xb49140, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Program Files\\Reference Assemblies\\need result.exe") returned 0x4a [0039.892] GetProcessTimes (in: hProcess=0x214, lpCreationTime=0x151f58c, lpExitTime=0x151f584, lpKernelTime=0x151f584, lpUserTime=0x151f584 | out: lpCreationTime=0x151f58c, lpExitTime=0x151f584, lpKernelTime=0x151f584, lpUserTime=0x151f584) returned 1 [0039.892] OpenProcessToken (in: ProcessHandle=0x214, DesiredAccess=0x8, TokenHandle=0x151f554 | out: TokenHandle=0x151f554*=0x240) returned 1 [0039.892] GetTokenInformation (in: TokenHandle=0x240, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f550 | out: TokenInformation=0x0, ReturnLength=0x151f550) returned 0 [0039.892] GetTokenInformation (in: TokenHandle=0x240, TokenInformationClass=0x19, TokenInformation=0xadca60, TokenInformationLength=0x14, ReturnLength=0x151f550 | out: TokenInformation=0xadca60, ReturnLength=0x151f550) returned 1 [0039.892] GetSidSubAuthorityCount (pSid=0xadca68*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xadca69 [0039.892] GetSidSubAuthority (pSid=0xadca68*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xadca70 [0039.901] GetProcessImageFileNameW (in: hProcess=0x218, lpImageFileName=0xb49140, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Program Files\\Microsoft Sync Framework\\spring.exe") returned 0x49 [0039.902] GetProcessTimes (in: hProcess=0x218, lpCreationTime=0x151f58c, lpExitTime=0x151f584, lpKernelTime=0x151f584, lpUserTime=0x151f584 | out: lpCreationTime=0x151f58c, lpExitTime=0x151f584, lpKernelTime=0x151f584, lpUserTime=0x151f584) returned 1 [0039.902] OpenProcessToken (in: ProcessHandle=0x218, DesiredAccess=0x8, TokenHandle=0x151f554 | out: TokenHandle=0x151f554*=0x240) returned 1 [0039.902] GetTokenInformation (in: TokenHandle=0x240, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f550 | out: TokenInformation=0x0, ReturnLength=0x151f550) returned 0 [0039.902] GetTokenInformation (in: TokenHandle=0x240, TokenInformationClass=0x19, TokenInformation=0xadca60, TokenInformationLength=0x14, ReturnLength=0x151f550 | out: TokenInformation=0xadca60, ReturnLength=0x151f550) returned 1 [0039.902] GetSidSubAuthorityCount (pSid=0xadca68*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xadca69 [0039.902] GetSidSubAuthority (pSid=0xadca68*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xadca70 [0039.916] GetProcessImageFileNameW (in: hProcess=0x21c, lpImageFileName=0xb49140, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Program Files (x86)\\MSBuild\\marvel.exe") returned 0x3e [0039.916] GetProcessTimes (in: hProcess=0x21c, lpCreationTime=0x151f58c, lpExitTime=0x151f584, lpKernelTime=0x151f584, lpUserTime=0x151f584 | out: lpCreationTime=0x151f58c, lpExitTime=0x151f584, lpKernelTime=0x151f584, lpUserTime=0x151f584) returned 1 [0039.916] OpenProcessToken (in: ProcessHandle=0x21c, DesiredAccess=0x8, TokenHandle=0x151f554 | out: TokenHandle=0x151f554*=0x240) returned 1 [0039.916] GetTokenInformation (in: TokenHandle=0x240, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f550 | out: TokenInformation=0x0, ReturnLength=0x151f550) returned 0 [0039.916] GetTokenInformation (in: TokenHandle=0x240, TokenInformationClass=0x19, TokenInformation=0xadca60, TokenInformationLength=0x14, ReturnLength=0x151f550 | out: TokenInformation=0xadca60, ReturnLength=0x151f550) returned 1 [0039.916] GetSidSubAuthorityCount (pSid=0xadca68*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xadca69 [0039.916] GetSidSubAuthority (pSid=0xadca68*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xadca70 [0039.925] GetProcessImageFileNameW (in: hProcess=0x220, lpImageFileName=0xb49140, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Program Files\\Windows Media Player\\clicks plc.exe") returned 0x49 [0039.925] GetProcessTimes (in: hProcess=0x220, lpCreationTime=0x151f58c, lpExitTime=0x151f584, lpKernelTime=0x151f584, lpUserTime=0x151f584 | out: lpCreationTime=0x151f58c, lpExitTime=0x151f584, lpKernelTime=0x151f584, lpUserTime=0x151f584) returned 1 [0039.925] OpenProcessToken (in: ProcessHandle=0x220, DesiredAccess=0x8, TokenHandle=0x151f554 | out: TokenHandle=0x151f554*=0x240) returned 1 [0039.925] GetTokenInformation (in: TokenHandle=0x240, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f550 | out: TokenInformation=0x0, ReturnLength=0x151f550) returned 0 [0039.925] GetTokenInformation (in: TokenHandle=0x240, TokenInformationClass=0x19, TokenInformation=0xadca60, TokenInformationLength=0x14, ReturnLength=0x151f550 | out: TokenInformation=0xadca60, ReturnLength=0x151f550) returned 1 [0039.925] GetSidSubAuthorityCount (pSid=0xadca68*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xadca69 [0039.925] GetSidSubAuthority (pSid=0xadca68*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xadca70 [0039.981] GetProcessImageFileNameW (in: hProcess=0x224, lpImageFileName=0xb49140, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Program Files\\DVD Maker\\inter-angle.exe") returned 0x3f [0039.981] GetProcessTimes (in: hProcess=0x224, lpCreationTime=0x151f58c, lpExitTime=0x151f584, lpKernelTime=0x151f584, lpUserTime=0x151f584 | out: lpCreationTime=0x151f58c, lpExitTime=0x151f584, lpKernelTime=0x151f584, lpUserTime=0x151f584) returned 1 [0039.981] OpenProcessToken (in: ProcessHandle=0x224, DesiredAccess=0x8, TokenHandle=0x151f554 | out: TokenHandle=0x151f554*=0x240) returned 1 [0039.981] GetTokenInformation (in: TokenHandle=0x240, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f550 | out: TokenInformation=0x0, ReturnLength=0x151f550) returned 0 [0039.981] GetTokenInformation (in: TokenHandle=0x240, TokenInformationClass=0x19, TokenInformation=0xadca60, TokenInformationLength=0x14, ReturnLength=0x151f550 | out: TokenInformation=0xadca60, ReturnLength=0x151f550) returned 1 [0039.981] GetSidSubAuthorityCount (pSid=0xadca68*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xadca69 [0039.981] GetSidSubAuthority (pSid=0xadca68*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xadca70 [0039.990] GetProcessImageFileNameW (in: hProcess=0x228, lpImageFileName=0xb49140, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Program Files\\Windows Portable Devices\\admit cellular.exe") returned 0x51 [0039.990] GetProcessTimes (in: hProcess=0x228, lpCreationTime=0x151f58c, lpExitTime=0x151f584, lpKernelTime=0x151f584, lpUserTime=0x151f584 | out: lpCreationTime=0x151f58c, lpExitTime=0x151f584, lpKernelTime=0x151f584, lpUserTime=0x151f584) returned 1 [0039.990] OpenProcessToken (in: ProcessHandle=0x228, DesiredAccess=0x8, TokenHandle=0x151f554 | out: TokenHandle=0x151f554*=0x240) returned 1 [0039.990] GetTokenInformation (in: TokenHandle=0x240, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f550 | out: TokenInformation=0x0, ReturnLength=0x151f550) returned 0 [0039.990] GetTokenInformation (in: TokenHandle=0x240, TokenInformationClass=0x19, TokenInformation=0xadca60, TokenInformationLength=0x14, ReturnLength=0x151f550 | out: TokenInformation=0xadca60, ReturnLength=0x151f550) returned 1 [0039.990] GetSidSubAuthorityCount (pSid=0xadca68*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xadca69 [0039.990] GetSidSubAuthority (pSid=0xadca68*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xadca70 [0040.000] GetProcessImageFileNameW (in: hProcess=0x22c, lpImageFileName=0xb49140, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Program Files (x86)\\Microsoft Analysis Services\\contractor.exe") returned 0x56 [0040.000] GetProcessTimes (in: hProcess=0x22c, lpCreationTime=0x151f58c, lpExitTime=0x151f584, lpKernelTime=0x151f584, lpUserTime=0x151f584 | out: lpCreationTime=0x151f58c, lpExitTime=0x151f584, lpKernelTime=0x151f584, lpUserTime=0x151f584) returned 1 [0040.000] OpenProcessToken (in: ProcessHandle=0x22c, DesiredAccess=0x8, TokenHandle=0x151f554 | out: TokenHandle=0x151f554*=0x240) returned 1 [0040.000] GetTokenInformation (in: TokenHandle=0x240, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f550 | out: TokenInformation=0x0, ReturnLength=0x151f550) returned 0 [0040.000] GetTokenInformation (in: TokenHandle=0x240, TokenInformationClass=0x19, TokenInformation=0xadca60, TokenInformationLength=0x14, ReturnLength=0x151f550 | out: TokenInformation=0xadca60, ReturnLength=0x151f550) returned 1 [0040.000] GetSidSubAuthorityCount (pSid=0xadca68*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xadca69 [0040.000] GetSidSubAuthority (pSid=0xadca68*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xadca70 [0040.009] GetProcessImageFileNameW (in: hProcess=0x230, lpImageFileName=0xb49140, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Program Files\\Microsoft Office\\theta.exe") returned 0x40 [0040.009] GetProcessTimes (in: hProcess=0x230, lpCreationTime=0x151f58c, lpExitTime=0x151f584, lpKernelTime=0x151f584, lpUserTime=0x151f584 | out: lpCreationTime=0x151f58c, lpExitTime=0x151f584, lpKernelTime=0x151f584, lpUserTime=0x151f584) returned 1 [0040.009] OpenProcessToken (in: ProcessHandle=0x230, DesiredAccess=0x8, TokenHandle=0x151f554 | out: TokenHandle=0x151f554*=0x240) returned 1 [0040.009] GetTokenInformation (in: TokenHandle=0x240, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f550 | out: TokenInformation=0x0, ReturnLength=0x151f550) returned 0 [0040.009] GetTokenInformation (in: TokenHandle=0x240, TokenInformationClass=0x19, TokenInformation=0xadca60, TokenInformationLength=0x14, ReturnLength=0x151f550 | out: TokenInformation=0xadca60, ReturnLength=0x151f550) returned 1 [0040.009] GetSidSubAuthorityCount (pSid=0xadca68*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xadca69 [0040.009] GetSidSubAuthority (pSid=0xadca68*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xadca70 [0040.018] GetProcessImageFileNameW (in: hProcess=0x234, lpImageFileName=0xb49140, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Windows\\System32\\vssadmin.exe") returned 0x35 [0040.018] GetProcessTimes (in: hProcess=0x234, lpCreationTime=0x151f58c, lpExitTime=0x151f584, lpKernelTime=0x151f584, lpUserTime=0x151f584 | out: lpCreationTime=0x151f58c, lpExitTime=0x151f584, lpKernelTime=0x151f584, lpUserTime=0x151f584) returned 1 [0040.018] OpenProcessToken (in: ProcessHandle=0x234, DesiredAccess=0x8, TokenHandle=0x151f554 | out: TokenHandle=0x151f554*=0x240) returned 1 [0040.018] GetTokenInformation (in: TokenHandle=0x240, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f550 | out: TokenInformation=0x0, ReturnLength=0x151f550) returned 0 [0040.018] GetTokenInformation (in: TokenHandle=0x240, TokenInformationClass=0x19, TokenInformation=0xadca60, TokenInformationLength=0x14, ReturnLength=0x151f550 | out: TokenInformation=0xadca60, ReturnLength=0x151f550) returned 1 [0040.018] GetSidSubAuthorityCount (pSid=0xadca68*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x3000)) returned 0xadca69 [0040.018] GetSidSubAuthority (pSid=0xadca68*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x3000), nSubAuthority=0x0) returned 0xadca70 [0040.076] GetProcessImageFileNameW (in: hProcess=0x238, lpImageFileName=0xb49140, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Windows\\System32\\conhost.exe") returned 0x34 [0040.076] GetProcessTimes (in: hProcess=0x238, lpCreationTime=0x151f58c, lpExitTime=0x151f584, lpKernelTime=0x151f584, lpUserTime=0x151f584 | out: lpCreationTime=0x151f58c, lpExitTime=0x151f584, lpKernelTime=0x151f584, lpUserTime=0x151f584) returned 1 [0040.076] OpenProcessToken (in: ProcessHandle=0x238, DesiredAccess=0x8, TokenHandle=0x151f554 | out: TokenHandle=0x151f554*=0x240) returned 1 [0040.076] GetTokenInformation (in: TokenHandle=0x240, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f550 | out: TokenInformation=0x0, ReturnLength=0x151f550) returned 0 [0040.076] GetTokenInformation (in: TokenHandle=0x240, TokenInformationClass=0x19, TokenInformation=0xadca60, TokenInformationLength=0x14, ReturnLength=0x151f550 | out: TokenInformation=0xadca60, ReturnLength=0x151f550) returned 1 [0040.076] GetSidSubAuthorityCount (pSid=0xadca68*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x3000)) returned 0xadca69 [0040.076] GetSidSubAuthority (pSid=0xadca68*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x3000), nSubAuthority=0x0) returned 0xadca70 [0040.082] GetProcessImageFileNameW (in: hProcess=0x23c, lpImageFileName=0xb49140, nSize=0x200 | out: lpImageFileName="\\Device\\HarddiskVolume1\\Windows\\System32\\VSSVC.exe") returned 0x32 [0040.082] GetProcessTimes (in: hProcess=0x23c, lpCreationTime=0x151f58c, lpExitTime=0x151f584, lpKernelTime=0x151f584, lpUserTime=0x151f584 | out: lpCreationTime=0x151f58c, lpExitTime=0x151f584, lpKernelTime=0x151f584, lpUserTime=0x151f584) returned 1 [0040.082] OpenProcessToken (in: ProcessHandle=0x23c, DesiredAccess=0x8, TokenHandle=0x151f554 | out: TokenHandle=0x151f554*=0x240) returned 1 [0040.082] GetTokenInformation (in: TokenHandle=0x240, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x151f550 | out: TokenInformation=0x0, ReturnLength=0x151f550) returned 0 [0040.082] GetTokenInformation (in: TokenHandle=0x240, TokenInformationClass=0x19, TokenInformation=0xadca60, TokenInformationLength=0x14, ReturnLength=0x151f550 | out: TokenInformation=0xadca60, ReturnLength=0x151f550) returned 1 [0040.082] GetSidSubAuthorityCount (pSid=0xadca68*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000)) returned 0xadca69 [0040.082] GetSidSubAuthority (pSid=0xadca68*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x4000), nSubAuthority=0x0) returned 0xadca70 [0040.097] QueryDosDeviceW (in: lpDeviceName="C:", lpTargetPath=0xb49140, ucchMax=0x200 | out: lpTargetPath="\\Device\\HarddiskVolume1") returned 0x19 [0040.133] FindFirstFileExW (in: lpFileName="C:\\Boot\\*", fInfoLevelId=0x1, lpFindFileData=0x151f784, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x151f784) returned 0x2906d0 [0040.133] FindClose (in: hFindFile=0x28f398 | out: hFindFile=0x28f398) returned 1 [0040.133] FindNextFileW (in: hFindFile=0x2906d0, lpFindFileData=0x151f784 | out: lpFindFileData=0x151f784) returned 1 [0040.133] FindNextFileW (in: hFindFile=0x2906d0, lpFindFileData=0x151f784 | out: lpFindFileData=0x151f784) returned 1 [0040.133] FindNextFileW (in: hFindFile=0x2906d0, lpFindFileData=0x151f784 | out: lpFindFileData=0x151f784) returned 1 [0040.133] FindNextFileW (in: hFindFile=0x2906d0, lpFindFileData=0x151f784 | out: lpFindFileData=0x151f784) returned 1 [0040.133] FindNextFileW (in: hFindFile=0x2906d0, lpFindFileData=0x151f784 | out: lpFindFileData=0x151f784) returned 1 [0040.133] FindNextFileW (in: hFindFile=0x2906d0, lpFindFileData=0x151f784 | out: lpFindFileData=0x151f784) returned 1 [0040.133] FindNextFileW (in: hFindFile=0x2906d0, lpFindFileData=0x151f784 | out: lpFindFileData=0x151f784) returned 1 [0040.133] CreateFileW (lpFileName="C:\\Boot\\cs-CZ" (normalized: "c:\\boot\\cs-cz"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2200000, hTemplateFile=0x0) returned 0x180 [0040.133] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x151f6fc, lpLastWriteTime=0x151f6fc) returned 0 [0040.133] DeviceIoControl (in: hDevice=0x180, dwIoControlCode=0x900a8, lpInBuffer=0x0, nInBufferSize=0x0, lpOutBuffer=0xae9a40, nOutBufferSize=0x4000, lpBytesReturned=0x151f754, lpOverlapped=0x0 | out: lpOutBuffer=0xae9a40, lpBytesReturned=0x151f754, lpOverlapped=0x0) returned 0 [0040.133] FindFirstFileExW (in: lpFileName="C:\\Boot\\cs-CZ\\*", fInfoLevelId=0x1, lpFindFileData=0x151f4c4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x151f4c4) returned 0x28f398 [0040.134] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0040.134] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0040.134] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 0 [0040.134] GetLastError () returned 0x12 [0040.135] CreateFileW (lpFileName="C:\\Boot\\cs-CZ\\bootmgr.exe.mui" (normalized: "c:\\boot\\cs-cz\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0040.135] GetLastError () returned 0x5 [0040.135] FindFirstFileExW (in: lpFileName="C:\\Boot\\cs-CZ\\*", fInfoLevelId=0x1, lpFindFileData=0x151f4c4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x151f4c4) returned 0x290710 [0040.135] FindClose (in: hFindFile=0x28f398 | out: hFindFile=0x28f398) returned 1 [0040.135] FindNextFileW (in: hFindFile=0x290710, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0040.135] FindNextFileW (in: hFindFile=0x290710, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0040.135] FindNextFileW (in: hFindFile=0x290710, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 0 [0040.135] GetLastError () returned 0x12 [0040.135] FindNextFileW (in: hFindFile=0x2906d0, lpFindFileData=0x151f784 | out: lpFindFileData=0x151f784) returned 1 [0040.135] CreateFileW (lpFileName="C:\\Boot\\da-DK" (normalized: "c:\\boot\\da-dk"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2200000, hTemplateFile=0x0) returned 0x244 [0040.136] SetFileTime (hFile=0x244, lpCreationTime=0x0, lpLastAccessTime=0x151f6fc, lpLastWriteTime=0x151f6fc) returned 0 [0040.136] DeviceIoControl (in: hDevice=0x244, dwIoControlCode=0x900a8, lpInBuffer=0x0, nInBufferSize=0x0, lpOutBuffer=0xae9a40, nOutBufferSize=0x4000, lpBytesReturned=0x151f754, lpOverlapped=0x0 | out: lpOutBuffer=0xae9a40, lpBytesReturned=0x151f754, lpOverlapped=0x0) returned 0 [0040.136] FindFirstFileExW (in: lpFileName="C:\\Boot\\da-DK\\*", fInfoLevelId=0x1, lpFindFileData=0x151f4c4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x151f4c4) returned 0x28f398 [0040.136] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0040.137] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0040.137] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 0 [0040.137] GetLastError () returned 0x12 [0040.194] CreateFileW (lpFileName="C:\\Boot\\da-DK\\bootmgr.exe.mui" (normalized: "c:\\boot\\da-dk\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0040.194] GetLastError () returned 0x5 [0040.194] FindFirstFileExW (in: lpFileName="C:\\Boot\\da-DK\\*", fInfoLevelId=0x1, lpFindFileData=0x151f4c4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x151f4c4) returned 0x290710 [0040.194] FindClose (in: hFindFile=0x28f398 | out: hFindFile=0x28f398) returned 1 [0040.194] FindNextFileW (in: hFindFile=0x290710, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0040.194] FindNextFileW (in: hFindFile=0x290710, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0040.194] FindNextFileW (in: hFindFile=0x290710, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 0 [0040.194] GetLastError () returned 0x12 [0040.194] FindNextFileW (in: hFindFile=0x2906d0, lpFindFileData=0x151f784 | out: lpFindFileData=0x151f784) returned 1 [0040.195] CreateFileW (lpFileName="C:\\Boot\\de-DE" (normalized: "c:\\boot\\de-de"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2200000, hTemplateFile=0x0) returned 0x180 [0040.195] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x151f6fc, lpLastWriteTime=0x151f6fc) returned 0 [0040.195] DeviceIoControl (in: hDevice=0x180, dwIoControlCode=0x900a8, lpInBuffer=0x0, nInBufferSize=0x0, lpOutBuffer=0xae9a40, nOutBufferSize=0x4000, lpBytesReturned=0x151f754, lpOverlapped=0x0 | out: lpOutBuffer=0xae9a40, lpBytesReturned=0x151f754, lpOverlapped=0x0) returned 0 [0040.195] FindFirstFileExW (in: lpFileName="C:\\Boot\\de-DE\\*", fInfoLevelId=0x1, lpFindFileData=0x151f4c4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x151f4c4) returned 0x28f398 [0040.195] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0040.196] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0040.196] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 0 [0040.196] GetLastError () returned 0x12 [0040.196] CreateFileW (lpFileName="C:\\Boot\\de-DE\\bootmgr.exe.mui" (normalized: "c:\\boot\\de-de\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0040.196] GetLastError () returned 0x5 [0040.196] FindFirstFileExW (in: lpFileName="C:\\Boot\\de-DE\\*", fInfoLevelId=0x1, lpFindFileData=0x151f4c4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x151f4c4) returned 0x290710 [0040.196] FindClose (in: hFindFile=0x28f398 | out: hFindFile=0x28f398) returned 1 [0040.196] FindNextFileW (in: hFindFile=0x290710, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0040.196] FindNextFileW (in: hFindFile=0x290710, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0040.196] FindNextFileW (in: hFindFile=0x290710, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 0 [0040.196] GetLastError () returned 0x12 [0040.196] FindNextFileW (in: hFindFile=0x2906d0, lpFindFileData=0x151f784 | out: lpFindFileData=0x151f784) returned 1 [0040.197] CreateFileW (lpFileName="C:\\Boot\\el-GR" (normalized: "c:\\boot\\el-gr"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2200000, hTemplateFile=0x0) returned 0x244 [0040.197] SetFileTime (hFile=0x244, lpCreationTime=0x0, lpLastAccessTime=0x151f6fc, lpLastWriteTime=0x151f6fc) returned 0 [0040.197] DeviceIoControl (in: hDevice=0x244, dwIoControlCode=0x900a8, lpInBuffer=0x0, nInBufferSize=0x0, lpOutBuffer=0xae9a40, nOutBufferSize=0x4000, lpBytesReturned=0x151f754, lpOverlapped=0x0 | out: lpOutBuffer=0xae9a40, lpBytesReturned=0x151f754, lpOverlapped=0x0) returned 0 [0040.197] FindFirstFileExW (in: lpFileName="C:\\Boot\\el-GR\\*", fInfoLevelId=0x1, lpFindFileData=0x151f4c4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x151f4c4) returned 0x28f398 [0040.197] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0040.198] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0040.198] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 0 [0040.198] GetLastError () returned 0x12 [0040.256] CreateFileW (lpFileName="C:\\Boot\\el-GR\\bootmgr.exe.mui" (normalized: "c:\\boot\\el-gr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0040.256] GetLastError () returned 0x5 [0040.256] FindFirstFileExW (in: lpFileName="C:\\Boot\\el-GR\\*", fInfoLevelId=0x1, lpFindFileData=0x151f4c4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x151f4c4) returned 0x290710 [0040.256] FindClose (in: hFindFile=0x28f398 | out: hFindFile=0x28f398) returned 1 [0040.256] FindNextFileW (in: hFindFile=0x290710, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0040.256] FindNextFileW (in: hFindFile=0x290710, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0040.256] FindNextFileW (in: hFindFile=0x290710, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 0 [0040.256] GetLastError () returned 0x12 [0040.256] FindNextFileW (in: hFindFile=0x2906d0, lpFindFileData=0x151f784 | out: lpFindFileData=0x151f784) returned 1 [0040.257] CreateFileW (lpFileName="C:\\Boot\\en-US" (normalized: "c:\\boot\\en-us"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2200000, hTemplateFile=0x0) returned 0x180 [0040.257] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x151f6fc, lpLastWriteTime=0x151f6fc) returned 0 [0040.257] DeviceIoControl (in: hDevice=0x180, dwIoControlCode=0x900a8, lpInBuffer=0x0, nInBufferSize=0x0, lpOutBuffer=0xae9a40, nOutBufferSize=0x4000, lpBytesReturned=0x151f754, lpOverlapped=0x0 | out: lpOutBuffer=0xae9a40, lpBytesReturned=0x151f754, lpOverlapped=0x0) returned 0 [0040.257] FindFirstFileExW (in: lpFileName="C:\\Boot\\en-US\\*", fInfoLevelId=0x1, lpFindFileData=0x151f4c4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x151f4c4) returned 0x28f398 [0040.257] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0040.258] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0040.258] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0040.258] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 0 [0040.258] GetLastError () returned 0x12 [0040.258] CreateFileW (lpFileName="C:\\Boot\\en-US\\bootmgr.exe.mui" (normalized: "c:\\boot\\en-us\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0040.258] GetLastError () returned 0x5 [0040.259] CreateFileW (lpFileName="C:\\Boot\\en-US\\memtest.exe.mui" (normalized: "c:\\boot\\en-us\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0040.259] GetLastError () returned 0x5 [0040.259] FindFirstFileExW (in: lpFileName="C:\\Boot\\en-US\\*", fInfoLevelId=0x1, lpFindFileData=0x151f4c4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x151f4c4) returned 0x290710 [0040.259] FindClose (in: hFindFile=0x28f398 | out: hFindFile=0x28f398) returned 1 [0040.259] FindNextFileW (in: hFindFile=0x290710, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0040.259] FindNextFileW (in: hFindFile=0x290710, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0040.259] FindNextFileW (in: hFindFile=0x290710, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0040.259] FindNextFileW (in: hFindFile=0x290710, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 0 [0040.259] GetLastError () returned 0x12 [0040.259] FindNextFileW (in: hFindFile=0x2906d0, lpFindFileData=0x151f784 | out: lpFindFileData=0x151f784) returned 1 [0040.405] CreateFileW (lpFileName="C:\\Boot\\es-ES" (normalized: "c:\\boot\\es-es"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2200000, hTemplateFile=0x0) returned 0x244 [0040.405] SetFileTime (hFile=0x244, lpCreationTime=0x0, lpLastAccessTime=0x151f6fc, lpLastWriteTime=0x151f6fc) returned 0 [0040.406] DeviceIoControl (in: hDevice=0x244, dwIoControlCode=0x900a8, lpInBuffer=0x0, nInBufferSize=0x0, lpOutBuffer=0xae9a40, nOutBufferSize=0x4000, lpBytesReturned=0x151f754, lpOverlapped=0x0 | out: lpOutBuffer=0xae9a40, lpBytesReturned=0x151f754, lpOverlapped=0x0) returned 0 [0040.406] FindFirstFileExW (in: lpFileName="C:\\Boot\\es-ES\\*", fInfoLevelId=0x1, lpFindFileData=0x151f4c4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x151f4c4) returned 0x28f398 [0040.406] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0040.407] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0040.407] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 0 [0040.407] GetLastError () returned 0x12 [0040.407] CreateFileW (lpFileName="C:\\Boot\\es-ES\\bootmgr.exe.mui" (normalized: "c:\\boot\\es-es\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0040.407] GetLastError () returned 0x5 [0040.407] FindFirstFileExW (in: lpFileName="C:\\Boot\\es-ES\\*", fInfoLevelId=0x1, lpFindFileData=0x151f4c4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x151f4c4) returned 0x290710 [0040.407] FindClose (in: hFindFile=0x28f398 | out: hFindFile=0x28f398) returned 1 [0040.407] FindNextFileW (in: hFindFile=0x290710, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0040.407] FindNextFileW (in: hFindFile=0x290710, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0040.407] FindNextFileW (in: hFindFile=0x290710, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 0 [0040.407] GetLastError () returned 0x12 [0040.407] FindNextFileW (in: hFindFile=0x2906d0, lpFindFileData=0x151f784 | out: lpFindFileData=0x151f784) returned 1 [0040.408] CreateFileW (lpFileName="C:\\Boot\\fi-FI" (normalized: "c:\\boot\\fi-fi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2200000, hTemplateFile=0x0) returned 0x180 [0040.408] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x151f6fc, lpLastWriteTime=0x151f6fc) returned 0 [0040.409] DeviceIoControl (in: hDevice=0x180, dwIoControlCode=0x900a8, lpInBuffer=0x0, nInBufferSize=0x0, lpOutBuffer=0xae9a40, nOutBufferSize=0x4000, lpBytesReturned=0x151f754, lpOverlapped=0x0 | out: lpOutBuffer=0xae9a40, lpBytesReturned=0x151f754, lpOverlapped=0x0) returned 0 [0040.409] FindFirstFileExW (in: lpFileName="C:\\Boot\\fi-FI\\*", fInfoLevelId=0x1, lpFindFileData=0x151f4c4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x151f4c4) returned 0x28f398 [0040.409] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0040.410] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0040.410] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 0 [0040.410] GetLastError () returned 0x12 [0040.410] CreateFileW (lpFileName="C:\\Boot\\fi-FI\\bootmgr.exe.mui" (normalized: "c:\\boot\\fi-fi\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0040.410] GetLastError () returned 0x5 [0040.410] FindFirstFileExW (in: lpFileName="C:\\Boot\\fi-FI\\*", fInfoLevelId=0x1, lpFindFileData=0x151f4c4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x151f4c4) returned 0x290710 [0040.410] FindClose (in: hFindFile=0x28f398 | out: hFindFile=0x28f398) returned 1 [0040.410] FindNextFileW (in: hFindFile=0x290710, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0040.410] FindNextFileW (in: hFindFile=0x290710, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0040.410] FindNextFileW (in: hFindFile=0x290710, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 0 [0040.410] GetLastError () returned 0x12 [0040.411] FindNextFileW (in: hFindFile=0x2906d0, lpFindFileData=0x151f784 | out: lpFindFileData=0x151f784) returned 1 [0040.411] CreateFileW (lpFileName="C:\\Boot\\Fonts" (normalized: "c:\\boot\\fonts"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2200000, hTemplateFile=0x0) returned 0x244 [0040.412] SetFileTime (hFile=0x244, lpCreationTime=0x0, lpLastAccessTime=0x151f6fc, lpLastWriteTime=0x151f6fc) returned 0 [0040.412] DeviceIoControl (in: hDevice=0x244, dwIoControlCode=0x900a8, lpInBuffer=0x0, nInBufferSize=0x0, lpOutBuffer=0xae9a40, nOutBufferSize=0x4000, lpBytesReturned=0x151f754, lpOverlapped=0x0 | out: lpOutBuffer=0xae9a40, lpBytesReturned=0x151f754, lpOverlapped=0x0) returned 0 [0040.412] FindFirstFileExW (in: lpFileName="C:\\Boot\\Fonts\\*", fInfoLevelId=0x1, lpFindFileData=0x151f4c4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x151f4c4) returned 0x28f398 [0040.412] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0040.431] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0040.431] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0040.431] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0040.431] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0040.431] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0040.431] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 0 [0040.431] GetLastError () returned 0x12 [0040.431] CreateFileW (lpFileName="C:\\Boot\\Fonts\\chs_boot.ttf" (normalized: "c:\\boot\\fonts\\chs_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0040.432] GetLastError () returned 0x5 [0040.474] CreateFileW (lpFileName="C:\\Boot\\Fonts\\cht_boot.ttf" (normalized: "c:\\boot\\fonts\\cht_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0040.474] GetLastError () returned 0x5 [0040.474] CreateFileW (lpFileName="C:\\Boot\\Fonts\\jpn_boot.ttf" (normalized: "c:\\boot\\fonts\\jpn_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0040.475] GetLastError () returned 0x5 [0040.475] CreateFileW (lpFileName="C:\\Boot\\Fonts\\kor_boot.ttf" (normalized: "c:\\boot\\fonts\\kor_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0040.475] GetLastError () returned 0x5 [0040.475] CreateFileW (lpFileName="C:\\Boot\\Fonts\\wgl4_boot.ttf" (normalized: "c:\\boot\\fonts\\wgl4_boot.ttf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0040.475] GetLastError () returned 0x5 [0040.475] FindFirstFileExW (in: lpFileName="C:\\Boot\\Fonts\\*", fInfoLevelId=0x1, lpFindFileData=0x151f4c4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x151f4c4) returned 0x290710 [0040.475] FindClose (in: hFindFile=0x28f398 | out: hFindFile=0x28f398) returned 1 [0040.475] FindNextFileW (in: hFindFile=0x290710, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0040.476] FindNextFileW (in: hFindFile=0x290710, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0040.476] FindNextFileW (in: hFindFile=0x290710, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0040.476] FindNextFileW (in: hFindFile=0x290710, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0040.476] FindNextFileW (in: hFindFile=0x290710, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0040.476] FindNextFileW (in: hFindFile=0x290710, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0040.476] FindNextFileW (in: hFindFile=0x290710, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 0 [0040.476] GetLastError () returned 0x12 [0040.476] FindNextFileW (in: hFindFile=0x2906d0, lpFindFileData=0x151f784 | out: lpFindFileData=0x151f784) returned 1 [0040.523] CreateFileW (lpFileName="C:\\Boot\\fr-FR" (normalized: "c:\\boot\\fr-fr"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2200000, hTemplateFile=0x0) returned 0x180 [0040.523] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x151f6fc, lpLastWriteTime=0x151f6fc) returned 0 [0040.523] DeviceIoControl (in: hDevice=0x180, dwIoControlCode=0x900a8, lpInBuffer=0x0, nInBufferSize=0x0, lpOutBuffer=0xae9a40, nOutBufferSize=0x4000, lpBytesReturned=0x151f754, lpOverlapped=0x0 | out: lpOutBuffer=0xae9a40, lpBytesReturned=0x151f754, lpOverlapped=0x0) returned 0 [0040.523] FindFirstFileExW (in: lpFileName="C:\\Boot\\fr-FR\\*", fInfoLevelId=0x1, lpFindFileData=0x151f4c4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x151f4c4) returned 0x28f398 [0040.523] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0040.524] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0040.524] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 0 [0040.524] GetLastError () returned 0x12 [0040.524] CreateFileW (lpFileName="C:\\Boot\\fr-FR\\bootmgr.exe.mui" (normalized: "c:\\boot\\fr-fr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0040.524] GetLastError () returned 0x5 [0040.524] FindFirstFileExW (in: lpFileName="C:\\Boot\\fr-FR\\*", fInfoLevelId=0x1, lpFindFileData=0x151f4c4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x151f4c4) returned 0x290710 [0040.524] FindClose (in: hFindFile=0x28f398 | out: hFindFile=0x28f398) returned 1 [0040.525] FindNextFileW (in: hFindFile=0x290710, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0040.525] FindNextFileW (in: hFindFile=0x290710, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0040.525] FindNextFileW (in: hFindFile=0x290710, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 0 [0040.525] GetLastError () returned 0x12 [0040.525] FindNextFileW (in: hFindFile=0x2906d0, lpFindFileData=0x151f784 | out: lpFindFileData=0x151f784) returned 1 [0040.525] CreateFileW (lpFileName="C:\\Boot\\hu-HU" (normalized: "c:\\boot\\hu-hu"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2200000, hTemplateFile=0x0) returned 0x244 [0040.526] SetFileTime (hFile=0x244, lpCreationTime=0x0, lpLastAccessTime=0x151f6fc, lpLastWriteTime=0x151f6fc) returned 0 [0040.526] DeviceIoControl (in: hDevice=0x244, dwIoControlCode=0x900a8, lpInBuffer=0x0, nInBufferSize=0x0, lpOutBuffer=0xae9a40, nOutBufferSize=0x4000, lpBytesReturned=0x151f754, lpOverlapped=0x0 | out: lpOutBuffer=0xae9a40, lpBytesReturned=0x151f754, lpOverlapped=0x0) returned 0 [0040.526] FindFirstFileExW (in: lpFileName="C:\\Boot\\hu-HU\\*", fInfoLevelId=0x1, lpFindFileData=0x151f4c4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x151f4c4) returned 0x28f398 [0040.526] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0040.526] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0040.527] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 0 [0040.527] GetLastError () returned 0x12 [0040.527] CreateFileW (lpFileName="C:\\Boot\\hu-HU\\bootmgr.exe.mui" (normalized: "c:\\boot\\hu-hu\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0040.527] GetLastError () returned 0x5 [0040.527] FindFirstFileExW (in: lpFileName="C:\\Boot\\hu-HU\\*", fInfoLevelId=0x1, lpFindFileData=0x151f4c4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x151f4c4) returned 0x290710 [0040.527] FindClose (in: hFindFile=0x28f398 | out: hFindFile=0x28f398) returned 1 [0040.527] FindNextFileW (in: hFindFile=0x290710, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0040.527] FindNextFileW (in: hFindFile=0x290710, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0040.527] FindNextFileW (in: hFindFile=0x290710, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 0 [0040.527] GetLastError () returned 0x12 [0040.527] FindNextFileW (in: hFindFile=0x2906d0, lpFindFileData=0x151f784 | out: lpFindFileData=0x151f784) returned 1 [0040.687] CreateFileW (lpFileName="C:\\Boot\\it-IT" (normalized: "c:\\boot\\it-it"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2200000, hTemplateFile=0x0) returned 0x180 [0040.688] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x151f6fc, lpLastWriteTime=0x151f6fc) returned 0 [0040.688] DeviceIoControl (in: hDevice=0x180, dwIoControlCode=0x900a8, lpInBuffer=0x0, nInBufferSize=0x0, lpOutBuffer=0xae9a40, nOutBufferSize=0x4000, lpBytesReturned=0x151f754, lpOverlapped=0x0 | out: lpOutBuffer=0xae9a40, lpBytesReturned=0x151f754, lpOverlapped=0x0) returned 0 [0040.688] FindFirstFileExW (in: lpFileName="C:\\Boot\\it-IT\\*", fInfoLevelId=0x1, lpFindFileData=0x151f4c4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x151f4c4) returned 0x28f398 [0040.688] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0040.689] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0040.689] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 0 [0040.689] GetLastError () returned 0x12 [0040.689] CreateFileW (lpFileName="C:\\Boot\\it-IT\\bootmgr.exe.mui" (normalized: "c:\\boot\\it-it\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0040.689] GetLastError () returned 0x5 [0040.689] FindFirstFileExW (in: lpFileName="C:\\Boot\\it-IT\\*", fInfoLevelId=0x1, lpFindFileData=0x151f4c4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x151f4c4) returned 0x290710 [0040.689] FindClose (in: hFindFile=0x28f398 | out: hFindFile=0x28f398) returned 1 [0040.689] FindNextFileW (in: hFindFile=0x290710, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0040.689] FindNextFileW (in: hFindFile=0x290710, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0040.689] FindNextFileW (in: hFindFile=0x290710, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 0 [0040.689] GetLastError () returned 0x12 [0040.689] FindNextFileW (in: hFindFile=0x2906d0, lpFindFileData=0x151f784 | out: lpFindFileData=0x151f784) returned 1 [0040.690] CreateFileW (lpFileName="C:\\Boot\\ja-JP" (normalized: "c:\\boot\\ja-jp"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2200000, hTemplateFile=0x0) returned 0x244 [0040.690] SetFileTime (hFile=0x244, lpCreationTime=0x0, lpLastAccessTime=0x151f6fc, lpLastWriteTime=0x151f6fc) returned 0 [0040.690] DeviceIoControl (in: hDevice=0x244, dwIoControlCode=0x900a8, lpInBuffer=0x0, nInBufferSize=0x0, lpOutBuffer=0xae9a40, nOutBufferSize=0x4000, lpBytesReturned=0x151f754, lpOverlapped=0x0 | out: lpOutBuffer=0xae9a40, lpBytesReturned=0x151f754, lpOverlapped=0x0) returned 0 [0040.690] FindFirstFileExW (in: lpFileName="C:\\Boot\\ja-JP\\*", fInfoLevelId=0x1, lpFindFileData=0x151f4c4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x151f4c4) returned 0x28f398 [0040.690] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0040.691] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0040.691] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 0 [0040.691] GetLastError () returned 0x12 [0040.691] CreateFileW (lpFileName="C:\\Boot\\ja-JP\\bootmgr.exe.mui" (normalized: "c:\\boot\\ja-jp\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0040.691] GetLastError () returned 0x5 [0040.691] FindFirstFileExW (in: lpFileName="C:\\Boot\\ja-JP\\*", fInfoLevelId=0x1, lpFindFileData=0x151f4c4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x151f4c4) returned 0x290710 [0040.691] FindClose (in: hFindFile=0x28f398 | out: hFindFile=0x28f398) returned 1 [0040.691] FindNextFileW (in: hFindFile=0x290710, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0040.691] FindNextFileW (in: hFindFile=0x290710, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0040.691] FindNextFileW (in: hFindFile=0x290710, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 0 [0040.692] GetLastError () returned 0x12 [0040.692] FindNextFileW (in: hFindFile=0x2906d0, lpFindFileData=0x151f784 | out: lpFindFileData=0x151f784) returned 1 [0040.735] CreateFileW (lpFileName="C:\\Boot\\ko-KR" (normalized: "c:\\boot\\ko-kr"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2200000, hTemplateFile=0x0) returned 0x180 [0040.735] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x151f6fc, lpLastWriteTime=0x151f6fc) returned 0 [0040.735] DeviceIoControl (in: hDevice=0x180, dwIoControlCode=0x900a8, lpInBuffer=0x0, nInBufferSize=0x0, lpOutBuffer=0xae9a40, nOutBufferSize=0x4000, lpBytesReturned=0x151f754, lpOverlapped=0x0 | out: lpOutBuffer=0xae9a40, lpBytesReturned=0x151f754, lpOverlapped=0x0) returned 0 [0040.735] FindFirstFileExW (in: lpFileName="C:\\Boot\\ko-KR\\*", fInfoLevelId=0x1, lpFindFileData=0x151f4c4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x151f4c4) returned 0x28f398 [0040.735] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0040.736] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0040.736] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 0 [0040.736] GetLastError () returned 0x12 [0040.736] CreateFileW (lpFileName="C:\\Boot\\ko-KR\\bootmgr.exe.mui" (normalized: "c:\\boot\\ko-kr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0040.736] GetLastError () returned 0x5 [0040.736] FindFirstFileExW (in: lpFileName="C:\\Boot\\ko-KR\\*", fInfoLevelId=0x1, lpFindFileData=0x151f4c4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x151f4c4) returned 0x290710 [0040.736] FindClose (in: hFindFile=0x28f398 | out: hFindFile=0x28f398) returned 1 [0040.736] FindNextFileW (in: hFindFile=0x290710, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0040.736] FindNextFileW (in: hFindFile=0x290710, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0040.736] FindNextFileW (in: hFindFile=0x290710, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 0 [0040.737] GetLastError () returned 0x12 [0040.737] FindNextFileW (in: hFindFile=0x2906d0, lpFindFileData=0x151f784 | out: lpFindFileData=0x151f784) returned 1 [0040.737] FindNextFileW (in: hFindFile=0x2906d0, lpFindFileData=0x151f784 | out: lpFindFileData=0x151f784) returned 1 [0040.772] CreateFileW (lpFileName="C:\\Boot\\nb-NO" (normalized: "c:\\boot\\nb-no"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2200000, hTemplateFile=0x0) returned 0x244 [0040.772] SetFileTime (hFile=0x244, lpCreationTime=0x0, lpLastAccessTime=0x151f6fc, lpLastWriteTime=0x151f6fc) returned 0 [0040.772] DeviceIoControl (in: hDevice=0x244, dwIoControlCode=0x900a8, lpInBuffer=0x0, nInBufferSize=0x0, lpOutBuffer=0xae9a40, nOutBufferSize=0x4000, lpBytesReturned=0x151f754, lpOverlapped=0x0 | out: lpOutBuffer=0xae9a40, lpBytesReturned=0x151f754, lpOverlapped=0x0) returned 0 [0040.772] FindFirstFileExW (in: lpFileName="C:\\Boot\\nb-NO\\*", fInfoLevelId=0x1, lpFindFileData=0x151f4c4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x151f4c4) returned 0x28f398 [0040.772] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0040.773] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0040.773] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 0 [0040.773] GetLastError () returned 0x12 [0040.819] CreateFileW (lpFileName="C:\\Boot\\nb-NO\\bootmgr.exe.mui" (normalized: "c:\\boot\\nb-no\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0040.819] GetLastError () returned 0x5 [0040.819] FindFirstFileExW (in: lpFileName="C:\\Boot\\nb-NO\\*", fInfoLevelId=0x1, lpFindFileData=0x151f4c4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x151f4c4) returned 0x290710 [0040.819] FindClose (in: hFindFile=0x28f398 | out: hFindFile=0x28f398) returned 1 [0040.819] FindNextFileW (in: hFindFile=0x290710, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0040.819] FindNextFileW (in: hFindFile=0x290710, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0040.819] FindNextFileW (in: hFindFile=0x290710, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 0 [0040.819] GetLastError () returned 0x12 [0040.820] FindNextFileW (in: hFindFile=0x2906d0, lpFindFileData=0x151f784 | out: lpFindFileData=0x151f784) returned 1 [0040.820] CreateFileW (lpFileName="C:\\Boot\\nl-NL" (normalized: "c:\\boot\\nl-nl"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2200000, hTemplateFile=0x0) returned 0x180 [0040.820] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x151f6fc, lpLastWriteTime=0x151f6fc) returned 0 [0040.820] DeviceIoControl (in: hDevice=0x180, dwIoControlCode=0x900a8, lpInBuffer=0x0, nInBufferSize=0x0, lpOutBuffer=0xae9a40, nOutBufferSize=0x4000, lpBytesReturned=0x151f754, lpOverlapped=0x0 | out: lpOutBuffer=0xae9a40, lpBytesReturned=0x151f754, lpOverlapped=0x0) returned 0 [0040.820] FindFirstFileExW (in: lpFileName="C:\\Boot\\nl-NL\\*", fInfoLevelId=0x1, lpFindFileData=0x151f4c4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x151f4c4) returned 0x28f398 [0040.820] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0040.821] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0040.821] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 0 [0040.821] GetLastError () returned 0x12 [0040.821] CreateFileW (lpFileName="C:\\Boot\\nl-NL\\bootmgr.exe.mui" (normalized: "c:\\boot\\nl-nl\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0040.821] GetLastError () returned 0x5 [0040.821] FindFirstFileExW (in: lpFileName="C:\\Boot\\nl-NL\\*", fInfoLevelId=0x1, lpFindFileData=0x151f4c4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x151f4c4) returned 0x290710 [0040.822] FindClose (in: hFindFile=0x28f398 | out: hFindFile=0x28f398) returned 1 [0040.822] FindNextFileW (in: hFindFile=0x290710, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0040.822] FindNextFileW (in: hFindFile=0x290710, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0040.822] FindNextFileW (in: hFindFile=0x290710, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 0 [0040.822] GetLastError () returned 0x12 [0040.822] FindNextFileW (in: hFindFile=0x2906d0, lpFindFileData=0x151f784 | out: lpFindFileData=0x151f784) returned 1 [0040.822] CreateFileW (lpFileName="C:\\Boot\\pl-PL" (normalized: "c:\\boot\\pl-pl"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2200000, hTemplateFile=0x0) returned 0x244 [0040.822] SetFileTime (hFile=0x244, lpCreationTime=0x0, lpLastAccessTime=0x151f6fc, lpLastWriteTime=0x151f6fc) returned 0 [0040.822] DeviceIoControl (in: hDevice=0x244, dwIoControlCode=0x900a8, lpInBuffer=0x0, nInBufferSize=0x0, lpOutBuffer=0xae9a40, nOutBufferSize=0x4000, lpBytesReturned=0x151f754, lpOverlapped=0x0 | out: lpOutBuffer=0xae9a40, lpBytesReturned=0x151f754, lpOverlapped=0x0) returned 0 [0040.823] FindFirstFileExW (in: lpFileName="C:\\Boot\\pl-PL\\*", fInfoLevelId=0x1, lpFindFileData=0x151f4c4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x151f4c4) returned 0x28f398 [0040.823] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0040.823] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0040.823] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 0 [0040.823] GetLastError () returned 0x12 [0040.865] CreateFileW (lpFileName="C:\\Boot\\pl-PL\\bootmgr.exe.mui" (normalized: "c:\\boot\\pl-pl\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0040.865] GetLastError () returned 0x5 [0040.865] FindFirstFileExW (in: lpFileName="C:\\Boot\\pl-PL\\*", fInfoLevelId=0x1, lpFindFileData=0x151f4c4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x151f4c4) returned 0x290710 [0040.865] FindClose (in: hFindFile=0x28f398 | out: hFindFile=0x28f398) returned 1 [0040.865] FindNextFileW (in: hFindFile=0x290710, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0040.865] FindNextFileW (in: hFindFile=0x290710, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0040.865] FindNextFileW (in: hFindFile=0x290710, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 0 [0040.865] GetLastError () returned 0x12 [0040.865] FindNextFileW (in: hFindFile=0x2906d0, lpFindFileData=0x151f784 | out: lpFindFileData=0x151f784) returned 1 [0040.865] CreateFileW (lpFileName="C:\\Boot\\pt-BR" (normalized: "c:\\boot\\pt-br"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2200000, hTemplateFile=0x0) returned 0x180 [0040.866] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x151f6fc, lpLastWriteTime=0x151f6fc) returned 0 [0040.866] DeviceIoControl (in: hDevice=0x180, dwIoControlCode=0x900a8, lpInBuffer=0x0, nInBufferSize=0x0, lpOutBuffer=0xae9a40, nOutBufferSize=0x4000, lpBytesReturned=0x151f754, lpOverlapped=0x0 | out: lpOutBuffer=0xae9a40, lpBytesReturned=0x151f754, lpOverlapped=0x0) returned 0 [0040.866] FindFirstFileExW (in: lpFileName="C:\\Boot\\pt-BR\\*", fInfoLevelId=0x1, lpFindFileData=0x151f4c4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x151f4c4) returned 0x28f398 [0040.866] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0040.867] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0040.867] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 0 [0040.867] GetLastError () returned 0x12 [0040.867] CreateFileW (lpFileName="C:\\Boot\\pt-BR\\bootmgr.exe.mui" (normalized: "c:\\boot\\pt-br\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0040.867] GetLastError () returned 0x5 [0040.867] FindFirstFileExW (in: lpFileName="C:\\Boot\\pt-BR\\*", fInfoLevelId=0x1, lpFindFileData=0x151f4c4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x151f4c4) returned 0x290710 [0040.867] FindClose (in: hFindFile=0x28f398 | out: hFindFile=0x28f398) returned 1 [0040.867] FindNextFileW (in: hFindFile=0x290710, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0040.867] FindNextFileW (in: hFindFile=0x290710, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0040.867] FindNextFileW (in: hFindFile=0x290710, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 0 [0040.867] GetLastError () returned 0x12 [0040.867] FindNextFileW (in: hFindFile=0x2906d0, lpFindFileData=0x151f784 | out: lpFindFileData=0x151f784) returned 1 [0040.868] CreateFileW (lpFileName="C:\\Boot\\pt-PT" (normalized: "c:\\boot\\pt-pt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2200000, hTemplateFile=0x0) returned 0x244 [0040.868] SetFileTime (hFile=0x244, lpCreationTime=0x0, lpLastAccessTime=0x151f6fc, lpLastWriteTime=0x151f6fc) returned 0 [0040.868] DeviceIoControl (in: hDevice=0x244, dwIoControlCode=0x900a8, lpInBuffer=0x0, nInBufferSize=0x0, lpOutBuffer=0xae9a40, nOutBufferSize=0x4000, lpBytesReturned=0x151f754, lpOverlapped=0x0 | out: lpOutBuffer=0xae9a40, lpBytesReturned=0x151f754, lpOverlapped=0x0) returned 0 [0040.869] FindFirstFileExW (in: lpFileName="C:\\Boot\\pt-PT\\*", fInfoLevelId=0x1, lpFindFileData=0x151f4c4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x151f4c4) returned 0x28f398 [0040.869] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0040.869] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0040.869] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 0 [0040.869] GetLastError () returned 0x12 [0040.911] CreateFileW (lpFileName="C:\\Boot\\pt-PT\\bootmgr.exe.mui" (normalized: "c:\\boot\\pt-pt\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0040.911] GetLastError () returned 0x5 [0040.911] FindFirstFileExW (in: lpFileName="C:\\Boot\\pt-PT\\*", fInfoLevelId=0x1, lpFindFileData=0x151f4c4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x151f4c4) returned 0x290710 [0040.911] FindClose (in: hFindFile=0x28f398 | out: hFindFile=0x28f398) returned 1 [0040.912] FindNextFileW (in: hFindFile=0x290710, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0040.912] FindNextFileW (in: hFindFile=0x290710, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0040.912] FindNextFileW (in: hFindFile=0x290710, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 0 [0040.912] GetLastError () returned 0x12 [0040.912] FindNextFileW (in: hFindFile=0x2906d0, lpFindFileData=0x151f784 | out: lpFindFileData=0x151f784) returned 1 [0040.912] CreateFileW (lpFileName="C:\\Boot\\ru-RU" (normalized: "c:\\boot\\ru-ru"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2200000, hTemplateFile=0x0) returned 0x180 [0040.912] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x151f6fc, lpLastWriteTime=0x151f6fc) returned 0 [0040.912] DeviceIoControl (in: hDevice=0x180, dwIoControlCode=0x900a8, lpInBuffer=0x0, nInBufferSize=0x0, lpOutBuffer=0xae9a40, nOutBufferSize=0x4000, lpBytesReturned=0x151f754, lpOverlapped=0x0 | out: lpOutBuffer=0xae9a40, lpBytesReturned=0x151f754, lpOverlapped=0x0) returned 0 [0040.912] FindFirstFileExW (in: lpFileName="C:\\Boot\\ru-RU\\*", fInfoLevelId=0x1, lpFindFileData=0x151f4c4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x151f4c4) returned 0x28f398 [0040.913] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0040.913] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0040.913] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 0 [0040.913] GetLastError () returned 0x12 [0040.913] CreateFileW (lpFileName="C:\\Boot\\ru-RU\\bootmgr.exe.mui" (normalized: "c:\\boot\\ru-ru\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0040.914] GetLastError () returned 0x5 [0040.914] FindFirstFileExW (in: lpFileName="C:\\Boot\\ru-RU\\*", fInfoLevelId=0x1, lpFindFileData=0x151f4c4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x151f4c4) returned 0x290710 [0040.914] FindClose (in: hFindFile=0x28f398 | out: hFindFile=0x28f398) returned 1 [0040.914] FindNextFileW (in: hFindFile=0x290710, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0040.914] FindNextFileW (in: hFindFile=0x290710, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0040.914] FindNextFileW (in: hFindFile=0x290710, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 0 [0040.914] GetLastError () returned 0x12 [0040.914] FindNextFileW (in: hFindFile=0x2906d0, lpFindFileData=0x151f784 | out: lpFindFileData=0x151f784) returned 1 [0040.915] CreateFileW (lpFileName="C:\\Boot\\sv-SE" (normalized: "c:\\boot\\sv-se"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2200000, hTemplateFile=0x0) returned 0x244 [0040.915] SetFileTime (hFile=0x244, lpCreationTime=0x0, lpLastAccessTime=0x151f6fc, lpLastWriteTime=0x151f6fc) returned 0 [0040.915] DeviceIoControl (in: hDevice=0x244, dwIoControlCode=0x900a8, lpInBuffer=0x0, nInBufferSize=0x0, lpOutBuffer=0xae9a40, nOutBufferSize=0x4000, lpBytesReturned=0x151f754, lpOverlapped=0x0 | out: lpOutBuffer=0xae9a40, lpBytesReturned=0x151f754, lpOverlapped=0x0) returned 0 [0040.915] FindFirstFileExW (in: lpFileName="C:\\Boot\\sv-SE\\*", fInfoLevelId=0x1, lpFindFileData=0x151f4c4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x151f4c4) returned 0x28f398 [0040.915] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0040.916] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0040.916] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 0 [0040.916] GetLastError () returned 0x12 [0040.958] CreateFileW (lpFileName="C:\\Boot\\sv-SE\\bootmgr.exe.mui" (normalized: "c:\\boot\\sv-se\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0040.958] GetLastError () returned 0x5 [0040.958] FindFirstFileExW (in: lpFileName="C:\\Boot\\sv-SE\\*", fInfoLevelId=0x1, lpFindFileData=0x151f4c4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x151f4c4) returned 0x290710 [0040.958] FindClose (in: hFindFile=0x28f398 | out: hFindFile=0x28f398) returned 1 [0040.958] FindNextFileW (in: hFindFile=0x290710, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0040.958] FindNextFileW (in: hFindFile=0x290710, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0040.958] FindNextFileW (in: hFindFile=0x290710, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 0 [0040.958] GetLastError () returned 0x12 [0040.958] FindNextFileW (in: hFindFile=0x2906d0, lpFindFileData=0x151f784 | out: lpFindFileData=0x151f784) returned 1 [0040.959] CreateFileW (lpFileName="C:\\Boot\\tr-TR" (normalized: "c:\\boot\\tr-tr"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2200000, hTemplateFile=0x0) returned 0x180 [0040.959] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x151f6fc, lpLastWriteTime=0x151f6fc) returned 0 [0040.959] DeviceIoControl (in: hDevice=0x180, dwIoControlCode=0x900a8, lpInBuffer=0x0, nInBufferSize=0x0, lpOutBuffer=0xae9a40, nOutBufferSize=0x4000, lpBytesReturned=0x151f754, lpOverlapped=0x0 | out: lpOutBuffer=0xae9a40, lpBytesReturned=0x151f754, lpOverlapped=0x0) returned 0 [0040.959] FindFirstFileExW (in: lpFileName="C:\\Boot\\tr-TR\\*", fInfoLevelId=0x1, lpFindFileData=0x151f4c4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x151f4c4) returned 0x28f398 [0040.959] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0040.960] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0040.960] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 0 [0040.960] GetLastError () returned 0x12 [0040.960] CreateFileW (lpFileName="C:\\Boot\\tr-TR\\bootmgr.exe.mui" (normalized: "c:\\boot\\tr-tr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0040.960] GetLastError () returned 0x5 [0040.960] FindFirstFileExW (in: lpFileName="C:\\Boot\\tr-TR\\*", fInfoLevelId=0x1, lpFindFileData=0x151f4c4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x151f4c4) returned 0x290710 [0040.960] FindClose (in: hFindFile=0x28f398 | out: hFindFile=0x28f398) returned 1 [0040.960] FindNextFileW (in: hFindFile=0x290710, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0040.961] FindNextFileW (in: hFindFile=0x290710, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0040.961] FindNextFileW (in: hFindFile=0x290710, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 0 [0040.961] GetLastError () returned 0x12 [0040.961] FindNextFileW (in: hFindFile=0x2906d0, lpFindFileData=0x151f784 | out: lpFindFileData=0x151f784) returned 1 [0040.961] CreateFileW (lpFileName="C:\\Boot\\zh-CN" (normalized: "c:\\boot\\zh-cn"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2200000, hTemplateFile=0x0) returned 0x244 [0040.961] SetFileTime (hFile=0x244, lpCreationTime=0x0, lpLastAccessTime=0x151f6fc, lpLastWriteTime=0x151f6fc) returned 0 [0040.961] DeviceIoControl (in: hDevice=0x244, dwIoControlCode=0x900a8, lpInBuffer=0x0, nInBufferSize=0x0, lpOutBuffer=0xae9a40, nOutBufferSize=0x4000, lpBytesReturned=0x151f754, lpOverlapped=0x0 | out: lpOutBuffer=0xae9a40, lpBytesReturned=0x151f754, lpOverlapped=0x0) returned 0 [0040.961] FindFirstFileExW (in: lpFileName="C:\\Boot\\zh-CN\\*", fInfoLevelId=0x1, lpFindFileData=0x151f4c4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x151f4c4) returned 0x28f398 [0040.961] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0040.962] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0040.962] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 0 [0040.962] GetLastError () returned 0x12 [0041.004] CreateFileW (lpFileName="C:\\Boot\\zh-CN\\bootmgr.exe.mui" (normalized: "c:\\boot\\zh-cn\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0041.005] GetLastError () returned 0x5 [0041.005] FindFirstFileExW (in: lpFileName="C:\\Boot\\zh-CN\\*", fInfoLevelId=0x1, lpFindFileData=0x151f4c4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x151f4c4) returned 0x290710 [0041.005] FindClose (in: hFindFile=0x28f398 | out: hFindFile=0x28f398) returned 1 [0041.005] FindNextFileW (in: hFindFile=0x290710, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0041.005] FindNextFileW (in: hFindFile=0x290710, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0041.005] FindNextFileW (in: hFindFile=0x290710, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 0 [0041.005] GetLastError () returned 0x12 [0041.005] FindNextFileW (in: hFindFile=0x2906d0, lpFindFileData=0x151f784 | out: lpFindFileData=0x151f784) returned 1 [0041.005] CreateFileW (lpFileName="C:\\Boot\\zh-HK" (normalized: "c:\\boot\\zh-hk"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2200000, hTemplateFile=0x0) returned 0x180 [0041.006] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x151f6fc, lpLastWriteTime=0x151f6fc) returned 0 [0041.006] DeviceIoControl (in: hDevice=0x180, dwIoControlCode=0x900a8, lpInBuffer=0x0, nInBufferSize=0x0, lpOutBuffer=0xae9a40, nOutBufferSize=0x4000, lpBytesReturned=0x151f754, lpOverlapped=0x0 | out: lpOutBuffer=0xae9a40, lpBytesReturned=0x151f754, lpOverlapped=0x0) returned 0 [0041.006] FindFirstFileExW (in: lpFileName="C:\\Boot\\zh-HK\\*", fInfoLevelId=0x1, lpFindFileData=0x151f4c4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x151f4c4) returned 0x28f398 [0041.006] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0041.007] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0041.007] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 0 [0041.007] GetLastError () returned 0x12 [0041.007] CreateFileW (lpFileName="C:\\Boot\\zh-HK\\bootmgr.exe.mui" (normalized: "c:\\boot\\zh-hk\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0041.007] GetLastError () returned 0x5 [0041.007] FindFirstFileExW (in: lpFileName="C:\\Boot\\zh-HK\\*", fInfoLevelId=0x1, lpFindFileData=0x151f4c4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x151f4c4) returned 0x290710 [0041.007] FindClose (in: hFindFile=0x28f398 | out: hFindFile=0x28f398) returned 1 [0041.007] FindNextFileW (in: hFindFile=0x290710, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0041.007] FindNextFileW (in: hFindFile=0x290710, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0041.007] FindNextFileW (in: hFindFile=0x290710, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 0 [0041.007] GetLastError () returned 0x12 [0041.007] FindNextFileW (in: hFindFile=0x2906d0, lpFindFileData=0x151f784 | out: lpFindFileData=0x151f784) returned 1 [0041.008] CreateFileW (lpFileName="C:\\Boot\\zh-TW" (normalized: "c:\\boot\\zh-tw"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2200000, hTemplateFile=0x0) returned 0x244 [0041.008] SetFileTime (hFile=0x244, lpCreationTime=0x0, lpLastAccessTime=0x151f6fc, lpLastWriteTime=0x151f6fc) returned 0 [0041.008] DeviceIoControl (in: hDevice=0x244, dwIoControlCode=0x900a8, lpInBuffer=0x0, nInBufferSize=0x0, lpOutBuffer=0xae9a40, nOutBufferSize=0x4000, lpBytesReturned=0x151f754, lpOverlapped=0x0 | out: lpOutBuffer=0xae9a40, lpBytesReturned=0x151f754, lpOverlapped=0x0) returned 0 [0041.008] FindFirstFileExW (in: lpFileName="C:\\Boot\\zh-TW\\*", fInfoLevelId=0x1, lpFindFileData=0x151f4c4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x151f4c4) returned 0x28f398 [0041.008] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0041.009] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0041.009] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 0 [0041.009] GetLastError () returned 0x12 [0041.009] CreateFileW (lpFileName="C:\\Boot\\zh-TW\\bootmgr.exe.mui" (normalized: "c:\\boot\\zh-tw\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0041.009] GetLastError () returned 0x5 [0041.009] FindFirstFileExW (in: lpFileName="C:\\Boot\\zh-TW\\*", fInfoLevelId=0x1, lpFindFileData=0x151f4c4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x151f4c4) returned 0x290710 [0041.009] FindClose (in: hFindFile=0x28f398 | out: hFindFile=0x28f398) returned 1 [0041.009] FindNextFileW (in: hFindFile=0x290710, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0041.009] FindNextFileW (in: hFindFile=0x290710, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0041.009] FindNextFileW (in: hFindFile=0x290710, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 0 [0041.009] GetLastError () returned 0x12 [0041.009] FindNextFileW (in: hFindFile=0x2906d0, lpFindFileData=0x151f784 | out: lpFindFileData=0x151f784) returned 0 [0041.009] GetLastError () returned 0x12 [0041.010] FindNextFileW (in: hFindFile=0x290480, lpFindFileData=0x151fa44 | out: lpFindFileData=0x151fa44) returned 1 [0041.010] FindNextFileW (in: hFindFile=0x290480, lpFindFileData=0x151fa44 | out: lpFindFileData=0x151fa44) returned 1 [0041.010] FindNextFileW (in: hFindFile=0x290480, lpFindFileData=0x151fa44 | out: lpFindFileData=0x151fa44) returned 1 [0041.011] CreateFileW (lpFileName="C:\\Config.Msi" (normalized: "c:\\config.msi"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2200000, hTemplateFile=0x0) returned 0x240 [0041.011] SetFileTime (hFile=0x240, lpCreationTime=0x0, lpLastAccessTime=0x151f9bc, lpLastWriteTime=0x151f9bc) returned 0 [0041.011] DeviceIoControl (in: hDevice=0x240, dwIoControlCode=0x900a8, lpInBuffer=0x0, nInBufferSize=0x0, lpOutBuffer=0xae9a40, nOutBufferSize=0x4000, lpBytesReturned=0x151fa14, lpOverlapped=0x0 | out: lpOutBuffer=0xae9a40, lpBytesReturned=0x151fa14, lpOverlapped=0x0) returned 0 [0041.011] FindFirstFileExW (in: lpFileName="C:\\Config.Msi\\*", fInfoLevelId=0x1, lpFindFileData=0x151f784, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x151f784) returned 0x28f398 [0041.011] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f784 | out: lpFindFileData=0x151f784) returned 1 [0041.012] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f784 | out: lpFindFileData=0x151f784) returned 0 [0041.012] GetLastError () returned 0x12 [0041.012] FindFirstFileExW (in: lpFileName="C:\\Config.Msi\\*", fInfoLevelId=0x1, lpFindFileData=0x151f784, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x151f784) returned 0x2906d0 [0041.012] FindClose (in: hFindFile=0x28f398 | out: hFindFile=0x28f398) returned 1 [0041.012] FindNextFileW (in: hFindFile=0x2906d0, lpFindFileData=0x151f784 | out: lpFindFileData=0x151f784) returned 1 [0041.012] FindNextFileW (in: hFindFile=0x2906d0, lpFindFileData=0x151f784 | out: lpFindFileData=0x151f784) returned 0 [0041.012] GetLastError () returned 0x12 [0041.012] FindNextFileW (in: hFindFile=0x290480, lpFindFileData=0x151fa44 | out: lpFindFileData=0x151fa44) returned 1 [0041.012] CreateFileW (lpFileName="C:\\Documents and Settings" (normalized: "c:\\documents and settings"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2200000, hTemplateFile=0x0) returned 0xffffffff [0041.013] GetLastError () returned 0x5 [0041.013] FindFirstFileExW (in: lpFileName="C:\\Documents and Settings\\*", fInfoLevelId=0x1, lpFindFileData=0x151f784, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x151f784) returned 0xffffffff [0041.013] GetLastError () returned 0x5 [0041.013] FindFirstFileExW (in: lpFileName="C:\\Documents and Settings\\*", fInfoLevelId=0x1, lpFindFileData=0x151f784, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x151f784) returned 0xffffffff [0041.013] GetLastError () returned 0x5 [0041.013] FindNextFileW (in: hFindFile=0x290480, lpFindFileData=0x151fa44 | out: lpFindFileData=0x151fa44) returned 1 [0041.013] FindNextFileW (in: hFindFile=0x290480, lpFindFileData=0x151fa44 | out: lpFindFileData=0x151fa44) returned 1 [0041.013] CreateFileW (lpFileName="C:\\MSOCache" (normalized: "c:\\msocache"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2200000, hTemplateFile=0x0) returned 0x180 [0041.013] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x151f9bc, lpLastWriteTime=0x151f9bc) returned 0 [0041.013] DeviceIoControl (in: hDevice=0x180, dwIoControlCode=0x900a8, lpInBuffer=0x0, nInBufferSize=0x0, lpOutBuffer=0xae9a40, nOutBufferSize=0x4000, lpBytesReturned=0x151fa14, lpOverlapped=0x0 | out: lpOutBuffer=0xae9a40, lpBytesReturned=0x151fa14, lpOverlapped=0x0) returned 0 [0041.013] FindFirstFileExW (in: lpFileName="C:\\MSOCache\\*", fInfoLevelId=0x1, lpFindFileData=0x151f784, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x151f784) returned 0x28f398 [0041.013] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f784 | out: lpFindFileData=0x151f784) returned 1 [0041.014] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f784 | out: lpFindFileData=0x151f784) returned 1 [0041.014] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f784 | out: lpFindFileData=0x151f784) returned 0 [0041.014] GetLastError () returned 0x12 [0041.014] FindFirstFileExW (in: lpFileName="C:\\MSOCache\\*", fInfoLevelId=0x1, lpFindFileData=0x151f784, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x151f784) returned 0x2906d0 [0041.014] FindClose (in: hFindFile=0x28f398 | out: hFindFile=0x28f398) returned 1 [0041.014] FindNextFileW (in: hFindFile=0x2906d0, lpFindFileData=0x151f784 | out: lpFindFileData=0x151f784) returned 1 [0041.014] FindNextFileW (in: hFindFile=0x2906d0, lpFindFileData=0x151f784 | out: lpFindFileData=0x151f784) returned 1 [0041.114] CreateFileW (lpFileName="C:\\MSOCache\\All Users" (normalized: "c:\\msocache\\all users"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2200000, hTemplateFile=0x0) returned 0x180 [0041.114] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x151f6fc, lpLastWriteTime=0x151f6fc) returned 0 [0041.114] DeviceIoControl (in: hDevice=0x180, dwIoControlCode=0x900a8, lpInBuffer=0x0, nInBufferSize=0x0, lpOutBuffer=0xae9a40, nOutBufferSize=0x4000, lpBytesReturned=0x151f754, lpOverlapped=0x0 | out: lpOutBuffer=0xae9a40, lpBytesReturned=0x151f754, lpOverlapped=0x0) returned 0 [0041.114] FindFirstFileExW (in: lpFileName="C:\\MSOCache\\All Users\\*", fInfoLevelId=0x1, lpFindFileData=0x151f4c4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x151f4c4) returned 0x28f398 [0041.485] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0041.513] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0041.514] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0041.515] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0041.515] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0041.515] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0041.516] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0041.518] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0041.518] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0041.520] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0041.521] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0041.521] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0041.521] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0041.521] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0041.522] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0041.552] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0041.552] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0041.552] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0041.552] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 0 [0041.552] GetLastError () returned 0x12 [0041.552] FindFirstFileExW (in: lpFileName="C:\\MSOCache\\All Users\\*", fInfoLevelId=0x1, lpFindFileData=0x151f4c4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x151f4c4) returned 0x290710 [0041.552] FindClose (in: hFindFile=0x28f398 | out: hFindFile=0x28f398) returned 1 [0041.552] FindNextFileW (in: hFindFile=0x290710, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0041.552] FindNextFileW (in: hFindFile=0x290710, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0041.660] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2200000, hTemplateFile=0x0) returned 0x180 [0041.660] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x151f43c, lpLastWriteTime=0x151f43c) returned 0 [0041.660] DeviceIoControl (in: hDevice=0x180, dwIoControlCode=0x900a8, lpInBuffer=0x0, nInBufferSize=0x0, lpOutBuffer=0xae9a40, nOutBufferSize=0x4000, lpBytesReturned=0x151f494, lpOverlapped=0x0 | out: lpOutBuffer=0xae9a40, lpBytesReturned=0x151f494, lpOverlapped=0x0) returned 0 [0041.660] FindFirstFileExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\*", fInfoLevelId=0x1, lpFindFileData=0x151f204, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x151f204) returned 0x290750 [0041.660] FindNextFileW (in: hFindFile=0x290750, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0041.661] FindNextFileW (in: hFindFile=0x290750, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0041.661] FindNextFileW (in: hFindFile=0x290750, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0041.661] FindNextFileW (in: hFindFile=0x290750, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0041.661] FindNextFileW (in: hFindFile=0x290750, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0041.661] FindNextFileW (in: hFindFile=0x290750, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 0 [0041.661] GetLastError () returned 0x12 [0041.965] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excellr.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x248 [0041.965] SetFileTime (hFile=0x248, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0041.965] GetFileTime (in: hFile=0x248, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178 | out: lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178*(dwLowDateTime=0xed035930, dwHighDateTime=0x1d301be)) returned 1 [0041.966] CryptGenKey (in: hProv=0x2889e8, Algid=0x6801, dwFlags=0x800001, phKey=0x151f0d4 | out: phKey=0x151f0d4*=0x28f398) returned 1 [0041.966] CryptExportKey (in: hKey=0x28f398, hExpKey=0x289ec0, dwBlobType=0x1, dwFlags=0x0, pbData=0xb35138, pdwDataLen=0x151f0d8 | out: pbData=0xb35138*, pdwDataLen=0x151f0d8*=0x8c) returned 1 [0041.967] ReadFile (in: hFile=0x248, lpBuffer=0x18e0020, nNumberOfBytesToRead=0xa00000, lpNumberOfBytesRead=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0x18e0020*, lpNumberOfBytesRead=0x151f0e0*=0xa00000, lpOverlapped=0x0) returned 1 [0044.860] CryptEncrypt (in: hKey=0x28f398, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d00020*, pdwDataLen=0x151f0d0*=0xa00000, dwBufLen=0xa00008 | out: pbData=0x2d00020*, pdwDataLen=0x151f0d0*=0xa00000) returned 1 [0046.759] ReadFile (in: hFile=0x248, lpBuffer=0x22f0020, nNumberOfBytesToRead=0x62fcbb, lpNumberOfBytesRead=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0x22f0020*, lpNumberOfBytesRead=0x151f0e0*=0x62fcbb, lpOverlapped=0x0) returned 1 [0047.754] CryptEncrypt (in: hKey=0x28f398, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2920020*, pdwDataLen=0x151f0d0*=0x62fcbb, dwBufLen=0x62fcc3 | out: pbData=0x2920020*, pdwDataLen=0x151f0d0*=0x62fcbb) returned 1 [0049.198] SetFileTime (hFile=0x248, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0049.198] NtClose (Handle=0x248) returned 0x0 [0049.198] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excellr.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab.locked" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excellr.cab.locked")) returned 1 [0049.209] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab.locked", dwFileAttributes=0x2020) returned 1 [0049.209] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab.readme_txt", dwFileAttributes=0x80) returned 0 [0049.209] GetLastError () returned 0x2 [0049.209] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excellr.cab.readme_txt"), fInfoLevelId=0x0, lpFileInformation=0x151f070 | out: lpFileInformation=0x151f070*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x868e92, ftLastWriteTime.dwLowDateTime=0x80, ftLastWriteTime.dwHighDateTime=0x151f1d4, nFileSizeHigh=0x0, nFileSizeLow=0x151f1a4)) returned 0 [0049.209] GetLastError () returned 0x2 [0049.209] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excellr.cab.readme_txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x248 [0049.210] SetFileTime (hFile=0x248, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0049.210] WriteFile (in: hFile=0x248, lpBuffer=0xae7b50*, nNumberOfBytesToWrite=0x3a4, lpNumberOfBytesWritten=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0xae7b50*, lpNumberOfBytesWritten=0x151f0e0*=0x3a4, lpOverlapped=0x0) returned 1 [0049.211] SetFileTime (hFile=0x248, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0049.211] NtClose (Handle=0x248) returned 0x0 [0049.212] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelLR.cab.readme_txt", dwFileAttributes=0x2020) returned 1 [0049.257] CryptDestroyKey (hKey=0x28f398) returned 1 [0049.257] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x248 [0049.258] SetFileTime (hFile=0x248, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0049.258] GetFileTime (in: hFile=0x248, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178 | out: lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178*(dwLowDateTime=0xece1ee80, dwHighDateTime=0x1d301be)) returned 1 [0049.258] CryptGenKey (in: hProv=0x2889e8, Algid=0x6801, dwFlags=0x800001, phKey=0x151f0d4 | out: phKey=0x151f0d4*=0x28f398) returned 1 [0049.258] CryptExportKey (in: hKey=0x28f398, hExpKey=0x289ec0, dwBlobType=0x1, dwFlags=0x0, pbData=0xb35138, pdwDataLen=0x151f0d8 | out: pbData=0xb35138*, pdwDataLen=0x151f0d8*=0x8c) returned 1 [0049.258] ReadFile (in: hFile=0x248, lpBuffer=0x18e0020, nNumberOfBytesToRead=0x263e00, lpNumberOfBytesRead=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0x18e0020*, lpNumberOfBytesRead=0x151f0e0*=0x263e00, lpOverlapped=0x0) returned 1 [0049.794] CryptEncrypt (in: hKey=0x28f398, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1dc0020*, pdwDataLen=0x151f0d0*=0x263e00, dwBufLen=0x263e08 | out: pbData=0x1dc0020*, pdwDataLen=0x151f0d0*=0x263e00) returned 1 [0049.927] SetFileTime (hFile=0x248, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0049.928] NtClose (Handle=0x248) returned 0x0 [0049.928] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi.locked" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.msi.locked")) returned 1 [0049.928] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi.locked", dwFileAttributes=0x2020) returned 1 [0049.928] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi.readme_txt", dwFileAttributes=0x80) returned 0 [0049.928] GetLastError () returned 0x2 [0049.928] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.msi.readme_txt"), fInfoLevelId=0x0, lpFileInformation=0x151f070 | out: lpFileInformation=0x151f070*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x868e92, ftLastWriteTime.dwLowDateTime=0x80, ftLastWriteTime.dwHighDateTime=0x151f1d4, nFileSizeHigh=0x0, nFileSizeLow=0x151f1a4)) returned 0 [0049.928] GetLastError () returned 0x2 [0049.928] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.msi.readme_txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x248 [0049.929] SetFileTime (hFile=0x248, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0049.929] WriteFile (in: hFile=0x248, lpBuffer=0xae7b50*, nNumberOfBytesToWrite=0x3a4, lpNumberOfBytesWritten=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0xae7b50*, lpNumberOfBytesWritten=0x151f0e0*=0x3a4, lpOverlapped=0x0) returned 1 [0049.929] SetFileTime (hFile=0x248, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0049.929] NtClose (Handle=0x248) returned 0x0 [0049.930] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.msi.readme_txt", dwFileAttributes=0x2020) returned 1 [0050.151] CryptDestroyKey (hKey=0x28f398) returned 1 [0050.151] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x248 [0050.151] SetFileTime (hFile=0x248, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0050.151] GetFileTime (in: hFile=0x248, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178 | out: lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178*(dwLowDateTime=0xecdfa490, dwHighDateTime=0x1d301be)) returned 1 [0050.151] CryptGenKey (in: hProv=0x2889e8, Algid=0x6801, dwFlags=0x800001, phKey=0x151f0d4 | out: phKey=0x151f0d4*=0x28f398) returned 1 [0050.151] CryptExportKey (in: hKey=0x28f398, hExpKey=0x289ec0, dwBlobType=0x1, dwFlags=0x0, pbData=0xb35138, pdwDataLen=0x151f0d8 | out: pbData=0xb35138*, pdwDataLen=0x151f0d8*=0x8c) returned 1 [0050.151] ReadFile (in: hFile=0x248, lpBuffer=0xb3e220, nNumberOfBytesToRead=0x61d, lpNumberOfBytesRead=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0xb3e220*, lpNumberOfBytesRead=0x151f0e0*=0x61d, lpOverlapped=0x0) returned 1 [0050.159] CryptEncrypt (in: hKey=0x28f398, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xb2b9e0*, pdwDataLen=0x151f0d0*=0x61d, dwBufLen=0x625 | out: pbData=0xb2b9e0*, pdwDataLen=0x151f0d0*=0x61d) returned 1 [0050.171] SetFileTime (hFile=0x248, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0050.171] NtClose (Handle=0x248) returned 0x0 [0050.171] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.xml"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml.locked" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.xml.locked")) returned 1 [0050.171] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml.locked", dwFileAttributes=0x2020) returned 1 [0050.172] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml.readme_txt", dwFileAttributes=0x80) returned 0 [0050.172] GetLastError () returned 0x2 [0050.172] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.xml.readme_txt"), fInfoLevelId=0x0, lpFileInformation=0x151f070 | out: lpFileInformation=0x151f070*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x868e92, ftLastWriteTime.dwLowDateTime=0x80, ftLastWriteTime.dwHighDateTime=0x151f1d4, nFileSizeHigh=0x0, nFileSizeLow=0x151f1a4)) returned 0 [0050.172] GetLastError () returned 0x2 [0050.172] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\excelmui.xml.readme_txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x248 [0050.172] SetFileTime (hFile=0x248, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0050.172] WriteFile (in: hFile=0x248, lpBuffer=0xae7b50*, nNumberOfBytesToWrite=0x3a4, lpNumberOfBytesWritten=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0xae7b50*, lpNumberOfBytesWritten=0x151f0e0*=0x3a4, lpOverlapped=0x0) returned 1 [0050.173] SetFileTime (hFile=0x248, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0050.173] NtClose (Handle=0x248) returned 0x0 [0050.173] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\ExcelMUI.xml.readme_txt", dwFileAttributes=0x2020) returned 1 [0050.173] CryptDestroyKey (hKey=0x28f398) returned 1 [0050.174] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x248 [0050.174] SetFileTime (hFile=0x248, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0050.174] GetFileTime (in: hFile=0x248, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178 | out: lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178*(dwLowDateTime=0xee38cbf0, dwHighDateTime=0x1d301be)) returned 1 [0050.174] CryptGenKey (in: hProv=0x2889e8, Algid=0x6801, dwFlags=0x800001, phKey=0x151f0d4 | out: phKey=0x151f0d4*=0x28f398) returned 1 [0050.174] CryptExportKey (in: hKey=0x28f398, hExpKey=0x289ec0, dwBlobType=0x1, dwFlags=0x0, pbData=0xb35138, pdwDataLen=0x151f0d8 | out: pbData=0xb35138*, pdwDataLen=0x151f0d8*=0x8c) returned 1 [0050.174] ReadFile (in: hFile=0x248, lpBuffer=0xb86c38, nNumberOfBytesToRead=0x8f8, lpNumberOfBytesRead=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0xb86c38*, lpNumberOfBytesRead=0x151f0e0*=0x8f8, lpOverlapped=0x0) returned 1 [0050.198] CryptEncrypt (in: hKey=0x28f398, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xb58738*, pdwDataLen=0x151f0d0*=0x8f8, dwBufLen=0x900 | out: pbData=0xb58738*, pdwDataLen=0x151f0d0*=0x8f8) returned 1 [0050.208] SetFileTime (hFile=0x248, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0050.208] NtClose (Handle=0x248) returned 0x0 [0050.208] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml.locked" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\setup.xml.locked")) returned 1 [0050.209] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml.locked", dwFileAttributes=0x2020) returned 1 [0050.209] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml.readme_txt", dwFileAttributes=0x80) returned 0 [0050.209] GetLastError () returned 0x2 [0050.209] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\setup.xml.readme_txt"), fInfoLevelId=0x0, lpFileInformation=0x151f070 | out: lpFileInformation=0x151f070*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x868e92, ftLastWriteTime.dwLowDateTime=0x80, ftLastWriteTime.dwHighDateTime=0x151f1d4, nFileSizeHigh=0x0, nFileSizeLow=0x151f1a4)) returned 0 [0050.209] GetLastError () returned 0x2 [0050.209] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-0016-0409-1000-0000000ff1ce}-c\\setup.xml.readme_txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x248 [0050.209] SetFileTime (hFile=0x248, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0050.209] WriteFile (in: hFile=0x248, lpBuffer=0xae7b50*, nNumberOfBytesToWrite=0x3a4, lpNumberOfBytesWritten=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0xae7b50*, lpNumberOfBytesWritten=0x151f0e0*=0x3a4, lpOverlapped=0x0) returned 1 [0050.210] SetFileTime (hFile=0x248, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0050.210] NtClose (Handle=0x248) returned 0x0 [0050.210] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\Setup.xml.readme_txt", dwFileAttributes=0x2020) returned 1 [0050.211] CryptDestroyKey (hKey=0x28f398) returned 1 [0050.211] FindFirstFileExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0016-0409-1000-0000000FF1CE}-C\\*", fInfoLevelId=0x1, lpFindFileData=0x151f204, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x151f204) returned 0x28f398 [0050.211] FindClose (in: hFindFile=0x290750 | out: hFindFile=0x290750) returned 1 [0050.211] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0050.211] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0050.211] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0050.211] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0050.211] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0050.211] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0050.211] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0050.211] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0050.211] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0050.211] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 0 [0050.211] GetLastError () returned 0x12 [0050.211] FindNextFileW (in: hFindFile=0x290710, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0050.212] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2200000, hTemplateFile=0x0) returned 0x248 [0050.212] SetFileTime (hFile=0x248, lpCreationTime=0x0, lpLastAccessTime=0x151f43c, lpLastWriteTime=0x151f43c) returned 0 [0050.212] DeviceIoControl (in: hDevice=0x248, dwIoControlCode=0x900a8, lpInBuffer=0x0, nInBufferSize=0x0, lpOutBuffer=0xae9a40, nOutBufferSize=0x4000, lpBytesReturned=0x151f494, lpOverlapped=0x0 | out: lpOutBuffer=0xae9a40, lpBytesReturned=0x151f494, lpOverlapped=0x0) returned 0 [0050.212] FindFirstFileExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\*", fInfoLevelId=0x1, lpFindFileData=0x151f204, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x151f204) returned 0x290750 [0050.233] FindNextFileW (in: hFindFile=0x290750, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0050.233] FindNextFileW (in: hFindFile=0x290750, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0050.233] FindNextFileW (in: hFindFile=0x290750, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0050.233] FindNextFileW (in: hFindFile=0x290750, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0050.233] FindNextFileW (in: hFindFile=0x290750, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0050.233] FindNextFileW (in: hFindFile=0x290750, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 0 [0050.233] GetLastError () returned 0x12 [0050.234] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0050.234] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0050.234] GetFileTime (in: hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178 | out: lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178*(dwLowDateTime=0xe874f770, dwHighDateTime=0x1d301be)) returned 1 [0050.234] CryptGenKey (in: hProv=0x2889e8, Algid=0x6801, dwFlags=0x800001, phKey=0x151f0d4 | out: phKey=0x151f0d4*=0x28f398) returned 1 [0050.234] CryptExportKey (in: hKey=0x28f398, hExpKey=0x289ec0, dwBlobType=0x1, dwFlags=0x0, pbData=0xb35138, pdwDataLen=0x151f0d8 | out: pbData=0xb35138*, pdwDataLen=0x151f0d8*=0x8c) returned 1 [0050.234] ReadFile (in: hFile=0x180, lpBuffer=0x18e0020, nNumberOfBytesToRead=0x263400, lpNumberOfBytesRead=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0x18e0020*, lpNumberOfBytesRead=0x151f0e0*=0x263400, lpOverlapped=0x0) returned 1 [0050.815] CryptEncrypt (in: hKey=0x28f398, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1dc0020*, pdwDataLen=0x151f0d0*=0x263400, dwBufLen=0x263408 | out: pbData=0x1dc0020*, pdwDataLen=0x151f0d0*=0x263400) returned 1 [0051.677] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0051.677] NtClose (Handle=0x180) returned 0x0 [0051.677] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi.locked" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.msi.locked")) returned 1 [0051.698] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi.locked", dwFileAttributes=0x2020) returned 1 [0051.698] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi.readme_txt", dwFileAttributes=0x80) returned 0 [0051.698] GetLastError () returned 0x2 [0051.698] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.msi.readme_txt"), fInfoLevelId=0x0, lpFileInformation=0x151f070 | out: lpFileInformation=0x151f070*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x868e92, ftLastWriteTime.dwLowDateTime=0x80, ftLastWriteTime.dwHighDateTime=0x151f1d4, nFileSizeHigh=0x0, nFileSizeLow=0x151f1a4)) returned 0 [0051.698] GetLastError () returned 0x2 [0051.698] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.msi.readme_txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0051.698] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0051.698] WriteFile (in: hFile=0x180, lpBuffer=0xae7b50*, nNumberOfBytesToWrite=0x3a4, lpNumberOfBytesWritten=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0xae7b50*, lpNumberOfBytesWritten=0x151f0e0*=0x3a4, lpOverlapped=0x0) returned 1 [0051.699] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0051.699] NtClose (Handle=0x180) returned 0x0 [0051.700] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.msi.readme_txt", dwFileAttributes=0x2020) returned 1 [0051.711] CryptDestroyKey (hKey=0x28f398) returned 1 [0051.712] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0051.713] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0051.713] GetFileTime (in: hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178 | out: lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178*(dwLowDateTime=0xe8728670, dwHighDateTime=0x1d301be)) returned 1 [0051.713] CryptGenKey (in: hProv=0x2889e8, Algid=0x6801, dwFlags=0x800001, phKey=0x151f0d4 | out: phKey=0x151f0d4*=0x28f398) returned 1 [0051.713] CryptExportKey (in: hKey=0x28f398, hExpKey=0x289ec0, dwBlobType=0x1, dwFlags=0x0, pbData=0xb35138, pdwDataLen=0x151f0d8 | out: pbData=0xb35138*, pdwDataLen=0x151f0d8*=0x8c) returned 1 [0051.713] ReadFile (in: hFile=0x180, lpBuffer=0xb3e220, nNumberOfBytesToRead=0x5aa, lpNumberOfBytesRead=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0xb3e220*, lpNumberOfBytesRead=0x151f0e0*=0x5aa, lpOverlapped=0x0) returned 1 [0051.730] CryptEncrypt (in: hKey=0x28f398, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xb2b9e0*, pdwDataLen=0x151f0d0*=0x5aa, dwBufLen=0x5b2 | out: pbData=0xb2b9e0*, pdwDataLen=0x151f0d0*=0x5aa) returned 1 [0052.033] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0052.033] NtClose (Handle=0x180) returned 0x0 [0052.033] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.xml"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml.locked" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.xml.locked")) returned 1 [0052.033] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml.locked", dwFileAttributes=0x2020) returned 1 [0052.034] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml.readme_txt", dwFileAttributes=0x80) returned 0 [0052.034] GetLastError () returned 0x2 [0052.034] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.xml.readme_txt"), fInfoLevelId=0x0, lpFileInformation=0x151f070 | out: lpFileInformation=0x151f070*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x868e92, ftLastWriteTime.dwLowDateTime=0x80, ftLastWriteTime.dwHighDateTime=0x151f1d4, nFileSizeHigh=0x0, nFileSizeLow=0x151f1a4)) returned 0 [0052.034] GetLastError () returned 0x2 [0052.034] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\powerpointmui.xml.readme_txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0052.034] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0052.034] WriteFile (in: hFile=0x180, lpBuffer=0xae7b50*, nNumberOfBytesToWrite=0x3a4, lpNumberOfBytesWritten=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0xae7b50*, lpNumberOfBytesWritten=0x151f0e0*=0x3a4, lpOverlapped=0x0) returned 1 [0052.035] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0052.035] NtClose (Handle=0x180) returned 0x0 [0052.035] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PowerPointMUI.xml.readme_txt", dwFileAttributes=0x2020) returned 1 [0052.035] CryptDestroyKey (hKey=0x28f398) returned 1 [0052.039] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\pptlr.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0052.039] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0052.039] GetFileTime (in: hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178 | out: lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178*(dwLowDateTime=0xe8b079d0, dwHighDateTime=0x1d301be)) returned 1 [0052.039] CryptGenKey (in: hProv=0x2889e8, Algid=0x6801, dwFlags=0x800001, phKey=0x151f0d4 | out: phKey=0x151f0d4*=0x28f398) returned 1 [0052.039] CryptExportKey (in: hKey=0x28f398, hExpKey=0x289ec0, dwBlobType=0x1, dwFlags=0x0, pbData=0xb35138, pdwDataLen=0x151f0d8 | out: pbData=0xb35138*, pdwDataLen=0x151f0d8*=0x8c) returned 1 [0052.039] ReadFile (in: hFile=0x180, lpBuffer=0x18e0020, nNumberOfBytesToRead=0xa00000, lpNumberOfBytesRead=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0x18e0020*, lpNumberOfBytesRead=0x151f0e0*=0xa00000, lpOverlapped=0x0) returned 1 [0053.784] CryptEncrypt (in: hKey=0x28f398, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d00020*, pdwDataLen=0x151f0d0*=0xa00000, dwBufLen=0xa00008 | out: pbData=0x2d00020*, pdwDataLen=0x151f0d0*=0xa00000) returned 1 [0054.780] ReadFile (in: hFile=0x180, lpBuffer=0x22f0020, nNumberOfBytesToRead=0xa00000, lpNumberOfBytesRead=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0x22f0020*, lpNumberOfBytesRead=0x151f0e0*=0xa00000, lpOverlapped=0x0) returned 1 [0055.398] CryptEncrypt (in: hKey=0x28f398, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d00020*, pdwDataLen=0x151f0d0*=0xa00000, dwBufLen=0xa00008 | out: pbData=0x2d00020*, pdwDataLen=0x151f0d0*=0xa00000) returned 1 [0055.664] ReadFile (in: hFile=0x180, lpBuffer=0x22f0020, nNumberOfBytesToRead=0xa00000, lpNumberOfBytesRead=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0x22f0020*, lpNumberOfBytesRead=0x151f0e0*=0xa00000, lpOverlapped=0x0) returned 1 [0056.841] CryptEncrypt (in: hKey=0x28f398, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d00020*, pdwDataLen=0x151f0d0*=0xa00000, dwBufLen=0xa00008 | out: pbData=0x2d00020*, pdwDataLen=0x151f0d0*=0xa00000) returned 1 [0057.727] ReadFile (in: hFile=0x180, lpBuffer=0x22f0020, nNumberOfBytesToRead=0xa00000, lpNumberOfBytesRead=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0x22f0020*, lpNumberOfBytesRead=0x151f0e0*=0xa00000, lpOverlapped=0x0) returned 1 [0058.959] CryptEncrypt (in: hKey=0x28f398, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d00020*, pdwDataLen=0x151f0d0*=0xa00000, dwBufLen=0xa00008 | out: pbData=0x2d00020*, pdwDataLen=0x151f0d0*=0xa00000) returned 1 [0060.038] ReadFile (in: hFile=0x180, lpBuffer=0x22f0020, nNumberOfBytesToRead=0xa00000, lpNumberOfBytesRead=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0x22f0020*, lpNumberOfBytesRead=0x151f0e0*=0xa00000, lpOverlapped=0x0) returned 1 [0061.363] CryptEncrypt (in: hKey=0x28f398, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d00020*, pdwDataLen=0x151f0d0*=0xa00000, dwBufLen=0xa00008 | out: pbData=0x2d00020*, pdwDataLen=0x151f0d0*=0xa00000) returned 1 [0061.987] ReadFile (in: hFile=0x180, lpBuffer=0x22f0020, nNumberOfBytesToRead=0xa00000, lpNumberOfBytesRead=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0x22f0020*, lpNumberOfBytesRead=0x151f0e0*=0xa00000, lpOverlapped=0x0) returned 1 [0062.724] CryptEncrypt (in: hKey=0x28f398, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d00020*, pdwDataLen=0x151f0d0*=0xa00000, dwBufLen=0xa00008 | out: pbData=0x2d00020*, pdwDataLen=0x151f0d0*=0xa00000) returned 1 [0063.686] ReadFile (in: hFile=0x180, lpBuffer=0x22f0020, nNumberOfBytesToRead=0x71a290, lpNumberOfBytesRead=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0x22f0020*, lpNumberOfBytesRead=0x151f0e0*=0x71a290, lpOverlapped=0x0) returned 1 [0063.964] CryptEncrypt (in: hKey=0x28f398, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x22f0020*, pdwDataLen=0x151f0d0*=0x71a290, dwBufLen=0x71a298 | out: pbData=0x22f0020*, pdwDataLen=0x151f0d0*=0x71a290) returned 1 [0064.146] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0064.146] NtClose (Handle=0x180) returned 0x0 [0064.146] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\pptlr.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab.locked" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\pptlr.cab.locked")) returned 1 [0064.147] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab.locked", dwFileAttributes=0x2020) returned 1 [0064.147] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab.readme_txt", dwFileAttributes=0x80) returned 0 [0064.147] GetLastError () returned 0x2 [0064.147] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\pptlr.cab.readme_txt"), fInfoLevelId=0x0, lpFileInformation=0x151f070 | out: lpFileInformation=0x151f070*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x868e92, ftLastWriteTime.dwLowDateTime=0x80, ftLastWriteTime.dwHighDateTime=0x151f1d4, nFileSizeHigh=0x0, nFileSizeLow=0x151f1a4)) returned 0 [0064.147] GetLastError () returned 0x2 [0064.147] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\pptlr.cab.readme_txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0064.147] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0064.147] WriteFile (in: hFile=0x180, lpBuffer=0xae7b50*, nNumberOfBytesToWrite=0x3a4, lpNumberOfBytesWritten=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0xae7b50*, lpNumberOfBytesWritten=0x151f0e0*=0x3a4, lpOverlapped=0x0) returned 1 [0064.148] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0064.148] NtClose (Handle=0x180) returned 0x0 [0064.148] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\PptLR.cab.readme_txt", dwFileAttributes=0x2020) returned 1 [0064.182] CryptDestroyKey (hKey=0x28f398) returned 1 [0064.182] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0064.182] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0064.182] GetFileTime (in: hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178 | out: lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178*(dwLowDateTime=0xecdfa490, dwHighDateTime=0x1d301be)) returned 1 [0064.182] CryptGenKey (in: hProv=0x2889e8, Algid=0x6801, dwFlags=0x800001, phKey=0x151f0d4 | out: phKey=0x151f0d4*=0x28f398) returned 1 [0064.182] CryptExportKey (in: hKey=0x28f398, hExpKey=0x289ec0, dwBlobType=0x1, dwFlags=0x0, pbData=0xb35138, pdwDataLen=0x151f0d8 | out: pbData=0xb35138*, pdwDataLen=0x151f0d8*=0x8c) returned 1 [0064.182] ReadFile (in: hFile=0x180, lpBuffer=0xb2b9e0, nNumberOfBytesToRead=0x75e, lpNumberOfBytesRead=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0xb2b9e0*, lpNumberOfBytesRead=0x151f0e0*=0x75e, lpOverlapped=0x0) returned 1 [0064.184] CryptEncrypt (in: hKey=0x28f398, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xb427d8*, pdwDataLen=0x151f0d0*=0x75e, dwBufLen=0x766 | out: pbData=0xb427d8*, pdwDataLen=0x151f0d0*=0x75e) returned 1 [0064.186] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0064.186] NtClose (Handle=0x180) returned 0x0 [0064.186] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml.locked" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\setup.xml.locked")) returned 1 [0064.186] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml.locked", dwFileAttributes=0x2020) returned 1 [0064.187] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml.readme_txt", dwFileAttributes=0x80) returned 0 [0064.187] GetLastError () returned 0x2 [0064.187] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\setup.xml.readme_txt"), fInfoLevelId=0x0, lpFileInformation=0x151f070 | out: lpFileInformation=0x151f070*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x868e92, ftLastWriteTime.dwLowDateTime=0x80, ftLastWriteTime.dwHighDateTime=0x151f1d4, nFileSizeHigh=0x0, nFileSizeLow=0x151f1a4)) returned 0 [0064.187] GetLastError () returned 0x2 [0064.187] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-0018-0409-1000-0000000ff1ce}-c\\setup.xml.readme_txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0064.187] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0064.187] WriteFile (in: hFile=0x180, lpBuffer=0xae7b50*, nNumberOfBytesToWrite=0x3a4, lpNumberOfBytesWritten=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0xae7b50*, lpNumberOfBytesWritten=0x151f0e0*=0x3a4, lpOverlapped=0x0) returned 1 [0064.188] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0064.188] NtClose (Handle=0x180) returned 0x0 [0064.188] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\Setup.xml.readme_txt", dwFileAttributes=0x2020) returned 1 [0064.188] CryptDestroyKey (hKey=0x28f398) returned 1 [0064.189] FindFirstFileExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0018-0409-1000-0000000FF1CE}-C\\*", fInfoLevelId=0x1, lpFindFileData=0x151f204, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x151f204) returned 0x28f398 [0064.189] FindClose (in: hFindFile=0x290750 | out: hFindFile=0x290750) returned 1 [0064.189] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0064.189] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0064.189] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0064.189] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0064.189] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0064.189] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0064.189] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0064.189] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0064.189] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0064.189] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 0 [0064.189] GetLastError () returned 0x12 [0064.189] FindNextFileW (in: hFindFile=0x290710, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0064.190] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2200000, hTemplateFile=0x0) returned 0x180 [0064.190] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x151f43c, lpLastWriteTime=0x151f43c) returned 0 [0064.190] DeviceIoControl (in: hDevice=0x180, dwIoControlCode=0x900a8, lpInBuffer=0x0, nInBufferSize=0x0, lpOutBuffer=0xae9a40, nOutBufferSize=0x4000, lpBytesReturned=0x151f494, lpOverlapped=0x0 | out: lpOutBuffer=0xae9a40, lpBytesReturned=0x151f494, lpOverlapped=0x0) returned 0 [0064.190] FindFirstFileExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\*", fInfoLevelId=0x1, lpFindFileData=0x151f204, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x151f204) returned 0x290750 [0064.200] FindNextFileW (in: hFindFile=0x290750, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0064.201] FindNextFileW (in: hFindFile=0x290750, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0064.201] FindNextFileW (in: hFindFile=0x290750, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0064.201] FindNextFileW (in: hFindFile=0x290750, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0064.201] FindNextFileW (in: hFindFile=0x290750, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0064.201] FindNextFileW (in: hFindFile=0x290750, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 0 [0064.201] GetLastError () returned 0x12 [0064.201] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x248 [0064.202] SetFileTime (hFile=0x248, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0064.202] GetFileTime (in: hFile=0x248, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178 | out: lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178*(dwLowDateTime=0xfc40b730, dwHighDateTime=0x1d301be)) returned 1 [0064.202] CryptGenKey (in: hProv=0x2889e8, Algid=0x6801, dwFlags=0x800001, phKey=0x151f0d4 | out: phKey=0x151f0d4*=0x28f398) returned 1 [0064.202] CryptExportKey (in: hKey=0x28f398, hExpKey=0x289ec0, dwBlobType=0x1, dwFlags=0x0, pbData=0xb35138, pdwDataLen=0x151f0d8 | out: pbData=0xb35138*, pdwDataLen=0x151f0d8*=0x8c) returned 1 [0064.202] ReadFile (in: hFile=0x248, lpBuffer=0x18e0020, nNumberOfBytesToRead=0x265c00, lpNumberOfBytesRead=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0x18e0020*, lpNumberOfBytesRead=0x151f0e0*=0x265c00, lpOverlapped=0x0) returned 1 [0064.361] CryptEncrypt (in: hKey=0x28f398, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1dc0020*, pdwDataLen=0x151f0d0*=0x265c00, dwBufLen=0x265c08 | out: pbData=0x1dc0020*, pdwDataLen=0x151f0d0*=0x265c00) returned 1 [0064.407] SetFileTime (hFile=0x248, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0064.407] NtClose (Handle=0x248) returned 0x0 [0064.407] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi.locked" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.msi.locked")) returned 1 [0064.409] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi.locked", dwFileAttributes=0x2020) returned 1 [0064.410] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi.readme_txt", dwFileAttributes=0x80) returned 0 [0064.410] GetLastError () returned 0x2 [0064.410] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.msi.readme_txt"), fInfoLevelId=0x0, lpFileInformation=0x151f070 | out: lpFileInformation=0x151f070*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x868e92, ftLastWriteTime.dwLowDateTime=0x80, ftLastWriteTime.dwHighDateTime=0x151f1d4, nFileSizeHigh=0x0, nFileSizeLow=0x151f1a4)) returned 0 [0064.410] GetLastError () returned 0x2 [0064.410] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.msi.readme_txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x248 [0064.410] SetFileTime (hFile=0x248, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0064.410] WriteFile (in: hFile=0x248, lpBuffer=0xae7b50*, nNumberOfBytesToWrite=0x3a4, lpNumberOfBytesWritten=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0xae7b50*, lpNumberOfBytesWritten=0x151f0e0*=0x3a4, lpOverlapped=0x0) returned 1 [0064.411] SetFileTime (hFile=0x248, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0064.411] NtClose (Handle=0x248) returned 0x0 [0064.411] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.msi.readme_txt", dwFileAttributes=0x2020) returned 1 [0064.420] CryptDestroyKey (hKey=0x28f398) returned 1 [0064.420] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x248 [0064.420] SetFileTime (hFile=0x248, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0064.420] GetFileTime (in: hFile=0x248, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178 | out: lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178*(dwLowDateTime=0xfc3e4630, dwHighDateTime=0x1d301be)) returned 1 [0064.420] CryptGenKey (in: hProv=0x2889e8, Algid=0x6801, dwFlags=0x800001, phKey=0x151f0d4 | out: phKey=0x151f0d4*=0x28f398) returned 1 [0064.420] CryptExportKey (in: hKey=0x28f398, hExpKey=0x289ec0, dwBlobType=0x1, dwFlags=0x0, pbData=0xb35138, pdwDataLen=0x151f0d8 | out: pbData=0xb35138*, pdwDataLen=0x151f0d8*=0x8c) returned 1 [0064.420] ReadFile (in: hFile=0x248, lpBuffer=0xb3e220, nNumberOfBytesToRead=0x5aa, lpNumberOfBytesRead=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0xb3e220*, lpNumberOfBytesRead=0x151f0e0*=0x5aa, lpOverlapped=0x0) returned 1 [0064.422] CryptEncrypt (in: hKey=0x28f398, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xb2b9e0*, pdwDataLen=0x151f0d0*=0x5aa, dwBufLen=0x5b2 | out: pbData=0xb2b9e0*, pdwDataLen=0x151f0d0*=0x5aa) returned 1 [0064.425] SetFileTime (hFile=0x248, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0064.425] NtClose (Handle=0x248) returned 0x0 [0064.425] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.xml"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml.locked" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.xml.locked")) returned 1 [0064.426] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml.locked", dwFileAttributes=0x2020) returned 1 [0064.426] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml.readme_txt", dwFileAttributes=0x80) returned 0 [0064.426] GetLastError () returned 0x2 [0064.426] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.xml.readme_txt"), fInfoLevelId=0x0, lpFileInformation=0x151f070 | out: lpFileInformation=0x151f070*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x868e92, ftLastWriteTime.dwLowDateTime=0x80, ftLastWriteTime.dwHighDateTime=0x151f1d4, nFileSizeHigh=0x0, nFileSizeLow=0x151f1a4)) returned 0 [0064.426] GetLastError () returned 0x2 [0064.426] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publishermui.xml.readme_txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x248 [0064.426] SetFileTime (hFile=0x248, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0064.426] WriteFile (in: hFile=0x248, lpBuffer=0xae7b50*, nNumberOfBytesToWrite=0x3a4, lpNumberOfBytesWritten=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0xae7b50*, lpNumberOfBytesWritten=0x151f0e0*=0x3a4, lpOverlapped=0x0) returned 1 [0064.427] SetFileTime (hFile=0x248, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0064.427] NtClose (Handle=0x248) returned 0x0 [0064.428] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PublisherMUI.xml.readme_txt", dwFileAttributes=0x2020) returned 1 [0064.428] CryptDestroyKey (hKey=0x28f398) returned 1 [0064.428] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publr.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x248 [0064.428] SetFileTime (hFile=0x248, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0064.428] GetFileTime (in: hFile=0x248, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178 | out: lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178*(dwLowDateTime=0xfc47e320, dwHighDateTime=0x1d301be)) returned 1 [0064.428] CryptGenKey (in: hProv=0x2889e8, Algid=0x6801, dwFlags=0x800001, phKey=0x151f0d4 | out: phKey=0x151f0d4*=0x28f398) returned 1 [0064.429] CryptExportKey (in: hKey=0x28f398, hExpKey=0x289ec0, dwBlobType=0x1, dwFlags=0x0, pbData=0xb35138, pdwDataLen=0x151f0d8 | out: pbData=0xb35138*, pdwDataLen=0x151f0d8*=0x8c) returned 1 [0064.429] ReadFile (in: hFile=0x248, lpBuffer=0x18e0020, nNumberOfBytesToRead=0x97f3f4, lpNumberOfBytesRead=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0x18e0020*, lpNumberOfBytesRead=0x151f0e0*=0x97f3f4, lpOverlapped=0x0) returned 1 [0064.960] CryptEncrypt (in: hKey=0x28f398, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2260020*, pdwDataLen=0x151f0d0*=0x97f3f4, dwBufLen=0x97f3fc | out: pbData=0x2260020*, pdwDataLen=0x151f0d0*=0x97f3f4) returned 1 [0065.118] SetFileTime (hFile=0x248, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0065.118] NtClose (Handle=0x248) returned 0x0 [0065.118] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publr.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab.locked" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publr.cab.locked")) returned 1 [0065.118] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab.locked", dwFileAttributes=0x2020) returned 1 [0065.119] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab.readme_txt", dwFileAttributes=0x80) returned 0 [0065.119] GetLastError () returned 0x2 [0065.119] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publr.cab.readme_txt"), fInfoLevelId=0x0, lpFileInformation=0x151f070 | out: lpFileInformation=0x151f070*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x868e92, ftLastWriteTime.dwLowDateTime=0x80, ftLastWriteTime.dwHighDateTime=0x151f1d4, nFileSizeHigh=0x0, nFileSizeLow=0x151f1a4)) returned 0 [0065.119] GetLastError () returned 0x2 [0065.119] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\publr.cab.readme_txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x248 [0065.119] SetFileTime (hFile=0x248, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0065.119] WriteFile (in: hFile=0x248, lpBuffer=0xae7b50*, nNumberOfBytesToWrite=0x3a4, lpNumberOfBytesWritten=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0xae7b50*, lpNumberOfBytesWritten=0x151f0e0*=0x3a4, lpOverlapped=0x0) returned 1 [0065.120] SetFileTime (hFile=0x248, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0065.120] NtClose (Handle=0x248) returned 0x0 [0065.120] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\PubLR.cab.readme_txt", dwFileAttributes=0x2020) returned 1 [0065.152] CryptDestroyKey (hKey=0x28f398) returned 1 [0065.152] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x248 [0065.152] SetFileTime (hFile=0x248, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0065.152] GetFileTime (in: hFile=0x248, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178 | out: lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178*(dwLowDateTime=0xfc8a9170, dwHighDateTime=0x1d301be)) returned 1 [0065.152] CryptGenKey (in: hProv=0x2889e8, Algid=0x6801, dwFlags=0x800001, phKey=0x151f0d4 | out: phKey=0x151f0d4*=0x28f398) returned 1 [0065.152] CryptExportKey (in: hKey=0x28f398, hExpKey=0x289ec0, dwBlobType=0x1, dwFlags=0x0, pbData=0xb35138, pdwDataLen=0x151f0d8 | out: pbData=0xb35138*, pdwDataLen=0x151f0d8*=0x8c) returned 1 [0065.152] ReadFile (in: hFile=0x248, lpBuffer=0xb3e220, nNumberOfBytesToRead=0x648, lpNumberOfBytesRead=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0xb3e220*, lpNumberOfBytesRead=0x151f0e0*=0x648, lpOverlapped=0x0) returned 1 [0065.251] CryptEncrypt (in: hKey=0x28f398, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xb2b9e0*, pdwDataLen=0x151f0d0*=0x648, dwBufLen=0x650 | out: pbData=0xb2b9e0*, pdwDataLen=0x151f0d0*=0x648) returned 1 [0065.253] SetFileTime (hFile=0x248, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0065.253] NtClose (Handle=0x248) returned 0x0 [0065.253] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml.locked" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\setup.xml.locked")) returned 1 [0065.254] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml.locked", dwFileAttributes=0x2020) returned 1 [0065.254] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml.readme_txt", dwFileAttributes=0x80) returned 0 [0065.254] GetLastError () returned 0x2 [0065.254] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\setup.xml.readme_txt"), fInfoLevelId=0x0, lpFileInformation=0x151f070 | out: lpFileInformation=0x151f070*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x868e92, ftLastWriteTime.dwLowDateTime=0x80, ftLastWriteTime.dwHighDateTime=0x151f1d4, nFileSizeHigh=0x0, nFileSizeLow=0x151f1a4)) returned 0 [0065.254] GetLastError () returned 0x2 [0065.254] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-0019-0409-1000-0000000ff1ce}-c\\setup.xml.readme_txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x248 [0065.254] SetFileTime (hFile=0x248, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0065.254] WriteFile (in: hFile=0x248, lpBuffer=0xae7b50*, nNumberOfBytesToWrite=0x3a4, lpNumberOfBytesWritten=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0xae7b50*, lpNumberOfBytesWritten=0x151f0e0*=0x3a4, lpOverlapped=0x0) returned 1 [0065.255] SetFileTime (hFile=0x248, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0065.255] NtClose (Handle=0x248) returned 0x0 [0065.256] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\Setup.xml.readme_txt", dwFileAttributes=0x2020) returned 1 [0065.256] CryptDestroyKey (hKey=0x28f398) returned 1 [0065.256] FindFirstFileExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0019-0409-1000-0000000FF1CE}-C\\*", fInfoLevelId=0x1, lpFindFileData=0x151f204, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x151f204) returned 0x28f398 [0065.256] FindClose (in: hFindFile=0x290750 | out: hFindFile=0x290750) returned 1 [0065.256] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0065.256] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0065.256] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0065.256] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0065.256] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0065.256] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0065.256] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0065.256] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0065.256] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0065.256] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 0 [0065.256] GetLastError () returned 0x12 [0065.256] FindNextFileW (in: hFindFile=0x290710, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0065.257] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2200000, hTemplateFile=0x0) returned 0x248 [0065.257] SetFileTime (hFile=0x248, lpCreationTime=0x0, lpLastAccessTime=0x151f43c, lpLastWriteTime=0x151f43c) returned 0 [0065.257] DeviceIoControl (in: hDevice=0x248, dwIoControlCode=0x900a8, lpInBuffer=0x0, nInBufferSize=0x0, lpOutBuffer=0xae9a40, nOutBufferSize=0x4000, lpBytesReturned=0x151f494, lpOverlapped=0x0 | out: lpOutBuffer=0xae9a40, lpBytesReturned=0x151f494, lpOverlapped=0x0) returned 0 [0065.257] FindFirstFileExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\*", fInfoLevelId=0x1, lpFindFileData=0x151f204, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x151f204) returned 0x290750 [0065.263] FindNextFileW (in: hFindFile=0x290750, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0065.264] FindNextFileW (in: hFindFile=0x290750, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0065.264] FindNextFileW (in: hFindFile=0x290750, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0065.264] FindNextFileW (in: hFindFile=0x290750, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0065.264] FindNextFileW (in: hFindFile=0x290750, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0065.264] FindNextFileW (in: hFindFile=0x290750, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 0 [0065.264] GetLastError () returned 0x12 [0065.264] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlklr.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0065.264] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0065.264] GetFileTime (in: hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178 | out: lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178*(dwLowDateTime=0xeebe0180, dwHighDateTime=0x1d301be)) returned 1 [0065.264] CryptGenKey (in: hProv=0x2889e8, Algid=0x6801, dwFlags=0x800001, phKey=0x151f0d4 | out: phKey=0x151f0d4*=0x28f398) returned 1 [0065.265] CryptExportKey (in: hKey=0x28f398, hExpKey=0x289ec0, dwBlobType=0x1, dwFlags=0x0, pbData=0xb35138, pdwDataLen=0x151f0d8 | out: pbData=0xb35138*, pdwDataLen=0x151f0d8*=0x8c) returned 1 [0065.265] ReadFile (in: hFile=0x180, lpBuffer=0x18e0020, nNumberOfBytesToRead=0xa00000, lpNumberOfBytesRead=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0x18e0020*, lpNumberOfBytesRead=0x151f0e0*=0xa00000, lpOverlapped=0x0) returned 1 [0065.972] CryptEncrypt (in: hKey=0x28f398, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d00020*, pdwDataLen=0x151f0d0*=0xa00000, dwBufLen=0xa00008 | out: pbData=0x2d00020*, pdwDataLen=0x151f0d0*=0xa00000) returned 1 [0066.131] ReadFile (in: hFile=0x180, lpBuffer=0x22f0020, nNumberOfBytesToRead=0x421fcc, lpNumberOfBytesRead=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0x22f0020*, lpNumberOfBytesRead=0x151f0e0*=0x421fcc, lpOverlapped=0x0) returned 1 [0066.285] CryptEncrypt (in: hKey=0x28f398, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x22f0020*, pdwDataLen=0x151f0d0*=0x421fcc, dwBufLen=0x421fd4 | out: pbData=0x22f0020*, pdwDataLen=0x151f0d0*=0x421fcc) returned 1 [0066.356] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0066.356] NtClose (Handle=0x180) returned 0x0 [0066.356] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlklr.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab.locked" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlklr.cab.locked")) returned 1 [0066.356] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab.locked", dwFileAttributes=0x2020) returned 1 [0066.356] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab.readme_txt", dwFileAttributes=0x80) returned 0 [0066.356] GetLastError () returned 0x2 [0066.357] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlklr.cab.readme_txt"), fInfoLevelId=0x0, lpFileInformation=0x151f070 | out: lpFileInformation=0x151f070*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x868e92, ftLastWriteTime.dwLowDateTime=0x80, ftLastWriteTime.dwHighDateTime=0x151f1d4, nFileSizeHigh=0x0, nFileSizeLow=0x151f1a4)) returned 0 [0066.357] GetLastError () returned 0x2 [0066.357] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlklr.cab.readme_txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0066.357] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0066.357] WriteFile (in: hFile=0x180, lpBuffer=0xae7b50*, nNumberOfBytesToWrite=0x3a4, lpNumberOfBytesWritten=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0xae7b50*, lpNumberOfBytesWritten=0x151f0e0*=0x3a4, lpOverlapped=0x0) returned 1 [0066.358] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0066.358] NtClose (Handle=0x180) returned 0x0 [0066.358] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlkLR.cab.readme_txt", dwFileAttributes=0x2020) returned 1 [0066.391] CryptDestroyKey (hKey=0x28f398) returned 1 [0066.392] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0066.392] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0066.392] GetFileTime (in: hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178 | out: lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178*(dwLowDateTime=0xee827f20, dwHighDateTime=0x1d301be)) returned 1 [0066.392] CryptGenKey (in: hProv=0x2889e8, Algid=0x6801, dwFlags=0x800001, phKey=0x151f0d4 | out: phKey=0x151f0d4*=0x28f398) returned 1 [0066.392] CryptExportKey (in: hKey=0x28f398, hExpKey=0x289ec0, dwBlobType=0x1, dwFlags=0x0, pbData=0xb35138, pdwDataLen=0x151f0d8 | out: pbData=0xb35138*, pdwDataLen=0x151f0d8*=0x8c) returned 1 [0066.392] ReadFile (in: hFile=0x180, lpBuffer=0x18e0020, nNumberOfBytesToRead=0x2bba00, lpNumberOfBytesRead=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0x18e0020*, lpNumberOfBytesRead=0x151f0e0*=0x2bba00, lpOverlapped=0x0) returned 1 [0066.602] CryptEncrypt (in: hKey=0x28f398, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1e60020*, pdwDataLen=0x151f0d0*=0x2bba00, dwBufLen=0x2bba08 | out: pbData=0x1e60020*, pdwDataLen=0x151f0d0*=0x2bba00) returned 1 [0066.664] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0066.664] NtClose (Handle=0x180) returned 0x0 [0066.664] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi.locked" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.msi.locked")) returned 1 [0066.664] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi.locked", dwFileAttributes=0x2020) returned 1 [0066.664] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi.readme_txt", dwFileAttributes=0x80) returned 0 [0066.664] GetLastError () returned 0x2 [0066.664] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.msi.readme_txt"), fInfoLevelId=0x0, lpFileInformation=0x151f070 | out: lpFileInformation=0x151f070*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x868e92, ftLastWriteTime.dwLowDateTime=0x80, ftLastWriteTime.dwHighDateTime=0x151f1d4, nFileSizeHigh=0x0, nFileSizeLow=0x151f1a4)) returned 0 [0066.664] GetLastError () returned 0x2 [0066.664] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.msi.readme_txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0066.665] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0066.665] WriteFile (in: hFile=0x180, lpBuffer=0xae7b50*, nNumberOfBytesToWrite=0x3a4, lpNumberOfBytesWritten=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0xae7b50*, lpNumberOfBytesWritten=0x151f0e0*=0x3a4, lpOverlapped=0x0) returned 1 [0066.665] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0066.665] NtClose (Handle=0x180) returned 0x0 [0066.666] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.msi.readme_txt", dwFileAttributes=0x2020) returned 1 [0066.676] CryptDestroyKey (hKey=0x28f398) returned 1 [0066.676] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0066.676] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0066.676] GetFileTime (in: hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178 | out: lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178*(dwLowDateTime=0xee827f20, dwHighDateTime=0x1d301be)) returned 1 [0066.676] CryptGenKey (in: hProv=0x2889e8, Algid=0x6801, dwFlags=0x800001, phKey=0x151f0d4 | out: phKey=0x151f0d4*=0x28f398) returned 1 [0066.676] CryptExportKey (in: hKey=0x28f398, hExpKey=0x289ec0, dwBlobType=0x1, dwFlags=0x0, pbData=0xb35138, pdwDataLen=0x151f0d8 | out: pbData=0xb35138*, pdwDataLen=0x151f0d8*=0x8c) returned 1 [0066.676] ReadFile (in: hFile=0x180, lpBuffer=0xb86c38, nNumberOfBytesToRead=0xc72, lpNumberOfBytesRead=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0xb86c38*, lpNumberOfBytesRead=0x151f0e0*=0xc72, lpOverlapped=0x0) returned 1 [0066.683] CryptEncrypt (in: hKey=0x28f398, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xb58738*, pdwDataLen=0x151f0d0*=0xc72, dwBufLen=0xc7a | out: pbData=0xb58738*, pdwDataLen=0x151f0d0*=0xc72) returned 1 [0066.692] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0066.692] NtClose (Handle=0x180) returned 0x0 [0066.692] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.xml"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml.locked" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.xml.locked")) returned 1 [0066.692] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml.locked", dwFileAttributes=0x2020) returned 1 [0066.693] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml.readme_txt", dwFileAttributes=0x80) returned 0 [0066.693] GetLastError () returned 0x2 [0066.693] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.xml.readme_txt"), fInfoLevelId=0x0, lpFileInformation=0x151f070 | out: lpFileInformation=0x151f070*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x868e92, ftLastWriteTime.dwLowDateTime=0x80, ftLastWriteTime.dwHighDateTime=0x151f1d4, nFileSizeHigh=0x0, nFileSizeLow=0x151f1a4)) returned 0 [0066.693] GetLastError () returned 0x2 [0066.693] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\outlookmui.xml.readme_txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0066.693] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0066.693] WriteFile (in: hFile=0x180, lpBuffer=0xae7b50*, nNumberOfBytesToWrite=0x3a4, lpNumberOfBytesWritten=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0xae7b50*, lpNumberOfBytesWritten=0x151f0e0*=0x3a4, lpOverlapped=0x0) returned 1 [0066.694] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0066.694] NtClose (Handle=0x180) returned 0x0 [0066.694] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\OutlookMUI.xml.readme_txt", dwFileAttributes=0x2020) returned 1 [0066.695] CryptDestroyKey (hKey=0x28f398) returned 1 [0066.695] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0066.695] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0066.696] GetFileTime (in: hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178 | out: lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178*(dwLowDateTime=0xf00db300, dwHighDateTime=0x1d301be)) returned 1 [0066.696] CryptGenKey (in: hProv=0x2889e8, Algid=0x6801, dwFlags=0x800001, phKey=0x151f0d4 | out: phKey=0x151f0d4*=0x28f398) returned 1 [0066.696] CryptExportKey (in: hKey=0x28f398, hExpKey=0x289ec0, dwBlobType=0x1, dwFlags=0x0, pbData=0xb35138, pdwDataLen=0x151f0d8 | out: pbData=0xb35138*, pdwDataLen=0x151f0d8*=0x8c) returned 1 [0066.696] ReadFile (in: hFile=0x180, lpBuffer=0xb74de8, nNumberOfBytesToRead=0x106f, lpNumberOfBytesRead=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0xb74de8*, lpNumberOfBytesRead=0x151f0e0*=0x106f, lpOverlapped=0x0) returned 1 [0066.701] CryptEncrypt (in: hKey=0x28f398, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xb7e370*, pdwDataLen=0x151f0d0*=0x106f, dwBufLen=0x1077 | out: pbData=0xb7e370*, pdwDataLen=0x151f0d0*=0x106f) returned 1 [0066.710] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0066.710] NtClose (Handle=0x180) returned 0x0 [0066.710] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml.locked" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\setup.xml.locked")) returned 1 [0066.711] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml.locked", dwFileAttributes=0x2020) returned 1 [0066.711] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml.readme_txt", dwFileAttributes=0x80) returned 0 [0066.711] GetLastError () returned 0x2 [0066.711] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\setup.xml.readme_txt"), fInfoLevelId=0x0, lpFileInformation=0x151f070 | out: lpFileInformation=0x151f070*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x868e92, ftLastWriteTime.dwLowDateTime=0x80, ftLastWriteTime.dwHighDateTime=0x151f1d4, nFileSizeHigh=0x0, nFileSizeLow=0x151f1a4)) returned 0 [0066.711] GetLastError () returned 0x2 [0066.711] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-001a-0409-1000-0000000ff1ce}-c\\setup.xml.readme_txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0066.711] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0066.711] WriteFile (in: hFile=0x180, lpBuffer=0xae7b50*, nNumberOfBytesToWrite=0x3a4, lpNumberOfBytesWritten=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0xae7b50*, lpNumberOfBytesWritten=0x151f0e0*=0x3a4, lpOverlapped=0x0) returned 1 [0066.712] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0066.712] NtClose (Handle=0x180) returned 0x0 [0066.713] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\Setup.xml.readme_txt", dwFileAttributes=0x2020) returned 1 [0066.713] CryptDestroyKey (hKey=0x28f398) returned 1 [0066.713] FindFirstFileExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-001A-0409-1000-0000000FF1CE}-C\\*", fInfoLevelId=0x1, lpFindFileData=0x151f204, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x151f204) returned 0x28f398 [0066.713] FindClose (in: hFindFile=0x290750 | out: hFindFile=0x290750) returned 1 [0066.714] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0066.714] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0066.714] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0066.714] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0066.714] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0066.714] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0066.714] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0066.714] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0066.714] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0066.714] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 0 [0066.714] GetLastError () returned 0x12 [0066.715] FindNextFileW (in: hFindFile=0x290710, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0066.715] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2200000, hTemplateFile=0x0) returned 0x180 [0066.715] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x151f43c, lpLastWriteTime=0x151f43c) returned 0 [0066.715] DeviceIoControl (in: hDevice=0x180, dwIoControlCode=0x900a8, lpInBuffer=0x0, nInBufferSize=0x0, lpOutBuffer=0xae9a40, nOutBufferSize=0x4000, lpBytesReturned=0x151f494, lpOverlapped=0x0 | out: lpOutBuffer=0xae9a40, lpBytesReturned=0x151f494, lpOverlapped=0x0) returned 0 [0066.715] FindFirstFileExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\*", fInfoLevelId=0x1, lpFindFileData=0x151f204, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x151f204) returned 0x290750 [0066.716] FindNextFileW (in: hFindFile=0x290750, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0066.716] FindNextFileW (in: hFindFile=0x290750, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0066.716] FindNextFileW (in: hFindFile=0x290750, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0066.716] FindNextFileW (in: hFindFile=0x290750, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0066.716] FindNextFileW (in: hFindFile=0x290750, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0066.716] FindNextFileW (in: hFindFile=0x290750, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 0 [0066.716] GetLastError () returned 0x12 [0066.716] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x248 [0066.716] SetFileTime (hFile=0x248, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0066.716] GetFileTime (in: hFile=0x248, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178 | out: lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178*(dwLowDateTime=0xfe076d70, dwHighDateTime=0x1d301be)) returned 1 [0066.716] CryptGenKey (in: hProv=0x2889e8, Algid=0x6801, dwFlags=0x800001, phKey=0x151f0d4 | out: phKey=0x151f0d4*=0x28f398) returned 1 [0066.716] CryptExportKey (in: hKey=0x28f398, hExpKey=0x289ec0, dwBlobType=0x1, dwFlags=0x0, pbData=0xb35138, pdwDataLen=0x151f0d8 | out: pbData=0xb35138*, pdwDataLen=0x151f0d8*=0x8c) returned 1 [0066.716] ReadFile (in: hFile=0x248, lpBuffer=0xb86c38, nNumberOfBytesToRead=0x978, lpNumberOfBytesRead=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0xb86c38*, lpNumberOfBytesRead=0x151f0e0*=0x978, lpOverlapped=0x0) returned 1 [0066.721] CryptEncrypt (in: hKey=0x28f398, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xb58738*, pdwDataLen=0x151f0d0*=0x978, dwBufLen=0x980 | out: pbData=0xb58738*, pdwDataLen=0x151f0d0*=0x978) returned 1 [0066.724] SetFileTime (hFile=0x248, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0066.725] NtClose (Handle=0x248) returned 0x0 [0066.725] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml.locked" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\setup.xml.locked")) returned 1 [0066.726] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml.locked", dwFileAttributes=0x2020) returned 1 [0066.726] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml.readme_txt", dwFileAttributes=0x80) returned 0 [0066.726] GetLastError () returned 0x2 [0066.726] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\setup.xml.readme_txt"), fInfoLevelId=0x0, lpFileInformation=0x151f070 | out: lpFileInformation=0x151f070*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x868e92, ftLastWriteTime.dwLowDateTime=0x80, ftLastWriteTime.dwHighDateTime=0x151f1d4, nFileSizeHigh=0x0, nFileSizeLow=0x151f1a4)) returned 0 [0066.726] GetLastError () returned 0x2 [0066.726] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\setup.xml.readme_txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x248 [0066.727] SetFileTime (hFile=0x248, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0066.727] WriteFile (in: hFile=0x248, lpBuffer=0xae7b50*, nNumberOfBytesToWrite=0x3a4, lpNumberOfBytesWritten=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0xae7b50*, lpNumberOfBytesWritten=0x151f0e0*=0x3a4, lpOverlapped=0x0) returned 1 [0066.727] SetFileTime (hFile=0x248, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0066.728] NtClose (Handle=0x248) returned 0x0 [0066.728] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\Setup.xml.readme_txt", dwFileAttributes=0x2020) returned 1 [0066.728] CryptDestroyKey (hKey=0x28f398) returned 1 [0066.729] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordlr.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x248 [0066.729] SetFileTime (hFile=0x248, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0066.729] GetFileTime (in: hFile=0x248, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178 | out: lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178*(dwLowDateTime=0xfc967850, dwHighDateTime=0x1d301be)) returned 1 [0066.729] CryptGenKey (in: hProv=0x2889e8, Algid=0x6801, dwFlags=0x800001, phKey=0x151f0d4 | out: phKey=0x151f0d4*=0x28f398) returned 1 [0066.729] CryptExportKey (in: hKey=0x28f398, hExpKey=0x289ec0, dwBlobType=0x1, dwFlags=0x0, pbData=0xb35138, pdwDataLen=0x151f0d8 | out: pbData=0xb35138*, pdwDataLen=0x151f0d8*=0x8c) returned 1 [0066.729] ReadFile (in: hFile=0x248, lpBuffer=0x18e0020, nNumberOfBytesToRead=0xa00000, lpNumberOfBytesRead=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0x18e0020*, lpNumberOfBytesRead=0x151f0e0*=0xa00000, lpOverlapped=0x0) returned 1 [0067.549] CryptEncrypt (in: hKey=0x28f398, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d00020*, pdwDataLen=0x151f0d0*=0xa00000, dwBufLen=0xa00008 | out: pbData=0x2d00020*, pdwDataLen=0x151f0d0*=0xa00000) returned 1 [0067.767] ReadFile (in: hFile=0x248, lpBuffer=0x22f0020, nNumberOfBytesToRead=0xa00000, lpNumberOfBytesRead=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0x22f0020*, lpNumberOfBytesRead=0x151f0e0*=0xa00000, lpOverlapped=0x0) returned 1 [0068.331] CryptEncrypt (in: hKey=0x28f398, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d00020*, pdwDataLen=0x151f0d0*=0xa00000, dwBufLen=0xa00008 | out: pbData=0x2d00020*, pdwDataLen=0x151f0d0*=0xa00000) returned 1 [0068.584] ReadFile (in: hFile=0x248, lpBuffer=0x22f0020, nNumberOfBytesToRead=0xa00000, lpNumberOfBytesRead=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0x22f0020*, lpNumberOfBytesRead=0x151f0e0*=0xa00000, lpOverlapped=0x0) returned 1 [0069.173] CryptEncrypt (in: hKey=0x28f398, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d00020*, pdwDataLen=0x151f0d0*=0xa00000, dwBufLen=0xa00008 | out: pbData=0x2d00020*, pdwDataLen=0x151f0d0*=0xa00000) returned 1 [0069.335] ReadFile (in: hFile=0x248, lpBuffer=0x22f0020, nNumberOfBytesToRead=0xa00000, lpNumberOfBytesRead=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0x22f0020*, lpNumberOfBytesRead=0x151f0e0*=0xa00000, lpOverlapped=0x0) returned 1 [0069.880] CryptEncrypt (in: hKey=0x28f398, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d00020*, pdwDataLen=0x151f0d0*=0xa00000, dwBufLen=0xa00008 | out: pbData=0x2d00020*, pdwDataLen=0x151f0d0*=0xa00000) returned 1 [0070.042] ReadFile (in: hFile=0x248, lpBuffer=0x22f0020, nNumberOfBytesToRead=0x1c6dbd, lpNumberOfBytesRead=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0x22f0020*, lpNumberOfBytesRead=0x151f0e0*=0x1c6dbd, lpOverlapped=0x0) returned 1 [0070.126] CryptEncrypt (in: hKey=0x28f398, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x24c0020*, pdwDataLen=0x151f0d0*=0x1c6dbd, dwBufLen=0x1c6dc5 | out: pbData=0x24c0020*, pdwDataLen=0x151f0d0*=0x1c6dbd) returned 1 [0070.152] SetFileTime (hFile=0x248, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0070.152] NtClose (Handle=0x248) returned 0x0 [0070.152] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordlr.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab.locked" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordlr.cab.locked")) returned 1 [0070.153] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab.locked", dwFileAttributes=0x2020) returned 1 [0070.153] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab.readme_txt", dwFileAttributes=0x80) returned 0 [0070.153] GetLastError () returned 0x2 [0070.153] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordlr.cab.readme_txt"), fInfoLevelId=0x0, lpFileInformation=0x151f070 | out: lpFileInformation=0x151f070*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x868e92, ftLastWriteTime.dwLowDateTime=0x80, ftLastWriteTime.dwHighDateTime=0x151f1d4, nFileSizeHigh=0x0, nFileSizeLow=0x151f1a4)) returned 0 [0070.153] GetLastError () returned 0x2 [0070.153] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordlr.cab.readme_txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x248 [0070.153] SetFileTime (hFile=0x248, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0070.153] WriteFile (in: hFile=0x248, lpBuffer=0xae7b50*, nNumberOfBytesToWrite=0x3a4, lpNumberOfBytesWritten=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0xae7b50*, lpNumberOfBytesWritten=0x151f0e0*=0x3a4, lpOverlapped=0x0) returned 1 [0070.154] SetFileTime (hFile=0x248, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0070.154] NtClose (Handle=0x248) returned 0x0 [0070.155] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordLR.cab.readme_txt", dwFileAttributes=0x2020) returned 1 [0070.188] CryptDestroyKey (hKey=0x28f398) returned 1 [0070.188] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x248 [0070.188] SetFileTime (hFile=0x248, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0070.188] GetFileTime (in: hFile=0x248, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178 | out: lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178*(dwLowDateTime=0xfc8a9170, dwHighDateTime=0x1d301be)) returned 1 [0070.188] CryptGenKey (in: hProv=0x2889e8, Algid=0x6801, dwFlags=0x800001, phKey=0x151f0d4 | out: phKey=0x151f0d4*=0x28f398) returned 1 [0070.189] CryptExportKey (in: hKey=0x28f398, hExpKey=0x289ec0, dwBlobType=0x1, dwFlags=0x0, pbData=0xb35138, pdwDataLen=0x151f0d8 | out: pbData=0xb35138*, pdwDataLen=0x151f0d8*=0x8c) returned 1 [0070.189] ReadFile (in: hFile=0x248, lpBuffer=0x18e0020, nNumberOfBytesToRead=0x267e00, lpNumberOfBytesRead=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0x18e0020*, lpNumberOfBytesRead=0x151f0e0*=0x267e00, lpOverlapped=0x0) returned 1 [0070.658] CryptEncrypt (in: hKey=0x28f398, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1dc0020*, pdwDataLen=0x151f0d0*=0x267e00, dwBufLen=0x267e08 | out: pbData=0x1dc0020*, pdwDataLen=0x151f0d0*=0x267e00) returned 1 [0070.825] SetFileTime (hFile=0x248, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0070.825] NtClose (Handle=0x248) returned 0x0 [0070.825] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi.locked" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.msi.locked")) returned 1 [0070.825] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi.locked", dwFileAttributes=0x2020) returned 1 [0070.825] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi.readme_txt", dwFileAttributes=0x80) returned 0 [0070.825] GetLastError () returned 0x2 [0070.825] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.msi.readme_txt"), fInfoLevelId=0x0, lpFileInformation=0x151f070 | out: lpFileInformation=0x151f070*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x868e92, ftLastWriteTime.dwLowDateTime=0x80, ftLastWriteTime.dwHighDateTime=0x151f1d4, nFileSizeHigh=0x0, nFileSizeLow=0x151f1a4)) returned 0 [0070.826] GetLastError () returned 0x2 [0070.826] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.msi.readme_txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x248 [0070.826] SetFileTime (hFile=0x248, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0070.826] WriteFile (in: hFile=0x248, lpBuffer=0xae7b50*, nNumberOfBytesToWrite=0x3a4, lpNumberOfBytesWritten=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0xae7b50*, lpNumberOfBytesWritten=0x151f0e0*=0x3a4, lpOverlapped=0x0) returned 1 [0070.827] SetFileTime (hFile=0x248, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0070.827] NtClose (Handle=0x248) returned 0x0 [0070.827] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.msi.readme_txt", dwFileAttributes=0x2020) returned 1 [0070.836] CryptDestroyKey (hKey=0x28f398) returned 1 [0070.836] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x248 [0070.836] SetFileTime (hFile=0x248, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0070.836] GetFileTime (in: hFile=0x248, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178 | out: lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178*(dwLowDateTime=0xfc8a9170, dwHighDateTime=0x1d301be)) returned 1 [0070.836] CryptGenKey (in: hProv=0x2889e8, Algid=0x6801, dwFlags=0x800001, phKey=0x151f0d4 | out: phKey=0x151f0d4*=0x28f398) returned 1 [0070.837] CryptExportKey (in: hKey=0x28f398, hExpKey=0x289ec0, dwBlobType=0x1, dwFlags=0x0, pbData=0xb35138, pdwDataLen=0x151f0d8 | out: pbData=0xb35138*, pdwDataLen=0x151f0d8*=0x8c) returned 1 [0070.837] ReadFile (in: hFile=0x248, lpBuffer=0xb2b9e0, nNumberOfBytesToRead=0x708, lpNumberOfBytesRead=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0xb2b9e0*, lpNumberOfBytesRead=0x151f0e0*=0x708, lpOverlapped=0x0) returned 1 [0070.838] CryptEncrypt (in: hKey=0x28f398, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xb427d8*, pdwDataLen=0x151f0d0*=0x708, dwBufLen=0x710 | out: pbData=0xb427d8*, pdwDataLen=0x151f0d0*=0x708) returned 1 [0070.840] SetFileTime (hFile=0x248, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0070.840] NtClose (Handle=0x248) returned 0x0 [0070.840] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.xml"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml.locked" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.xml.locked")) returned 1 [0070.841] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml.locked", dwFileAttributes=0x2020) returned 1 [0070.841] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml.readme_txt", dwFileAttributes=0x80) returned 0 [0070.841] GetLastError () returned 0x2 [0070.841] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.xml.readme_txt"), fInfoLevelId=0x0, lpFileInformation=0x151f070 | out: lpFileInformation=0x151f070*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x868e92, ftLastWriteTime.dwLowDateTime=0x80, ftLastWriteTime.dwHighDateTime=0x151f1d4, nFileSizeHigh=0x0, nFileSizeLow=0x151f1a4)) returned 0 [0070.841] GetLastError () returned 0x2 [0070.841] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-001b-0409-1000-0000000ff1ce}-c\\wordmui.xml.readme_txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x248 [0070.841] SetFileTime (hFile=0x248, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0070.841] WriteFile (in: hFile=0x248, lpBuffer=0xae7b50*, nNumberOfBytesToWrite=0x3a4, lpNumberOfBytesWritten=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0xae7b50*, lpNumberOfBytesWritten=0x151f0e0*=0x3a4, lpOverlapped=0x0) returned 1 [0070.842] SetFileTime (hFile=0x248, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0070.842] NtClose (Handle=0x248) returned 0x0 [0070.843] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\WordMUI.xml.readme_txt", dwFileAttributes=0x2020) returned 1 [0070.843] CryptDestroyKey (hKey=0x28f398) returned 1 [0070.843] FindFirstFileExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-001B-0409-1000-0000000FF1CE}-C\\*", fInfoLevelId=0x1, lpFindFileData=0x151f204, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x151f204) returned 0x28f398 [0070.843] FindClose (in: hFindFile=0x290750 | out: hFindFile=0x290750) returned 1 [0070.844] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0070.844] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0070.844] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0070.844] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0070.844] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0070.844] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0070.844] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0070.844] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0070.844] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0070.844] FindNextFileW (in: hFindFile=0x28f398, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 0 [0070.844] GetLastError () returned 0x12 [0070.845] FindNextFileW (in: hFindFile=0x290710, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0070.845] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2200000, hTemplateFile=0x0) returned 0x248 [0070.845] SetFileTime (hFile=0x248, lpCreationTime=0x0, lpLastAccessTime=0x151f43c, lpLastWriteTime=0x151f43c) returned 0 [0070.845] DeviceIoControl (in: hDevice=0x248, dwIoControlCode=0x900a8, lpInBuffer=0x0, nInBufferSize=0x0, lpOutBuffer=0xae9a40, nOutBufferSize=0x4000, lpBytesReturned=0x151f494, lpOverlapped=0x0 | out: lpOutBuffer=0xae9a40, lpBytesReturned=0x151f494, lpOverlapped=0x0) returned 0 [0070.845] FindFirstFileExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\*", fInfoLevelId=0x1, lpFindFileData=0x151f204, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x151f204) returned 0x290750 [0070.847] FindNextFileW (in: hFindFile=0x290750, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0070.847] FindNextFileW (in: hFindFile=0x290750, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0070.847] FindNextFileW (in: hFindFile=0x290750, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0070.847] FindNextFileW (in: hFindFile=0x290750, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0070.847] FindNextFileW (in: hFindFile=0x290750, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0070.847] FindNextFileW (in: hFindFile=0x290750, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0070.847] FindNextFileW (in: hFindFile=0x290750, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0070.847] FindNextFileW (in: hFindFile=0x290750, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 0 [0070.847] GetLastError () returned 0x12 [0070.848] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0070.848] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0070.848] GetFileTime (in: hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178 | out: lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178*(dwLowDateTime=0xf0126df0, dwHighDateTime=0x1d301be)) returned 1 [0070.848] CryptGenKey (in: hProv=0x2889e8, Algid=0x6801, dwFlags=0x800001, phKey=0x151f0d4 | out: phKey=0x151f0d4*=0x28f398) returned 1 [0070.848] CryptExportKey (in: hKey=0x28f398, hExpKey=0x289ec0, dwBlobType=0x1, dwFlags=0x0, pbData=0xb35138, pdwDataLen=0x151f0d8 | out: pbData=0xb35138*, pdwDataLen=0x151f0d8*=0x8c) returned 1 [0070.848] ReadFile (in: hFile=0x180, lpBuffer=0x1210020, nNumberOfBytesToRead=0xd4200, lpNumberOfBytesRead=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0x1210020*, lpNumberOfBytesRead=0x151f0e0*=0xd4200, lpOverlapped=0x0) returned 1 [0070.938] CryptEncrypt (in: hKey=0x28f398, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x18e0020*, pdwDataLen=0x151f0d0*=0xd4200, dwBufLen=0xd4208 | out: pbData=0x18e0020*, pdwDataLen=0x151f0d0*=0xd4200) returned 1 [0070.954] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0070.954] NtClose (Handle=0x180) returned 0x0 [0070.954] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi.locked" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.msi.locked")) returned 1 [0070.955] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi.locked", dwFileAttributes=0x2020) returned 1 [0070.955] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi.readme_txt", dwFileAttributes=0x80) returned 0 [0070.955] GetLastError () returned 0x2 [0070.955] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.msi.readme_txt"), fInfoLevelId=0x0, lpFileInformation=0x151f070 | out: lpFileInformation=0x151f070*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x868e92, ftLastWriteTime.dwLowDateTime=0x80, ftLastWriteTime.dwHighDateTime=0x151f1d4, nFileSizeHigh=0x0, nFileSizeLow=0x151f1a4)) returned 0 [0070.955] GetLastError () returned 0x2 [0070.955] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.msi.readme_txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0070.956] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0070.956] WriteFile (in: hFile=0x180, lpBuffer=0xae7b50*, nNumberOfBytesToWrite=0x3a4, lpNumberOfBytesWritten=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0xae7b50*, lpNumberOfBytesWritten=0x151f0e0*=0x3a4, lpOverlapped=0x0) returned 1 [0070.957] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0070.957] NtClose (Handle=0x180) returned 0x0 [0070.958] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.msi.readme_txt", dwFileAttributes=0x2020) returned 1 [0070.962] CryptDestroyKey (hKey=0x28f398) returned 1 [0070.963] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0070.963] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0070.963] GetFileTime (in: hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178 | out: lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178*(dwLowDateTime=0xf00db300, dwHighDateTime=0x1d301be)) returned 1 [0070.963] CryptGenKey (in: hProv=0x2889e8, Algid=0x6801, dwFlags=0x800001, phKey=0x151f0d4 | out: phKey=0x151f0d4*=0x2e4858) returned 1 [0070.963] CryptExportKey (in: hKey=0x2e4858, hExpKey=0x289ec0, dwBlobType=0x1, dwFlags=0x0, pbData=0xb35138, pdwDataLen=0x151f0d8 | out: pbData=0xb35138*, pdwDataLen=0x151f0d8*=0x8c) returned 1 [0070.963] ReadFile (in: hFile=0x180, lpBuffer=0xb6e658, nNumberOfBytesToRead=0x32b, lpNumberOfBytesRead=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0xb6e658*, lpNumberOfBytesRead=0x151f0e0*=0x32b, lpOverlapped=0x0) returned 1 [0071.006] CryptEncrypt (in: hKey=0x2e4858, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xb49948*, pdwDataLen=0x151f0d0*=0x32b, dwBufLen=0x333 | out: pbData=0xb49948*, pdwDataLen=0x151f0d0*=0x32b) returned 1 [0071.008] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0071.009] NtClose (Handle=0x180) returned 0x0 [0071.009] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.xml"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml.locked" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.xml.locked")) returned 1 [0071.009] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml.locked", dwFileAttributes=0x2020) returned 1 [0071.009] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml.readme_txt", dwFileAttributes=0x80) returned 0 [0071.009] GetLastError () returned 0x2 [0071.009] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.xml.readme_txt"), fInfoLevelId=0x0, lpFileInformation=0x151f070 | out: lpFileInformation=0x151f070*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x868e92, ftLastWriteTime.dwLowDateTime=0x80, ftLastWriteTime.dwHighDateTime=0x151f1d4, nFileSizeHigh=0x0, nFileSizeLow=0x151f1a4)) returned 0 [0071.010] GetLastError () returned 0x2 [0071.010] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proofing.xml.readme_txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0071.010] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0071.010] WriteFile (in: hFile=0x180, lpBuffer=0xae7b50*, nNumberOfBytesToWrite=0x3a4, lpNumberOfBytesWritten=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0xae7b50*, lpNumberOfBytesWritten=0x151f0e0*=0x3a4, lpOverlapped=0x0) returned 1 [0071.011] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0071.011] NtClose (Handle=0x180) returned 0x0 [0071.011] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proofing.xml.readme_txt", dwFileAttributes=0x2020) returned 1 [0071.011] CryptDestroyKey (hKey=0x2e4858) returned 1 [0071.012] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0071.012] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0071.012] GetFileTime (in: hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178 | out: lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178*(dwLowDateTime=0xf58c6830, dwHighDateTime=0x1d301be)) returned 1 [0071.012] CryptGenKey (in: hProv=0x2889e8, Algid=0x6801, dwFlags=0x800001, phKey=0x151f0d4 | out: phKey=0x151f0d4*=0x2e4858) returned 1 [0071.012] CryptExportKey (in: hKey=0x2e4858, hExpKey=0x289ec0, dwBlobType=0x1, dwFlags=0x0, pbData=0xb35138, pdwDataLen=0x151f0d8 | out: pbData=0xb35138*, pdwDataLen=0x151f0d8*=0x8c) returned 1 [0071.012] ReadFile (in: hFile=0x180, lpBuffer=0xb7e370, nNumberOfBytesToRead=0x16fc, lpNumberOfBytesRead=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0xb7e370*, lpNumberOfBytesRead=0x151f0e0*=0x16fc, lpOverlapped=0x0) returned 1 [0071.028] CryptEncrypt (in: hKey=0x2e4858, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xb99420*, pdwDataLen=0x151f0d0*=0x16fc, dwBufLen=0x1704 | out: pbData=0xb99420*, pdwDataLen=0x151f0d0*=0x16fc) returned 1 [0071.032] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0071.032] NtClose (Handle=0x180) returned 0x0 [0071.033] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml.locked" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\setup.xml.locked")) returned 1 [0071.033] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml.locked", dwFileAttributes=0x2020) returned 1 [0071.033] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml.readme_txt", dwFileAttributes=0x80) returned 0 [0071.033] GetLastError () returned 0x2 [0071.033] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\setup.xml.readme_txt"), fInfoLevelId=0x0, lpFileInformation=0x151f070 | out: lpFileInformation=0x151f070*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x868e92, ftLastWriteTime.dwLowDateTime=0x80, ftLastWriteTime.dwHighDateTime=0x151f1d4, nFileSizeHigh=0x0, nFileSizeLow=0x151f1a4)) returned 0 [0071.033] GetLastError () returned 0x2 [0071.033] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\setup.xml.readme_txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0071.034] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0071.034] WriteFile (in: hFile=0x180, lpBuffer=0xae7b50*, nNumberOfBytesToWrite=0x3a4, lpNumberOfBytesWritten=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0xae7b50*, lpNumberOfBytesWritten=0x151f0e0*=0x3a4, lpOverlapped=0x0) returned 1 [0071.034] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0071.034] NtClose (Handle=0x180) returned 0x0 [0071.035] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Setup.xml.readme_txt", dwFileAttributes=0x2020) returned 1 [0071.035] CryptDestroyKey (hKey=0x2e4858) returned 1 [0071.035] FindFirstFileExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\*", fInfoLevelId=0x1, lpFindFileData=0x151f204, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x151f204) returned 0x2e4858 [0071.035] FindClose (in: hFindFile=0x290750 | out: hFindFile=0x290750) returned 1 [0071.036] FindNextFileW (in: hFindFile=0x2e4858, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0071.037] FindNextFileW (in: hFindFile=0x2e4858, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0071.037] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2200000, hTemplateFile=0x0) returned 0x248 [0071.037] SetFileTime (hFile=0x248, lpCreationTime=0x0, lpLastAccessTime=0x151f17c, lpLastWriteTime=0x151f17c) returned 0 [0071.037] DeviceIoControl (in: hDevice=0x248, dwIoControlCode=0x900a8, lpInBuffer=0x0, nInBufferSize=0x0, lpOutBuffer=0xae9a40, nOutBufferSize=0x4000, lpBytesReturned=0x151f1d4, lpOverlapped=0x0 | out: lpOutBuffer=0xae9a40, lpBytesReturned=0x151f1d4, lpOverlapped=0x0) returned 0 [0071.037] FindFirstFileExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\*", fInfoLevelId=0x1, lpFindFileData=0x151ef44, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x151ef44) returned 0x2e4898 [0071.037] FindNextFileW (in: hFindFile=0x2e4898, lpFindFileData=0x151ef44 | out: lpFindFileData=0x151ef44) returned 1 [0071.038] FindNextFileW (in: hFindFile=0x2e4898, lpFindFileData=0x151ef44 | out: lpFindFileData=0x151ef44) returned 1 [0071.038] FindNextFileW (in: hFindFile=0x2e4898, lpFindFileData=0x151ef44 | out: lpFindFileData=0x151ef44) returned 1 [0071.038] FindNextFileW (in: hFindFile=0x2e4898, lpFindFileData=0x151ef44 | out: lpFindFileData=0x151ef44) returned 1 [0071.038] FindNextFileW (in: hFindFile=0x2e4898, lpFindFileData=0x151ef44 | out: lpFindFileData=0x151ef44) returned 0 [0071.038] GetLastError () returned 0x12 [0071.040] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xdc [0071.040] SetFileTime (hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x151edf4, lpLastWriteTime=0x151edf4) returned 1 [0071.040] GetFileTime (in: hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151eeb8 | out: lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151eeb8*(dwLowDateTime=0xf07b1ad0, dwHighDateTime=0x1d301be)) returned 1 [0071.040] CryptGenKey (in: hProv=0x2889e8, Algid=0x6801, dwFlags=0x800001, phKey=0x151ee14 | out: phKey=0x151ee14*=0x2e48d8) returned 1 [0071.040] CryptExportKey (in: hKey=0x2e48d8, hExpKey=0x289ec0, dwBlobType=0x1, dwFlags=0x0, pbData=0xb35138, pdwDataLen=0x151ee18 | out: pbData=0xb35138*, pdwDataLen=0x151ee18*=0x8c) returned 1 [0071.040] ReadFile (in: hFile=0xdc, lpBuffer=0x18e0020, nNumberOfBytesToRead=0xa00000, lpNumberOfBytesRead=0x151ee20, lpOverlapped=0x0 | out: lpBuffer=0x18e0020*, lpNumberOfBytesRead=0x151ee20*=0xa00000, lpOverlapped=0x0) returned 1 [0071.889] CryptEncrypt (in: hKey=0x2e48d8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d00020*, pdwDataLen=0x151ee10*=0xa00000, dwBufLen=0xa00008 | out: pbData=0x2d00020*, pdwDataLen=0x151ee10*=0xa00000) returned 1 [0072.099] ReadFile (in: hFile=0xdc, lpBuffer=0x1210020, nNumberOfBytesToRead=0xf35ed, lpNumberOfBytesRead=0x151ee20, lpOverlapped=0x0 | out: lpBuffer=0x1210020*, lpNumberOfBytesRead=0x151ee20*=0xf35ed, lpOverlapped=0x0) returned 1 [0072.135] CryptEncrypt (in: hKey=0x2e48d8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1210020*, pdwDataLen=0x151ee10*=0xf35ed, dwBufLen=0xf35f5 | out: pbData=0x1210020*, pdwDataLen=0x151ee10*=0xf35ed) returned 1 [0072.167] SetFileTime (hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151eeb8) returned 1 [0072.167] NtClose (Handle=0xdc) returned 0x0 [0072.167] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab.locked" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.cab.locked")) returned 1 [0072.167] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab.locked", dwFileAttributes=0x2020) returned 1 [0072.167] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab.readme_txt", dwFileAttributes=0x80) returned 0 [0072.167] GetLastError () returned 0x2 [0072.167] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.cab.readme_txt"), fInfoLevelId=0x0, lpFileInformation=0x151edb0 | out: lpFileInformation=0x151edb0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x868e92, ftLastWriteTime.dwLowDateTime=0x80, ftLastWriteTime.dwHighDateTime=0x151ef14, nFileSizeHigh=0x0, nFileSizeLow=0x151eee4)) returned 0 [0072.168] GetLastError () returned 0x2 [0072.168] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.cab.readme_txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xdc [0072.193] SetFileTime (hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x151edf4, lpLastWriteTime=0x151edf4) returned 1 [0072.193] WriteFile (in: hFile=0xdc, lpBuffer=0xae7b50*, nNumberOfBytesToWrite=0x3a4, lpNumberOfBytesWritten=0x151ee20, lpOverlapped=0x0 | out: lpBuffer=0xae7b50*, lpNumberOfBytesWritten=0x151ee20*=0x3a4, lpOverlapped=0x0) returned 1 [0072.193] SetFileTime (hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151eeb8) returned 1 [0072.194] NtClose (Handle=0xdc) returned 0x0 [0072.194] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.cab.readme_txt", dwFileAttributes=0x2020) returned 1 [0072.228] CryptDestroyKey (hKey=0x2e48d8) returned 1 [0072.229] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xdc [0072.229] SetFileTime (hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x151edf4, lpLastWriteTime=0x151edf4) returned 1 [0072.229] GetFileTime (in: hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151eeb8 | out: lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151eeb8*(dwLowDateTime=0xf020c5d0, dwHighDateTime=0x1d301be)) returned 1 [0072.229] CryptGenKey (in: hProv=0x2889e8, Algid=0x6801, dwFlags=0x800001, phKey=0x151ee14 | out: phKey=0x151ee14*=0x2e48d8) returned 1 [0072.229] CryptExportKey (in: hKey=0x2e48d8, hExpKey=0x289ec0, dwBlobType=0x1, dwFlags=0x0, pbData=0xb35138, pdwDataLen=0x151ee18 | out: pbData=0xb35138*, pdwDataLen=0x151ee18*=0x8c) returned 1 [0072.229] ReadFile (in: hFile=0xdc, lpBuffer=0x1210020, nNumberOfBytesToRead=0xd5c00, lpNumberOfBytesRead=0x151ee20, lpOverlapped=0x0 | out: lpBuffer=0x1210020*, lpNumberOfBytesRead=0x151ee20*=0xd5c00, lpOverlapped=0x0) returned 1 [0072.322] CryptEncrypt (in: hKey=0x2e48d8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x18e0020*, pdwDataLen=0x151ee10*=0xd5c00, dwBufLen=0xd5c08 | out: pbData=0x18e0020*, pdwDataLen=0x151ee10*=0xd5c00) returned 1 [0072.343] SetFileTime (hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151eeb8) returned 1 [0072.343] NtClose (Handle=0xdc) returned 0x0 [0072.343] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi.locked" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.msi.locked")) returned 1 [0072.344] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi.locked", dwFileAttributes=0x2020) returned 1 [0072.344] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi.readme_txt", dwFileAttributes=0x80) returned 0 [0072.344] GetLastError () returned 0x2 [0072.344] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.msi.readme_txt"), fInfoLevelId=0x0, lpFileInformation=0x151edb0 | out: lpFileInformation=0x151edb0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x868e92, ftLastWriteTime.dwLowDateTime=0x80, ftLastWriteTime.dwHighDateTime=0x151ef14, nFileSizeHigh=0x0, nFileSizeLow=0x151eee4)) returned 0 [0072.344] GetLastError () returned 0x2 [0072.344] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.msi.readme_txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xdc [0072.346] SetFileTime (hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x151edf4, lpLastWriteTime=0x151edf4) returned 1 [0072.346] WriteFile (in: hFile=0xdc, lpBuffer=0xae7b50*, nNumberOfBytesToWrite=0x3a4, lpNumberOfBytesWritten=0x151ee20, lpOverlapped=0x0 | out: lpBuffer=0xae7b50*, lpNumberOfBytesWritten=0x151ee20*=0x3a4, lpOverlapped=0x0) returned 1 [0072.347] SetFileTime (hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151eeb8) returned 1 [0072.347] NtClose (Handle=0xdc) returned 0x0 [0072.347] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.msi.readme_txt", dwFileAttributes=0x2020) returned 1 [0072.350] CryptDestroyKey (hKey=0x2e48d8) returned 1 [0072.351] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xdc [0072.351] SetFileTime (hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x151edf4, lpLastWriteTime=0x151edf4) returned 1 [0072.351] GetFileTime (in: hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151eeb8 | out: lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151eeb8*(dwLowDateTime=0xf01be3d0, dwHighDateTime=0x1d301be)) returned 1 [0072.351] CryptGenKey (in: hProv=0x2889e8, Algid=0x6801, dwFlags=0x800001, phKey=0x151ee14 | out: phKey=0x151ee14*=0x2e48d8) returned 1 [0072.352] CryptExportKey (in: hKey=0x2e48d8, hExpKey=0x289ec0, dwBlobType=0x1, dwFlags=0x0, pbData=0xb35138, pdwDataLen=0x151ee18 | out: pbData=0xb35138*, pdwDataLen=0x151ee18*=0x8c) returned 1 [0072.352] ReadFile (in: hFile=0xdc, lpBuffer=0xb3e220, nNumberOfBytesToRead=0x543, lpNumberOfBytesRead=0x151ee20, lpOverlapped=0x0 | out: lpBuffer=0xb3e220*, lpNumberOfBytesRead=0x151ee20*=0x543, lpOverlapped=0x0) returned 1 [0072.363] CryptEncrypt (in: hKey=0x2e48d8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xb2b9e0*, pdwDataLen=0x151ee10*=0x543, dwBufLen=0x54b | out: pbData=0xb2b9e0*, pdwDataLen=0x151ee10*=0x543) returned 1 [0072.366] SetFileTime (hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151eeb8) returned 1 [0072.366] NtClose (Handle=0xdc) returned 0x0 [0072.366] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.xml"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml.locked" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.xml.locked")) returned 1 [0072.367] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml.locked", dwFileAttributes=0x2020) returned 1 [0072.367] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml.readme_txt", dwFileAttributes=0x80) returned 0 [0072.367] GetLastError () returned 0x2 [0072.367] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.xml.readme_txt"), fInfoLevelId=0x0, lpFileInformation=0x151edb0 | out: lpFileInformation=0x151edb0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x868e92, ftLastWriteTime.dwLowDateTime=0x80, ftLastWriteTime.dwHighDateTime=0x151ef14, nFileSizeHigh=0x0, nFileSizeLow=0x151eee4)) returned 0 [0072.367] GetLastError () returned 0x2 [0072.367] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.en\\proof.xml.readme_txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xdc [0072.367] SetFileTime (hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x151edf4, lpLastWriteTime=0x151edf4) returned 1 [0072.367] WriteFile (in: hFile=0xdc, lpBuffer=0xae7b50*, nNumberOfBytesToWrite=0x3a4, lpNumberOfBytesWritten=0x151ee20, lpOverlapped=0x0 | out: lpBuffer=0xae7b50*, lpNumberOfBytesWritten=0x151ee20*=0x3a4, lpOverlapped=0x0) returned 1 [0072.368] SetFileTime (hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151eeb8) returned 1 [0072.368] NtClose (Handle=0xdc) returned 0x0 [0072.369] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\Proof.xml.readme_txt", dwFileAttributes=0x2020) returned 1 [0072.369] CryptDestroyKey (hKey=0x2e48d8) returned 1 [0072.369] FindFirstFileExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.en\\*", fInfoLevelId=0x1, lpFindFileData=0x151ef44, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x151ef44) returned 0x2e48d8 [0072.369] FindClose (in: hFindFile=0x2e4898 | out: hFindFile=0x2e4898) returned 1 [0072.369] FindNextFileW (in: hFindFile=0x2e48d8, lpFindFileData=0x151ef44 | out: lpFindFileData=0x151ef44) returned 1 [0072.369] FindNextFileW (in: hFindFile=0x2e48d8, lpFindFileData=0x151ef44 | out: lpFindFileData=0x151ef44) returned 1 [0072.369] FindNextFileW (in: hFindFile=0x2e48d8, lpFindFileData=0x151ef44 | out: lpFindFileData=0x151ef44) returned 1 [0072.369] FindNextFileW (in: hFindFile=0x2e48d8, lpFindFileData=0x151ef44 | out: lpFindFileData=0x151ef44) returned 1 [0072.369] FindNextFileW (in: hFindFile=0x2e48d8, lpFindFileData=0x151ef44 | out: lpFindFileData=0x151ef44) returned 1 [0072.369] FindNextFileW (in: hFindFile=0x2e48d8, lpFindFileData=0x151ef44 | out: lpFindFileData=0x151ef44) returned 1 [0072.369] FindNextFileW (in: hFindFile=0x2e48d8, lpFindFileData=0x151ef44 | out: lpFindFileData=0x151ef44) returned 1 [0072.369] FindNextFileW (in: hFindFile=0x2e48d8, lpFindFileData=0x151ef44 | out: lpFindFileData=0x151ef44) returned 0 [0072.369] GetLastError () returned 0x12 [0072.369] FindNextFileW (in: hFindFile=0x2e4858, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0072.370] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2200000, hTemplateFile=0x0) returned 0xdc [0072.370] SetFileTime (hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x151f17c, lpLastWriteTime=0x151f17c) returned 0 [0072.370] DeviceIoControl (in: hDevice=0xdc, dwIoControlCode=0x900a8, lpInBuffer=0x0, nInBufferSize=0x0, lpOutBuffer=0xae9a40, nOutBufferSize=0x4000, lpBytesReturned=0x151f1d4, lpOverlapped=0x0 | out: lpOutBuffer=0xae9a40, lpBytesReturned=0x151f1d4, lpOverlapped=0x0) returned 0 [0072.370] FindFirstFileExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\*", fInfoLevelId=0x1, lpFindFileData=0x151ef44, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x151ef44) returned 0x2e48d8 [0072.370] FindNextFileW (in: hFindFile=0x2e48d8, lpFindFileData=0x151ef44 | out: lpFindFileData=0x151ef44) returned 1 [0072.370] FindNextFileW (in: hFindFile=0x2e48d8, lpFindFileData=0x151ef44 | out: lpFindFileData=0x151ef44) returned 1 [0072.370] FindNextFileW (in: hFindFile=0x2e48d8, lpFindFileData=0x151ef44 | out: lpFindFileData=0x151ef44) returned 1 [0072.370] FindNextFileW (in: hFindFile=0x2e48d8, lpFindFileData=0x151ef44 | out: lpFindFileData=0x151ef44) returned 1 [0072.370] FindNextFileW (in: hFindFile=0x2e48d8, lpFindFileData=0x151ef44 | out: lpFindFileData=0x151ef44) returned 0 [0072.370] GetLastError () returned 0x12 [0072.371] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x248 [0072.371] SetFileTime (hFile=0x248, lpCreationTime=0x0, lpLastAccessTime=0x151edf4, lpLastWriteTime=0x151edf4) returned 1 [0072.371] GetFileTime (in: hFile=0x248, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151eeb8 | out: lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151eeb8*(dwLowDateTime=0xf4f690d0, dwHighDateTime=0x1d301be)) returned 1 [0072.371] CryptGenKey (in: hProv=0x2889e8, Algid=0x6801, dwFlags=0x800001, phKey=0x151ee14 | out: phKey=0x151ee14*=0x2e4898) returned 1 [0072.371] CryptExportKey (in: hKey=0x2e4898, hExpKey=0x289ec0, dwBlobType=0x1, dwFlags=0x0, pbData=0xb35138, pdwDataLen=0x151ee18 | out: pbData=0xb35138*, pdwDataLen=0x151ee18*=0x8c) returned 1 [0072.371] ReadFile (in: hFile=0x248, lpBuffer=0x18e0020, nNumberOfBytesToRead=0xa00000, lpNumberOfBytesRead=0x151ee20, lpOverlapped=0x0 | out: lpBuffer=0x18e0020*, lpNumberOfBytesRead=0x151ee20*=0xa00000, lpOverlapped=0x0) returned 1 [0073.126] CryptEncrypt (in: hKey=0x2e4898, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d00020*, pdwDataLen=0x151ee10*=0xa00000, dwBufLen=0xa00008 | out: pbData=0x2d00020*, pdwDataLen=0x151ee10*=0xa00000) returned 1 [0073.291] ReadFile (in: hFile=0x248, lpBuffer=0x22f0020, nNumberOfBytesToRead=0x302aea, lpNumberOfBytesRead=0x151ee20, lpOverlapped=0x0 | out: lpBuffer=0x22f0020*, lpNumberOfBytesRead=0x151ee20*=0x302aea, lpOverlapped=0x0) returned 1 [0073.412] CryptEncrypt (in: hKey=0x2e4898, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x22f0020*, pdwDataLen=0x151ee10*=0x302aea, dwBufLen=0x302af2 | out: pbData=0x22f0020*, pdwDataLen=0x151ee10*=0x302aea) returned 1 [0073.466] SetFileTime (hFile=0x248, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151eeb8) returned 1 [0073.466] NtClose (Handle=0x248) returned 0x0 [0073.466] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab.locked" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.cab.locked")) returned 1 [0073.466] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab.locked", dwFileAttributes=0x2020) returned 1 [0073.467] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab.readme_txt", dwFileAttributes=0x80) returned 0 [0073.467] GetLastError () returned 0x2 [0073.467] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.cab.readme_txt"), fInfoLevelId=0x0, lpFileInformation=0x151edb0 | out: lpFileInformation=0x151edb0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x868e92, ftLastWriteTime.dwLowDateTime=0x80, ftLastWriteTime.dwHighDateTime=0x151ef14, nFileSizeHigh=0x0, nFileSizeLow=0x151eee4)) returned 0 [0073.467] GetLastError () returned 0x2 [0073.467] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.cab.readme_txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x248 [0073.468] SetFileTime (hFile=0x248, lpCreationTime=0x0, lpLastAccessTime=0x151edf4, lpLastWriteTime=0x151edf4) returned 1 [0073.468] WriteFile (in: hFile=0x248, lpBuffer=0xae7b50*, nNumberOfBytesToWrite=0x3a4, lpNumberOfBytesWritten=0x151ee20, lpOverlapped=0x0 | out: lpBuffer=0xae7b50*, lpNumberOfBytesWritten=0x151ee20*=0x3a4, lpOverlapped=0x0) returned 1 [0073.469] SetFileTime (hFile=0x248, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151eeb8) returned 1 [0073.469] NtClose (Handle=0x248) returned 0x0 [0073.470] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.cab.readme_txt", dwFileAttributes=0x2020) returned 1 [0073.505] CryptDestroyKey (hKey=0x2e4898) returned 1 [0073.505] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x248 [0073.506] SetFileTime (hFile=0x248, lpCreationTime=0x0, lpLastAccessTime=0x151edf4, lpLastWriteTime=0x151edf4) returned 1 [0073.506] GetFileTime (in: hFile=0x248, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151eeb8 | out: lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151eeb8*(dwLowDateTime=0xf4e5c7f0, dwHighDateTime=0x1d301be)) returned 1 [0073.506] CryptGenKey (in: hProv=0x2889e8, Algid=0x6801, dwFlags=0x800001, phKey=0x151ee14 | out: phKey=0x151ee14*=0x2e4898) returned 1 [0073.506] CryptExportKey (in: hKey=0x2e4898, hExpKey=0x289ec0, dwBlobType=0x1, dwFlags=0x0, pbData=0xb35138, pdwDataLen=0x151ee18 | out: pbData=0xb35138*, pdwDataLen=0x151ee18*=0x8c) returned 1 [0073.506] ReadFile (in: hFile=0x248, lpBuffer=0x1210020, nNumberOfBytesToRead=0xd7200, lpNumberOfBytesRead=0x151ee20, lpOverlapped=0x0 | out: lpBuffer=0x1210020*, lpNumberOfBytesRead=0x151ee20*=0xd7200, lpOverlapped=0x0) returned 1 [0073.568] CryptEncrypt (in: hKey=0x2e4898, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x18e0020*, pdwDataLen=0x151ee10*=0xd7200, dwBufLen=0xd7208 | out: pbData=0x18e0020*, pdwDataLen=0x151ee10*=0xd7200) returned 1 [0073.580] SetFileTime (hFile=0x248, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151eeb8) returned 1 [0073.580] NtClose (Handle=0x248) returned 0x0 [0073.580] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi.locked" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.msi.locked")) returned 1 [0073.581] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi.locked", dwFileAttributes=0x2020) returned 1 [0073.581] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi.readme_txt", dwFileAttributes=0x80) returned 0 [0073.581] GetLastError () returned 0x2 [0073.581] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.msi.readme_txt"), fInfoLevelId=0x0, lpFileInformation=0x151edb0 | out: lpFileInformation=0x151edb0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x868e92, ftLastWriteTime.dwLowDateTime=0x80, ftLastWriteTime.dwHighDateTime=0x151ef14, nFileSizeHigh=0x0, nFileSizeLow=0x151eee4)) returned 0 [0073.581] GetLastError () returned 0x2 [0073.581] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.msi.readme_txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x248 [0073.582] SetFileTime (hFile=0x248, lpCreationTime=0x0, lpLastAccessTime=0x151edf4, lpLastWriteTime=0x151edf4) returned 1 [0073.582] WriteFile (in: hFile=0x248, lpBuffer=0xae7b50*, nNumberOfBytesToWrite=0x3a4, lpNumberOfBytesWritten=0x151ee20, lpOverlapped=0x0 | out: lpBuffer=0xae7b50*, lpNumberOfBytesWritten=0x151ee20*=0x3a4, lpOverlapped=0x0) returned 1 [0073.583] SetFileTime (hFile=0x248, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151eeb8) returned 1 [0073.583] NtClose (Handle=0x248) returned 0x0 [0073.583] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.msi.readme_txt", dwFileAttributes=0x2020) returned 1 [0073.587] CryptDestroyKey (hKey=0x2e4898) returned 1 [0073.588] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x248 [0073.588] SetFileTime (hFile=0x248, lpCreationTime=0x0, lpLastAccessTime=0x151edf4, lpLastWriteTime=0x151edf4) returned 1 [0073.588] GetFileTime (in: hFile=0x248, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151eeb8 | out: lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151eeb8*(dwLowDateTime=0xf4e37e00, dwHighDateTime=0x1d301be)) returned 1 [0073.588] CryptGenKey (in: hProv=0x2889e8, Algid=0x6801, dwFlags=0x800001, phKey=0x151ee14 | out: phKey=0x151ee14*=0x2e4898) returned 1 [0073.588] CryptExportKey (in: hKey=0x2e4898, hExpKey=0x289ec0, dwBlobType=0x1, dwFlags=0x0, pbData=0xb35138, pdwDataLen=0x151ee18 | out: pbData=0xb35138*, pdwDataLen=0x151ee18*=0x8c) returned 1 [0073.588] ReadFile (in: hFile=0x248, lpBuffer=0xb3e220, nNumberOfBytesToRead=0x5b1, lpNumberOfBytesRead=0x151ee20, lpOverlapped=0x0 | out: lpBuffer=0xb3e220*, lpNumberOfBytesRead=0x151ee20*=0x5b1, lpOverlapped=0x0) returned 1 [0073.604] CryptEncrypt (in: hKey=0x2e4898, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xb2b9e0*, pdwDataLen=0x151ee10*=0x5b1, dwBufLen=0x5b9 | out: pbData=0xb2b9e0*, pdwDataLen=0x151ee10*=0x5b1) returned 1 [0073.608] SetFileTime (hFile=0x248, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151eeb8) returned 1 [0073.608] NtClose (Handle=0x248) returned 0x0 [0073.608] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.xml"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml.locked" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.xml.locked")) returned 1 [0073.608] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml.locked", dwFileAttributes=0x2020) returned 1 [0073.608] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml.readme_txt", dwFileAttributes=0x80) returned 0 [0073.608] GetLastError () returned 0x2 [0073.608] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.xml.readme_txt"), fInfoLevelId=0x0, lpFileInformation=0x151edb0 | out: lpFileInformation=0x151edb0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x868e92, ftLastWriteTime.dwLowDateTime=0x80, ftLastWriteTime.dwHighDateTime=0x151ef14, nFileSizeHigh=0x0, nFileSizeLow=0x151eee4)) returned 0 [0073.609] GetLastError () returned 0x2 [0073.609] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.es\\proof.xml.readme_txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x248 [0073.609] SetFileTime (hFile=0x248, lpCreationTime=0x0, lpLastAccessTime=0x151edf4, lpLastWriteTime=0x151edf4) returned 1 [0073.609] WriteFile (in: hFile=0x248, lpBuffer=0xae7b50*, nNumberOfBytesToWrite=0x3a4, lpNumberOfBytesWritten=0x151ee20, lpOverlapped=0x0 | out: lpBuffer=0xae7b50*, lpNumberOfBytesWritten=0x151ee20*=0x3a4, lpOverlapped=0x0) returned 1 [0073.610] SetFileTime (hFile=0x248, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151eeb8) returned 1 [0073.610] NtClose (Handle=0x248) returned 0x0 [0073.610] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\Proof.xml.readme_txt", dwFileAttributes=0x2020) returned 1 [0073.610] CryptDestroyKey (hKey=0x2e4898) returned 1 [0073.611] FindFirstFileExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.es\\*", fInfoLevelId=0x1, lpFindFileData=0x151ef44, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x151ef44) returned 0x2e4898 [0073.611] FindClose (in: hFindFile=0x2e48d8 | out: hFindFile=0x2e48d8) returned 1 [0073.611] FindNextFileW (in: hFindFile=0x2e4898, lpFindFileData=0x151ef44 | out: lpFindFileData=0x151ef44) returned 1 [0073.611] FindNextFileW (in: hFindFile=0x2e4898, lpFindFileData=0x151ef44 | out: lpFindFileData=0x151ef44) returned 1 [0073.611] FindNextFileW (in: hFindFile=0x2e4898, lpFindFileData=0x151ef44 | out: lpFindFileData=0x151ef44) returned 1 [0073.611] FindNextFileW (in: hFindFile=0x2e4898, lpFindFileData=0x151ef44 | out: lpFindFileData=0x151ef44) returned 1 [0073.611] FindNextFileW (in: hFindFile=0x2e4898, lpFindFileData=0x151ef44 | out: lpFindFileData=0x151ef44) returned 1 [0073.611] FindNextFileW (in: hFindFile=0x2e4898, lpFindFileData=0x151ef44 | out: lpFindFileData=0x151ef44) returned 1 [0073.611] FindNextFileW (in: hFindFile=0x2e4898, lpFindFileData=0x151ef44 | out: lpFindFileData=0x151ef44) returned 1 [0073.611] FindNextFileW (in: hFindFile=0x2e4898, lpFindFileData=0x151ef44 | out: lpFindFileData=0x151ef44) returned 0 [0073.611] GetLastError () returned 0x12 [0073.611] FindNextFileW (in: hFindFile=0x2e4858, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0073.611] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2200000, hTemplateFile=0x0) returned 0x248 [0073.611] SetFileTime (hFile=0x248, lpCreationTime=0x0, lpLastAccessTime=0x151f17c, lpLastWriteTime=0x151f17c) returned 0 [0073.611] DeviceIoControl (in: hDevice=0x248, dwIoControlCode=0x900a8, lpInBuffer=0x0, nInBufferSize=0x0, lpOutBuffer=0xae9a40, nOutBufferSize=0x4000, lpBytesReturned=0x151f1d4, lpOverlapped=0x0 | out: lpOutBuffer=0xae9a40, lpBytesReturned=0x151f1d4, lpOverlapped=0x0) returned 0 [0073.612] FindFirstFileExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\*", fInfoLevelId=0x1, lpFindFileData=0x151ef44, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x151ef44) returned 0x2e4898 [0073.612] FindNextFileW (in: hFindFile=0x2e4898, lpFindFileData=0x151ef44 | out: lpFindFileData=0x151ef44) returned 1 [0073.612] FindNextFileW (in: hFindFile=0x2e4898, lpFindFileData=0x151ef44 | out: lpFindFileData=0x151ef44) returned 1 [0073.612] FindNextFileW (in: hFindFile=0x2e4898, lpFindFileData=0x151ef44 | out: lpFindFileData=0x151ef44) returned 1 [0073.612] FindNextFileW (in: hFindFile=0x2e4898, lpFindFileData=0x151ef44 | out: lpFindFileData=0x151ef44) returned 1 [0073.612] FindNextFileW (in: hFindFile=0x2e4898, lpFindFileData=0x151ef44 | out: lpFindFileData=0x151ef44) returned 0 [0073.612] GetLastError () returned 0x12 [0073.612] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xdc [0073.612] SetFileTime (hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x151edf4, lpLastWriteTime=0x151edf4) returned 1 [0073.612] GetFileTime (in: hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151eeb8 | out: lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151eeb8*(dwLowDateTime=0xf3076b00, dwHighDateTime=0x1d301be)) returned 1 [0073.612] CryptGenKey (in: hProv=0x2889e8, Algid=0x6801, dwFlags=0x800001, phKey=0x151ee14 | out: phKey=0x151ee14*=0x2e48d8) returned 1 [0073.612] CryptExportKey (in: hKey=0x2e48d8, hExpKey=0x289ec0, dwBlobType=0x1, dwFlags=0x0, pbData=0xb35138, pdwDataLen=0x151ee18 | out: pbData=0xb35138*, pdwDataLen=0x151ee18*=0x8c) returned 1 [0073.612] ReadFile (in: hFile=0xdc, lpBuffer=0x18e0020, nNumberOfBytesToRead=0xa00000, lpNumberOfBytesRead=0x151ee20, lpOverlapped=0x0 | out: lpBuffer=0x18e0020*, lpNumberOfBytesRead=0x151ee20*=0xa00000, lpOverlapped=0x0) returned 1 [0074.502] CryptEncrypt (in: hKey=0x2e48d8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d00020*, pdwDataLen=0x151ee10*=0xa00000, dwBufLen=0xa00008 | out: pbData=0x2d00020*, pdwDataLen=0x151ee10*=0xa00000) returned 1 [0074.685] ReadFile (in: hFile=0xdc, lpBuffer=0x22f0020, nNumberOfBytesToRead=0xa00000, lpNumberOfBytesRead=0x151ee20, lpOverlapped=0x0 | out: lpBuffer=0x22f0020*, lpNumberOfBytesRead=0x151ee20*=0xa00000, lpOverlapped=0x0) returned 1 [0075.061] CryptEncrypt (in: hKey=0x2e48d8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d00020*, pdwDataLen=0x151ee10*=0xa00000, dwBufLen=0xa00008 | out: pbData=0x2d00020*, pdwDataLen=0x151ee10*=0xa00000) returned 1 [0075.223] ReadFile (in: hFile=0xdc, lpBuffer=0xae9a40, nNumberOfBytesToRead=0x16b54, lpNumberOfBytesRead=0x151ee20, lpOverlapped=0x0 | out: lpBuffer=0xae9a40*, lpNumberOfBytesRead=0x151ee20*=0x16b54, lpOverlapped=0x0) returned 1 [0075.230] CryptEncrypt (in: hKey=0x2e48d8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xae9a40*, pdwDataLen=0x151ee10*=0x16b54, dwBufLen=0x16b5c | out: pbData=0xae9a40*, pdwDataLen=0x151ee10*=0x16b54) returned 1 [0075.233] SetFileTime (hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151eeb8) returned 1 [0075.233] NtClose (Handle=0xdc) returned 0x0 [0075.233] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab.locked" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.cab.locked")) returned 1 [0075.233] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab.locked", dwFileAttributes=0x2020) returned 1 [0075.233] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab.readme_txt", dwFileAttributes=0x80) returned 0 [0075.233] GetLastError () returned 0x2 [0075.233] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.cab.readme_txt"), fInfoLevelId=0x0, lpFileInformation=0x151edb0 | out: lpFileInformation=0x151edb0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x868e92, ftLastWriteTime.dwLowDateTime=0x80, ftLastWriteTime.dwHighDateTime=0x151ef14, nFileSizeHigh=0x0, nFileSizeLow=0x151eee4)) returned 0 [0075.233] GetLastError () returned 0x2 [0075.233] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.cab.readme_txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xdc [0075.234] SetFileTime (hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x151edf4, lpLastWriteTime=0x151edf4) returned 1 [0075.235] WriteFile (in: hFile=0xdc, lpBuffer=0xae7b50*, nNumberOfBytesToWrite=0x3a4, lpNumberOfBytesWritten=0x151ee20, lpOverlapped=0x0 | out: lpBuffer=0xae7b50*, lpNumberOfBytesWritten=0x151ee20*=0x3a4, lpOverlapped=0x0) returned 1 [0075.235] SetFileTime (hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151eeb8) returned 1 [0075.235] NtClose (Handle=0xdc) returned 0x0 [0075.236] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.cab.readme_txt", dwFileAttributes=0x2020) returned 1 [0075.269] CryptDestroyKey (hKey=0x2e48d8) returned 1 [0075.269] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xdc [0075.270] SetFileTime (hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x151edf4, lpLastWriteTime=0x151edf4) returned 1 [0075.270] GetFileTime (in: hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151eeb8 | out: lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151eeb8*(dwLowDateTime=0xf2e3b660, dwHighDateTime=0x1d301be)) returned 1 [0075.270] CryptGenKey (in: hProv=0x2889e8, Algid=0x6801, dwFlags=0x800001, phKey=0x151ee14 | out: phKey=0x151ee14*=0x2e48d8) returned 1 [0075.270] CryptExportKey (in: hKey=0x2e48d8, hExpKey=0x289ec0, dwBlobType=0x1, dwFlags=0x0, pbData=0xb35138, pdwDataLen=0x151ee18 | out: pbData=0xb35138*, pdwDataLen=0x151ee18*=0x8c) returned 1 [0075.270] ReadFile (in: hFile=0xdc, lpBuffer=0x1210020, nNumberOfBytesToRead=0xd8400, lpNumberOfBytesRead=0x151ee20, lpOverlapped=0x0 | out: lpBuffer=0x1210020*, lpNumberOfBytesRead=0x151ee20*=0xd8400, lpOverlapped=0x0) returned 1 [0075.315] CryptEncrypt (in: hKey=0x2e48d8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x18e0020*, pdwDataLen=0x151ee10*=0xd8400, dwBufLen=0xd8408 | out: pbData=0x18e0020*, pdwDataLen=0x151ee10*=0xd8400) returned 1 [0075.327] SetFileTime (hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151eeb8) returned 1 [0075.327] NtClose (Handle=0xdc) returned 0x0 [0075.327] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi.locked" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.msi.locked")) returned 1 [0075.328] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi.locked", dwFileAttributes=0x2020) returned 1 [0075.328] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi.readme_txt", dwFileAttributes=0x80) returned 0 [0075.328] GetLastError () returned 0x2 [0075.328] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.msi.readme_txt"), fInfoLevelId=0x0, lpFileInformation=0x151edb0 | out: lpFileInformation=0x151edb0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x868e92, ftLastWriteTime.dwLowDateTime=0x80, ftLastWriteTime.dwHighDateTime=0x151ef14, nFileSizeHigh=0x0, nFileSizeLow=0x151eee4)) returned 0 [0075.328] GetLastError () returned 0x2 [0075.328] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.msi.readme_txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xdc [0075.328] SetFileTime (hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x151edf4, lpLastWriteTime=0x151edf4) returned 1 [0075.329] WriteFile (in: hFile=0xdc, lpBuffer=0xae7b50*, nNumberOfBytesToWrite=0x3a4, lpNumberOfBytesWritten=0x151ee20, lpOverlapped=0x0 | out: lpBuffer=0xae7b50*, lpNumberOfBytesWritten=0x151ee20*=0x3a4, lpOverlapped=0x0) returned 1 [0075.329] SetFileTime (hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151eeb8) returned 1 [0075.329] NtClose (Handle=0xdc) returned 0x0 [0075.330] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.msi.readme_txt", dwFileAttributes=0x2020) returned 1 [0075.333] CryptDestroyKey (hKey=0x2e48d8) returned 1 [0075.333] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xdc [0075.333] SetFileTime (hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x151edf4, lpLastWriteTime=0x151edf4) returned 1 [0075.333] GetFileTime (in: hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151eeb8 | out: lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151eeb8*(dwLowDateTime=0xf2bd90c0, dwHighDateTime=0x1d301be)) returned 1 [0075.333] CryptGenKey (in: hProv=0x2889e8, Algid=0x6801, dwFlags=0x800001, phKey=0x151ee14 | out: phKey=0x151ee14*=0x2e48d8) returned 1 [0075.334] CryptExportKey (in: hKey=0x2e48d8, hExpKey=0x289ec0, dwBlobType=0x1, dwFlags=0x0, pbData=0xb35138, pdwDataLen=0x151ee18 | out: pbData=0xb35138*, pdwDataLen=0x151ee18*=0x8c) returned 1 [0075.334] ReadFile (in: hFile=0xdc, lpBuffer=0xb3e220, nNumberOfBytesToRead=0x5b2, lpNumberOfBytesRead=0x151ee20, lpOverlapped=0x0 | out: lpBuffer=0xb3e220*, lpNumberOfBytesRead=0x151ee20*=0x5b2, lpOverlapped=0x0) returned 1 [0075.339] CryptEncrypt (in: hKey=0x2e48d8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xb2b9e0*, pdwDataLen=0x151ee10*=0x5b2, dwBufLen=0x5ba | out: pbData=0xb2b9e0*, pdwDataLen=0x151ee10*=0x5b2) returned 1 [0075.341] SetFileTime (hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151eeb8) returned 1 [0075.341] NtClose (Handle=0xdc) returned 0x0 [0075.342] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.xml"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml.locked" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.xml.locked")) returned 1 [0075.342] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml.locked", dwFileAttributes=0x2020) returned 1 [0075.342] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml.readme_txt", dwFileAttributes=0x80) returned 0 [0075.342] GetLastError () returned 0x2 [0075.342] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.xml.readme_txt"), fInfoLevelId=0x0, lpFileInformation=0x151edb0 | out: lpFileInformation=0x151edb0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x868e92, ftLastWriteTime.dwLowDateTime=0x80, ftLastWriteTime.dwHighDateTime=0x151ef14, nFileSizeHigh=0x0, nFileSizeLow=0x151eee4)) returned 0 [0075.342] GetLastError () returned 0x2 [0075.342] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-002c-0409-1000-0000000ff1ce}-c\\proof.fr\\proof.xml.readme_txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xdc [0075.342] SetFileTime (hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x151edf4, lpLastWriteTime=0x151edf4) returned 1 [0075.342] WriteFile (in: hFile=0xdc, lpBuffer=0xae7b50*, nNumberOfBytesToWrite=0x3a4, lpNumberOfBytesWritten=0x151ee20, lpOverlapped=0x0 | out: lpBuffer=0xae7b50*, lpNumberOfBytesWritten=0x151ee20*=0x3a4, lpOverlapped=0x0) returned 1 [0075.343] SetFileTime (hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151eeb8) returned 1 [0075.343] NtClose (Handle=0xdc) returned 0x0 [0075.344] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\Proof.xml.readme_txt", dwFileAttributes=0x2020) returned 1 [0075.344] CryptDestroyKey (hKey=0x2e48d8) returned 1 [0075.344] FindFirstFileExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-002C-0409-1000-0000000FF1CE}-C\\Proof.fr\\*", fInfoLevelId=0x1, lpFindFileData=0x151ef44, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x151ef44) returned 0x2e48d8 [0075.344] FindClose (in: hFindFile=0x2e4898 | out: hFindFile=0x2e4898) returned 1 [0075.344] FindNextFileW (in: hFindFile=0x2e48d8, lpFindFileData=0x151ef44 | out: lpFindFileData=0x151ef44) returned 1 [0075.344] FindNextFileW (in: hFindFile=0x2e48d8, lpFindFileData=0x151ef44 | out: lpFindFileData=0x151ef44) returned 1 [0075.344] FindNextFileW (in: hFindFile=0x2e48d8, lpFindFileData=0x151ef44 | out: lpFindFileData=0x151ef44) returned 1 [0075.344] FindNextFileW (in: hFindFile=0x2e48d8, lpFindFileData=0x151ef44 | out: lpFindFileData=0x151ef44) returned 1 [0075.344] FindNextFileW (in: hFindFile=0x2e48d8, lpFindFileData=0x151ef44 | out: lpFindFileData=0x151ef44) returned 1 [0075.344] FindNextFileW (in: hFindFile=0x2e48d8, lpFindFileData=0x151ef44 | out: lpFindFileData=0x151ef44) returned 1 [0075.344] FindNextFileW (in: hFindFile=0x2e48d8, lpFindFileData=0x151ef44 | out: lpFindFileData=0x151ef44) returned 1 [0075.344] FindNextFileW (in: hFindFile=0x2e48d8, lpFindFileData=0x151ef44 | out: lpFindFileData=0x151ef44) returned 0 [0075.344] GetLastError () returned 0x12 [0075.344] FindNextFileW (in: hFindFile=0x2e4858, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0075.344] FindNextFileW (in: hFindFile=0x2e4858, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0075.344] FindNextFileW (in: hFindFile=0x2e4858, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0075.344] FindNextFileW (in: hFindFile=0x2e4858, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0075.344] FindNextFileW (in: hFindFile=0x2e4858, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0075.344] FindNextFileW (in: hFindFile=0x2e4858, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0075.345] FindNextFileW (in: hFindFile=0x2e4858, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 0 [0075.345] GetLastError () returned 0x12 [0075.345] FindNextFileW (in: hFindFile=0x290710, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0075.346] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2200000, hTemplateFile=0x0) returned 0x180 [0075.346] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x151f43c, lpLastWriteTime=0x151f43c) returned 0 [0075.346] DeviceIoControl (in: hDevice=0x180, dwIoControlCode=0x900a8, lpInBuffer=0x0, nInBufferSize=0x0, lpOutBuffer=0xae9a40, nOutBufferSize=0x4000, lpBytesReturned=0x151f494, lpOverlapped=0x0 | out: lpOutBuffer=0xae9a40, lpBytesReturned=0x151f494, lpOverlapped=0x0) returned 0 [0075.346] FindFirstFileExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\*", fInfoLevelId=0x1, lpFindFileData=0x151f204, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x151f204) returned 0x2e4858 [0075.352] FindNextFileW (in: hFindFile=0x2e4858, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0075.352] FindNextFileW (in: hFindFile=0x2e4858, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0075.352] FindNextFileW (in: hFindFile=0x2e4858, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0075.352] FindNextFileW (in: hFindFile=0x2e4858, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0075.352] FindNextFileW (in: hFindFile=0x2e4858, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0075.352] FindNextFileW (in: hFindFile=0x2e4858, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 0 [0075.352] GetLastError () returned 0x12 [0075.353] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xdc [0075.353] SetFileTime (hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0075.353] GetFileTime (in: hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178 | out: lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178*(dwLowDateTime=0xfc138cb0, dwHighDateTime=0x1d301be)) returned 1 [0075.353] CryptGenKey (in: hProv=0x2889e8, Algid=0x6801, dwFlags=0x800001, phKey=0x151f0d4 | out: phKey=0x151f0d4*=0x2e48d8) returned 1 [0075.353] CryptExportKey (in: hKey=0x2e48d8, hExpKey=0x289ec0, dwBlobType=0x1, dwFlags=0x0, pbData=0xb35138, pdwDataLen=0x151f0d8 | out: pbData=0xb35138*, pdwDataLen=0x151f0d8*=0x8c) returned 1 [0075.353] ReadFile (in: hFile=0xdc, lpBuffer=0x1210020, nNumberOfBytesToRead=0xd5600, lpNumberOfBytesRead=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0x1210020*, lpNumberOfBytesRead=0x151f0e0*=0xd5600, lpOverlapped=0x0) returned 1 [0075.400] CryptEncrypt (in: hKey=0x2e48d8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x18e0020*, pdwDataLen=0x151f0d0*=0xd5600, dwBufLen=0xd5608 | out: pbData=0x18e0020*, pdwDataLen=0x151f0d0*=0xd5600) returned 1 [0075.420] SetFileTime (hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0075.420] NtClose (Handle=0xdc) returned 0x0 [0075.420] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi.locked" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.msi.locked")) returned 1 [0075.421] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi.locked", dwFileAttributes=0x2020) returned 1 [0075.421] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi.readme_txt", dwFileAttributes=0x80) returned 0 [0075.421] GetLastError () returned 0x2 [0075.421] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.msi.readme_txt"), fInfoLevelId=0x0, lpFileInformation=0x151f070 | out: lpFileInformation=0x151f070*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x868e92, ftLastWriteTime.dwLowDateTime=0x80, ftLastWriteTime.dwHighDateTime=0x151f1d4, nFileSizeHigh=0x0, nFileSizeLow=0x151f1a4)) returned 0 [0075.421] GetLastError () returned 0x2 [0075.421] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.msi.readme_txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xdc [0075.421] SetFileTime (hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0075.421] WriteFile (in: hFile=0xdc, lpBuffer=0xae7b50*, nNumberOfBytesToWrite=0x3a4, lpNumberOfBytesWritten=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0xae7b50*, lpNumberOfBytesWritten=0x151f0e0*=0x3a4, lpOverlapped=0x0) returned 1 [0075.422] SetFileTime (hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0075.422] NtClose (Handle=0xdc) returned 0x0 [0075.423] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.msi.readme_txt", dwFileAttributes=0x2020) returned 1 [0075.425] CryptDestroyKey (hKey=0x2e48d8) returned 1 [0075.426] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xdc [0075.426] SetFileTime (hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0075.426] GetFileTime (in: hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178 | out: lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178*(dwLowDateTime=0xfc138cb0, dwHighDateTime=0x1d301be)) returned 1 [0075.426] CryptGenKey (in: hProv=0x2889e8, Algid=0x6801, dwFlags=0x800001, phKey=0x151f0d4 | out: phKey=0x151f0d4*=0x2e48d8) returned 1 [0075.426] CryptExportKey (in: hKey=0x2e48d8, hExpKey=0x289ec0, dwBlobType=0x1, dwFlags=0x0, pbData=0xb35138, pdwDataLen=0x151f0d8 | out: pbData=0xb35138*, pdwDataLen=0x151f0d8*=0x8c) returned 1 [0075.426] ReadFile (in: hFile=0xdc, lpBuffer=0xb3e220, nNumberOfBytesToRead=0x567, lpNumberOfBytesRead=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0xb3e220*, lpNumberOfBytesRead=0x151f0e0*=0x567, lpOverlapped=0x0) returned 1 [0075.438] CryptEncrypt (in: hKey=0x2e48d8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xb2b9e0*, pdwDataLen=0x151f0d0*=0x567, dwBufLen=0x56f | out: pbData=0xb2b9e0*, pdwDataLen=0x151f0d0*=0x567) returned 1 [0075.441] SetFileTime (hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0075.441] NtClose (Handle=0xdc) returned 0x0 [0075.442] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.xml"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml.locked" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.xml.locked")) returned 1 [0075.442] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml.locked", dwFileAttributes=0x2020) returned 1 [0075.442] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml.readme_txt", dwFileAttributes=0x80) returned 0 [0075.442] GetLastError () returned 0x2 [0075.442] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.xml.readme_txt"), fInfoLevelId=0x0, lpFileInformation=0x151f070 | out: lpFileInformation=0x151f070*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x868e92, ftLastWriteTime.dwLowDateTime=0x80, ftLastWriteTime.dwHighDateTime=0x151f1d4, nFileSizeHigh=0x0, nFileSizeLow=0x151f1a4)) returned 0 [0075.442] GetLastError () returned 0x2 [0075.442] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\office32mui.xml.readme_txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xdc [0075.443] SetFileTime (hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0075.443] WriteFile (in: hFile=0xdc, lpBuffer=0xae7b50*, nNumberOfBytesToWrite=0x3a4, lpNumberOfBytesWritten=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0xae7b50*, lpNumberOfBytesWritten=0x151f0e0*=0x3a4, lpOverlapped=0x0) returned 1 [0075.443] SetFileTime (hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0075.443] NtClose (Handle=0xdc) returned 0x0 [0075.444] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Office32MUI.xml.readme_txt", dwFileAttributes=0x2020) returned 1 [0075.444] CryptDestroyKey (hKey=0x2e48d8) returned 1 [0075.444] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\owow32lr.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xdc [0075.444] SetFileTime (hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0075.444] GetFileTime (in: hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178 | out: lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178*(dwLowDateTime=0xfc301560, dwHighDateTime=0x1d301be)) returned 1 [0075.445] CryptGenKey (in: hProv=0x2889e8, Algid=0x6801, dwFlags=0x800001, phKey=0x151f0d4 | out: phKey=0x151f0d4*=0x2e48d8) returned 1 [0075.445] CryptExportKey (in: hKey=0x2e48d8, hExpKey=0x289ec0, dwBlobType=0x1, dwFlags=0x0, pbData=0xb35138, pdwDataLen=0x151f0d8 | out: pbData=0xb35138*, pdwDataLen=0x151f0d8*=0x8c) returned 1 [0075.445] ReadFile (in: hFile=0xdc, lpBuffer=0x18e0020, nNumberOfBytesToRead=0x2cb13b, lpNumberOfBytesRead=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0x18e0020*, lpNumberOfBytesRead=0x151f0e0*=0x2cb13b, lpOverlapped=0x0) returned 1 [0075.589] CryptEncrypt (in: hKey=0x2e48d8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1e80020*, pdwDataLen=0x151f0d0*=0x2cb13b, dwBufLen=0x2cb143 | out: pbData=0x1e80020*, pdwDataLen=0x151f0d0*=0x2cb13b) returned 1 [0075.642] SetFileTime (hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0075.642] NtClose (Handle=0xdc) returned 0x0 [0075.642] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\owow32lr.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab.locked" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\owow32lr.cab.locked")) returned 1 [0075.642] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab.locked", dwFileAttributes=0x2020) returned 1 [0075.643] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab.readme_txt", dwFileAttributes=0x80) returned 0 [0075.643] GetLastError () returned 0x2 [0075.643] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\owow32lr.cab.readme_txt"), fInfoLevelId=0x0, lpFileInformation=0x151f070 | out: lpFileInformation=0x151f070*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x868e92, ftLastWriteTime.dwLowDateTime=0x80, ftLastWriteTime.dwHighDateTime=0x151f1d4, nFileSizeHigh=0x0, nFileSizeLow=0x151f1a4)) returned 0 [0075.643] GetLastError () returned 0x2 [0075.643] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\owow32lr.cab.readme_txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xdc [0075.643] SetFileTime (hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0075.643] WriteFile (in: hFile=0xdc, lpBuffer=0xae7b50*, nNumberOfBytesToWrite=0x3a4, lpNumberOfBytesWritten=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0xae7b50*, lpNumberOfBytesWritten=0x151f0e0*=0x3a4, lpOverlapped=0x0) returned 1 [0075.644] SetFileTime (hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0075.644] NtClose (Handle=0xdc) returned 0x0 [0075.644] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\OWOW32LR.cab.readme_txt", dwFileAttributes=0x2020) returned 1 [0075.654] CryptDestroyKey (hKey=0x2e48d8) returned 1 [0075.654] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xdc [0075.654] SetFileTime (hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0075.654] GetFileTime (in: hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178 | out: lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178*(dwLowDateTime=0xfc3e4630, dwHighDateTime=0x1d301be)) returned 1 [0075.654] CryptGenKey (in: hProv=0x2889e8, Algid=0x6801, dwFlags=0x800001, phKey=0x151f0d4 | out: phKey=0x151f0d4*=0x2e48d8) returned 1 [0075.654] CryptExportKey (in: hKey=0x2e48d8, hExpKey=0x289ec0, dwBlobType=0x1, dwFlags=0x0, pbData=0xb35138, pdwDataLen=0x151f0d8 | out: pbData=0xb35138*, pdwDataLen=0x151f0d8*=0x8c) returned 1 [0075.654] ReadFile (in: hFile=0xdc, lpBuffer=0xb86c38, nNumberOfBytesToRead=0x93a, lpNumberOfBytesRead=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0xb86c38*, lpNumberOfBytesRead=0x151f0e0*=0x93a, lpOverlapped=0x0) returned 1 [0075.655] CryptEncrypt (in: hKey=0x2e48d8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xb5b540*, pdwDataLen=0x151f0d0*=0x93a, dwBufLen=0x942 | out: pbData=0xb5b540*, pdwDataLen=0x151f0d0*=0x93a) returned 1 [0075.658] SetFileTime (hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0075.658] NtClose (Handle=0xdc) returned 0x0 [0075.658] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml.locked" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\setup.xml.locked")) returned 1 [0075.658] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml.locked", dwFileAttributes=0x2020) returned 1 [0075.658] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml.readme_txt", dwFileAttributes=0x80) returned 0 [0075.658] GetLastError () returned 0x2 [0075.658] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\setup.xml.readme_txt"), fInfoLevelId=0x0, lpFileInformation=0x151f070 | out: lpFileInformation=0x151f070*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x868e92, ftLastWriteTime.dwLowDateTime=0x80, ftLastWriteTime.dwHighDateTime=0x151f1d4, nFileSizeHigh=0x0, nFileSizeLow=0x151f1a4)) returned 0 [0075.658] GetLastError () returned 0x2 [0075.658] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-0043-0409-1000-0000000ff1ce}-c\\setup.xml.readme_txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xdc [0075.659] SetFileTime (hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0075.659] WriteFile (in: hFile=0xdc, lpBuffer=0xae7b50*, nNumberOfBytesToWrite=0x3a4, lpNumberOfBytesWritten=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0xae7b50*, lpNumberOfBytesWritten=0x151f0e0*=0x3a4, lpOverlapped=0x0) returned 1 [0075.659] SetFileTime (hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0075.659] NtClose (Handle=0xdc) returned 0x0 [0075.660] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\Setup.xml.readme_txt", dwFileAttributes=0x2020) returned 1 [0075.660] CryptDestroyKey (hKey=0x2e48d8) returned 1 [0075.660] FindFirstFileExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0043-0409-1000-0000000FF1CE}-C\\*", fInfoLevelId=0x1, lpFindFileData=0x151f204, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x151f204) returned 0x2e48d8 [0075.660] FindClose (in: hFindFile=0x2e4858 | out: hFindFile=0x2e4858) returned 1 [0075.661] FindNextFileW (in: hFindFile=0x2e48d8, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0075.661] FindNextFileW (in: hFindFile=0x2e48d8, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0075.661] FindNextFileW (in: hFindFile=0x2e48d8, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0075.661] FindNextFileW (in: hFindFile=0x2e48d8, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0075.661] FindNextFileW (in: hFindFile=0x2e48d8, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0075.661] FindNextFileW (in: hFindFile=0x2e48d8, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0075.661] FindNextFileW (in: hFindFile=0x2e48d8, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0075.661] FindNextFileW (in: hFindFile=0x2e48d8, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0075.661] FindNextFileW (in: hFindFile=0x2e48d8, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0075.661] FindNextFileW (in: hFindFile=0x2e48d8, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 0 [0075.661] GetLastError () returned 0x12 [0075.661] FindNextFileW (in: hFindFile=0x290710, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0075.661] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2200000, hTemplateFile=0x0) returned 0xdc [0075.662] SetFileTime (hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x151f43c, lpLastWriteTime=0x151f43c) returned 0 [0075.662] DeviceIoControl (in: hDevice=0xdc, dwIoControlCode=0x900a8, lpInBuffer=0x0, nInBufferSize=0x0, lpOutBuffer=0xae9a40, nOutBufferSize=0x4000, lpBytesReturned=0x151f494, lpOverlapped=0x0 | out: lpOutBuffer=0xae9a40, lpBytesReturned=0x151f494, lpOverlapped=0x0) returned 0 [0075.662] FindFirstFileExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\*", fInfoLevelId=0x1, lpFindFileData=0x151f204, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x151f204) returned 0x2e48d8 [0075.663] FindNextFileW (in: hFindFile=0x2e48d8, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0075.663] FindNextFileW (in: hFindFile=0x2e48d8, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0075.663] FindNextFileW (in: hFindFile=0x2e48d8, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0075.663] FindNextFileW (in: hFindFile=0x2e48d8, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0075.663] FindNextFileW (in: hFindFile=0x2e48d8, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0075.663] FindNextFileW (in: hFindFile=0x2e48d8, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 0 [0075.663] GetLastError () returned 0x12 [0075.663] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\inflr.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0075.663] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0075.663] GetFileTime (in: hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178 | out: lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178*(dwLowDateTime=0xf79111d0, dwHighDateTime=0x1d301be)) returned 1 [0075.664] CryptGenKey (in: hProv=0x2889e8, Algid=0x6801, dwFlags=0x800001, phKey=0x151f0d4 | out: phKey=0x151f0d4*=0x2e4858) returned 1 [0075.664] CryptExportKey (in: hKey=0x2e4858, hExpKey=0x289ec0, dwBlobType=0x1, dwFlags=0x0, pbData=0xb35138, pdwDataLen=0x151f0d8 | out: pbData=0xb35138*, pdwDataLen=0x151f0d8*=0x8c) returned 1 [0075.664] ReadFile (in: hFile=0x180, lpBuffer=0x18e0020, nNumberOfBytesToRead=0xa00000, lpNumberOfBytesRead=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0x18e0020*, lpNumberOfBytesRead=0x151f0e0*=0xa00000, lpOverlapped=0x0) returned 1 [0076.292] CryptEncrypt (in: hKey=0x2e4858, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d00020*, pdwDataLen=0x151f0d0*=0xa00000, dwBufLen=0xa00008 | out: pbData=0x2d00020*, pdwDataLen=0x151f0d0*=0xa00000) returned 1 [0076.467] ReadFile (in: hFile=0x180, lpBuffer=0x22f0020, nNumberOfBytesToRead=0x800204, lpNumberOfBytesRead=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0x22f0020*, lpNumberOfBytesRead=0x151f0e0*=0x800204, lpOverlapped=0x0) returned 1 [0076.672] CryptEncrypt (in: hKey=0x2e4858, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x22f0020*, pdwDataLen=0x151f0d0*=0x800204, dwBufLen=0x80020c | out: pbData=0x22f0020*, pdwDataLen=0x151f0d0*=0x800204) returned 1 [0076.806] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0076.806] NtClose (Handle=0x180) returned 0x0 [0076.807] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\inflr.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab.locked" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\inflr.cab.locked")) returned 1 [0076.807] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab.locked", dwFileAttributes=0x2020) returned 1 [0076.807] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab.readme_txt", dwFileAttributes=0x80) returned 0 [0076.807] GetLastError () returned 0x2 [0076.807] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\inflr.cab.readme_txt"), fInfoLevelId=0x0, lpFileInformation=0x151f070 | out: lpFileInformation=0x151f070*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x868e92, ftLastWriteTime.dwLowDateTime=0x80, ftLastWriteTime.dwHighDateTime=0x151f1d4, nFileSizeHigh=0x0, nFileSizeLow=0x151f1a4)) returned 0 [0076.807] GetLastError () returned 0x2 [0076.807] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\inflr.cab.readme_txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0076.808] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0076.808] WriteFile (in: hFile=0x180, lpBuffer=0xae7b50*, nNumberOfBytesToWrite=0x3a4, lpNumberOfBytesWritten=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0xae7b50*, lpNumberOfBytesWritten=0x151f0e0*=0x3a4, lpOverlapped=0x0) returned 1 [0076.808] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0076.808] NtClose (Handle=0x180) returned 0x0 [0076.809] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfLR.cab.readme_txt", dwFileAttributes=0x2020) returned 1 [0076.844] CryptDestroyKey (hKey=0x2e4858) returned 1 [0076.844] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0076.845] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0076.845] GetFileTime (in: hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178 | out: lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178*(dwLowDateTime=0xf6e58f90, dwHighDateTime=0x1d301be)) returned 1 [0076.845] CryptGenKey (in: hProv=0x2889e8, Algid=0x6801, dwFlags=0x800001, phKey=0x151f0d4 | out: phKey=0x151f0d4*=0x2e4858) returned 1 [0076.845] CryptExportKey (in: hKey=0x2e4858, hExpKey=0x289ec0, dwBlobType=0x1, dwFlags=0x0, pbData=0xb35138, pdwDataLen=0x151f0d8 | out: pbData=0xb35138*, pdwDataLen=0x151f0d8*=0x8c) returned 1 [0076.845] ReadFile (in: hFile=0x180, lpBuffer=0x18e0020, nNumberOfBytesToRead=0x2fac00, lpNumberOfBytesRead=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0x18e0020*, lpNumberOfBytesRead=0x151f0e0*=0x2fac00, lpOverlapped=0x0) returned 1 [0077.108] CryptEncrypt (in: hKey=0x2e4858, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1ee0020*, pdwDataLen=0x151f0d0*=0x2fac00, dwBufLen=0x2fac08 | out: pbData=0x1ee0020*, pdwDataLen=0x151f0d0*=0x2fac00) returned 1 [0077.153] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0077.153] NtClose (Handle=0x180) returned 0x0 [0077.154] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi.locked" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.msi.locked")) returned 1 [0077.154] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi.locked", dwFileAttributes=0x2020) returned 1 [0077.154] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi.readme_txt", dwFileAttributes=0x80) returned 0 [0077.154] GetLastError () returned 0x2 [0077.154] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.msi.readme_txt"), fInfoLevelId=0x0, lpFileInformation=0x151f070 | out: lpFileInformation=0x151f070*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x868e92, ftLastWriteTime.dwLowDateTime=0x80, ftLastWriteTime.dwHighDateTime=0x151f1d4, nFileSizeHigh=0x0, nFileSizeLow=0x151f1a4)) returned 0 [0077.154] GetLastError () returned 0x2 [0077.154] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.msi.readme_txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0077.155] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0077.155] WriteFile (in: hFile=0x180, lpBuffer=0xae7b50*, nNumberOfBytesToWrite=0x3a4, lpNumberOfBytesWritten=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0xae7b50*, lpNumberOfBytesWritten=0x151f0e0*=0x3a4, lpOverlapped=0x0) returned 1 [0077.155] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0077.155] NtClose (Handle=0x180) returned 0x0 [0077.156] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.msi.readme_txt", dwFileAttributes=0x2020) returned 1 [0077.166] CryptDestroyKey (hKey=0x2e4858) returned 1 [0077.167] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0077.167] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0077.167] GetFileTime (in: hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178 | out: lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178*(dwLowDateTime=0xf6e345a0, dwHighDateTime=0x1d301be)) returned 1 [0077.167] CryptGenKey (in: hProv=0x2889e8, Algid=0x6801, dwFlags=0x800001, phKey=0x151f0d4 | out: phKey=0x151f0d4*=0x2e4858) returned 1 [0077.167] CryptExportKey (in: hKey=0x2e4858, hExpKey=0x289ec0, dwBlobType=0x1, dwFlags=0x0, pbData=0xb35138, pdwDataLen=0x151f0d8 | out: pbData=0xb35138*, pdwDataLen=0x151f0d8*=0x8c) returned 1 [0077.167] ReadFile (in: hFile=0x180, lpBuffer=0xb3e220, nNumberOfBytesToRead=0x4cf, lpNumberOfBytesRead=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0xb3e220*, lpNumberOfBytesRead=0x151f0e0*=0x4cf, lpOverlapped=0x0) returned 1 [0077.174] CryptEncrypt (in: hKey=0x2e4858, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xb2b9e0*, pdwDataLen=0x151f0d0*=0x4cf, dwBufLen=0x4d7 | out: pbData=0xb2b9e0*, pdwDataLen=0x151f0d0*=0x4cf) returned 1 [0077.177] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0077.177] NtClose (Handle=0x180) returned 0x0 [0077.177] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.xml"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml.locked" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.xml.locked")) returned 1 [0077.178] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml.locked", dwFileAttributes=0x2020) returned 1 [0077.178] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml.readme_txt", dwFileAttributes=0x80) returned 0 [0077.178] GetLastError () returned 0x2 [0077.178] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.xml.readme_txt"), fInfoLevelId=0x0, lpFileInformation=0x151f070 | out: lpFileInformation=0x151f070*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x868e92, ftLastWriteTime.dwLowDateTime=0x80, ftLastWriteTime.dwHighDateTime=0x151f1d4, nFileSizeHigh=0x0, nFileSizeLow=0x151f1a4)) returned 0 [0077.178] GetLastError () returned 0x2 [0077.178] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\infopathmui.xml.readme_txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0077.178] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0077.178] WriteFile (in: hFile=0x180, lpBuffer=0xae7b50*, nNumberOfBytesToWrite=0x3a4, lpNumberOfBytesWritten=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0xae7b50*, lpNumberOfBytesWritten=0x151f0e0*=0x3a4, lpOverlapped=0x0) returned 1 [0077.179] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0077.179] NtClose (Handle=0x180) returned 0x0 [0077.180] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\InfoPathMUI.xml.readme_txt", dwFileAttributes=0x2020) returned 1 [0077.180] CryptDestroyKey (hKey=0x2e4858) returned 1 [0077.180] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0077.180] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0077.180] GetFileTime (in: hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178 | out: lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178*(dwLowDateTime=0xfa13c510, dwHighDateTime=0x1d301be)) returned 1 [0077.181] CryptGenKey (in: hProv=0x2889e8, Algid=0x6801, dwFlags=0x800001, phKey=0x151f0d4 | out: phKey=0x151f0d4*=0x2e4858) returned 1 [0077.181] CryptExportKey (in: hKey=0x2e4858, hExpKey=0x289ec0, dwBlobType=0x1, dwFlags=0x0, pbData=0xb35138, pdwDataLen=0x151f0d8 | out: pbData=0xb35138*, pdwDataLen=0x151f0d8*=0x8c) returned 1 [0077.181] ReadFile (in: hFile=0x180, lpBuffer=0xb2b9e0, nNumberOfBytesToRead=0x73c, lpNumberOfBytesRead=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0xb2b9e0*, lpNumberOfBytesRead=0x151f0e0*=0x73c, lpOverlapped=0x0) returned 1 [0077.186] CryptEncrypt (in: hKey=0x2e4858, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xb86c38*, pdwDataLen=0x151f0d0*=0x73c, dwBufLen=0x744 | out: pbData=0xb86c38*, pdwDataLen=0x151f0d0*=0x73c) returned 1 [0077.190] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0077.190] NtClose (Handle=0x180) returned 0x0 [0077.190] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml.locked" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\setup.xml.locked")) returned 1 [0077.190] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml.locked", dwFileAttributes=0x2020) returned 1 [0077.191] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml.readme_txt", dwFileAttributes=0x80) returned 0 [0077.191] GetLastError () returned 0x2 [0077.191] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\setup.xml.readme_txt"), fInfoLevelId=0x0, lpFileInformation=0x151f070 | out: lpFileInformation=0x151f070*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x868e92, ftLastWriteTime.dwLowDateTime=0x80, ftLastWriteTime.dwHighDateTime=0x151f1d4, nFileSizeHigh=0x0, nFileSizeLow=0x151f1a4)) returned 0 [0077.191] GetLastError () returned 0x2 [0077.191] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-0044-0409-1000-0000000ff1ce}-c\\setup.xml.readme_txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0077.191] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0077.191] WriteFile (in: hFile=0x180, lpBuffer=0xae7b50*, nNumberOfBytesToWrite=0x3a4, lpNumberOfBytesWritten=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0xae7b50*, lpNumberOfBytesWritten=0x151f0e0*=0x3a4, lpOverlapped=0x0) returned 1 [0077.192] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0077.192] NtClose (Handle=0x180) returned 0x0 [0077.192] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\Setup.xml.readme_txt", dwFileAttributes=0x2020) returned 1 [0077.192] CryptDestroyKey (hKey=0x2e4858) returned 1 [0077.192] FindFirstFileExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0044-0409-1000-0000000FF1CE}-C\\*", fInfoLevelId=0x1, lpFindFileData=0x151f204, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x151f204) returned 0x2e4858 [0077.193] FindClose (in: hFindFile=0x2e48d8 | out: hFindFile=0x2e48d8) returned 1 [0077.193] FindNextFileW (in: hFindFile=0x2e4858, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0077.193] FindNextFileW (in: hFindFile=0x2e4858, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0077.193] FindNextFileW (in: hFindFile=0x2e4858, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0077.193] FindNextFileW (in: hFindFile=0x2e4858, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0077.194] FindNextFileW (in: hFindFile=0x2e4858, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0077.194] FindNextFileW (in: hFindFile=0x2e4858, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0077.194] FindNextFileW (in: hFindFile=0x2e4858, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0077.194] FindNextFileW (in: hFindFile=0x2e4858, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0077.194] FindNextFileW (in: hFindFile=0x2e4858, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0077.194] FindNextFileW (in: hFindFile=0x2e4858, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 0 [0077.194] GetLastError () returned 0x12 [0077.194] FindNextFileW (in: hFindFile=0x290710, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0077.194] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2200000, hTemplateFile=0x0) returned 0x180 [0077.194] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x151f43c, lpLastWriteTime=0x151f43c) returned 0 [0077.194] DeviceIoControl (in: hDevice=0x180, dwIoControlCode=0x900a8, lpInBuffer=0x0, nInBufferSize=0x0, lpOutBuffer=0xae9a40, nOutBufferSize=0x4000, lpBytesReturned=0x151f494, lpOverlapped=0x0 | out: lpOutBuffer=0xae9a40, lpBytesReturned=0x151f494, lpOverlapped=0x0) returned 0 [0077.194] FindFirstFileExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\*", fInfoLevelId=0x1, lpFindFileData=0x151f204, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x151f204) returned 0x2e4858 [0077.194] FindNextFileW (in: hFindFile=0x2e4858, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0077.194] FindNextFileW (in: hFindFile=0x2e4858, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0077.194] FindNextFileW (in: hFindFile=0x2e4858, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0077.194] FindNextFileW (in: hFindFile=0x2e4858, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0077.194] FindNextFileW (in: hFindFile=0x2e4858, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0077.195] FindNextFileW (in: hFindFile=0x2e4858, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 0 [0077.195] GetLastError () returned 0x12 [0077.195] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xdc [0077.195] SetFileTime (hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0077.195] CryptGenKey (in: hProv=0x2889e8, Algid=0x6801, dwFlags=0x800001, phKey=0x151f0d4 | out: phKey=0x151f0d4*=0x2e48d8) returned 1 [0077.196] CryptExportKey (in: hKey=0x2e48d8, hExpKey=0x289ec0, dwBlobType=0x1, dwFlags=0x0, pbData=0xb35138, pdwDataLen=0x151f0d8 | out: pbData=0xb35138*, pdwDataLen=0x151f0d8*=0x8c) returned 1 [0077.196] ReadFile (in: hFile=0xdc, lpBuffer=0xb7e370, nNumberOfBytesToRead=0x1861, lpNumberOfBytesRead=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0xb7e370*, lpNumberOfBytesRead=0x151f0e0*=0x1861, lpOverlapped=0x0) returned 1 [0077.207] CryptEncrypt (in: hKey=0x2e48d8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xb53de8*, pdwDataLen=0x151f0d0*=0x1861, dwBufLen=0x1869 | out: pbData=0xb53de8*, pdwDataLen=0x151f0d0*=0x1861) returned 1 [0077.210] SetFileTime (hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0077.210] NtClose (Handle=0xdc) returned 0x0 [0077.210] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml.locked" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\setup.xml.locked")) returned 1 [0077.212] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml.locked", dwFileAttributes=0x2020) returned 1 [0077.212] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml.readme_txt", dwFileAttributes=0x80) returned 0 [0077.212] GetLastError () returned 0x2 [0077.212] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\setup.xml.readme_txt"), fInfoLevelId=0x0, lpFileInformation=0x151f070 | out: lpFileInformation=0x151f070*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x868e92, ftLastWriteTime.dwLowDateTime=0x80, ftLastWriteTime.dwHighDateTime=0x151f1d4, nFileSizeHigh=0x0, nFileSizeLow=0x151f1a4)) returned 0 [0077.212] GetLastError () returned 0x2 [0077.212] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\setup.xml.readme_txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xdc [0077.212] SetFileTime (hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0077.212] WriteFile (in: hFile=0xdc, lpBuffer=0xae7b50*, nNumberOfBytesToWrite=0x3a4, lpNumberOfBytesWritten=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0xae7b50*, lpNumberOfBytesWritten=0x151f0e0*=0x3a4, lpOverlapped=0x0) returned 1 [0077.213] SetFileTime (hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0077.213] NtClose (Handle=0xdc) returned 0x0 [0077.214] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\Setup.xml.readme_txt", dwFileAttributes=0x2020) returned 1 [0077.214] CryptDestroyKey (hKey=0x2e48d8) returned 1 [0077.214] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiolr.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xdc [0077.214] SetFileTime (hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0077.214] CryptGenKey (in: hProv=0x2889e8, Algid=0x6801, dwFlags=0x800001, phKey=0x151f0d4 | out: phKey=0x151f0d4*=0x2e48d8) returned 1 [0077.215] CryptExportKey (in: hKey=0x2e48d8, hExpKey=0x289ec0, dwBlobType=0x1, dwFlags=0x0, pbData=0xb35138, pdwDataLen=0x151f0d8 | out: pbData=0xb35138*, pdwDataLen=0x151f0d8*=0x8c) returned 1 [0077.215] ReadFile (in: hFile=0xdc, lpBuffer=0x18e0020, nNumberOfBytesToRead=0xa00000, lpNumberOfBytesRead=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0x18e0020*, lpNumberOfBytesRead=0x151f0e0*=0xa00000, lpOverlapped=0x0) returned 1 [0077.787] CryptEncrypt (in: hKey=0x2e48d8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d00020*, pdwDataLen=0x151f0d0*=0xa00000, dwBufLen=0xa00008 | out: pbData=0x2d00020*, pdwDataLen=0x151f0d0*=0xa00000) returned 1 [0077.973] ReadFile (in: hFile=0xdc, lpBuffer=0x22f0020, nNumberOfBytesToRead=0xa00000, lpNumberOfBytesRead=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0x22f0020*, lpNumberOfBytesRead=0x151f0e0*=0xa00000, lpOverlapped=0x0) returned 1 [0078.360] CryptEncrypt (in: hKey=0x2e48d8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d00020*, pdwDataLen=0x151f0d0*=0xa00000, dwBufLen=0xa00008 | out: pbData=0x2d00020*, pdwDataLen=0x151f0d0*=0xa00000) returned 1 [0078.525] ReadFile (in: hFile=0xdc, lpBuffer=0x22f0020, nNumberOfBytesToRead=0xa00000, lpNumberOfBytesRead=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0x22f0020*, lpNumberOfBytesRead=0x151f0e0*=0xa00000, lpOverlapped=0x0) returned 1 [0078.915] CryptEncrypt (in: hKey=0x2e48d8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d00020*, pdwDataLen=0x151f0d0*=0xa00000, dwBufLen=0xa00008 | out: pbData=0x2d00020*, pdwDataLen=0x151f0d0*=0xa00000) returned 1 [0079.087] ReadFile (in: hFile=0xdc, lpBuffer=0x22f0020, nNumberOfBytesToRead=0xa00000, lpNumberOfBytesRead=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0x22f0020*, lpNumberOfBytesRead=0x151f0e0*=0xa00000, lpOverlapped=0x0) returned 1 [0079.562] CryptEncrypt (in: hKey=0x2e48d8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d00020*, pdwDataLen=0x151f0d0*=0xa00000, dwBufLen=0xa00008 | out: pbData=0x2d00020*, pdwDataLen=0x151f0d0*=0xa00000) returned 1 [0079.734] ReadFile (in: hFile=0xdc, lpBuffer=0x22f0020, nNumberOfBytesToRead=0x8780dd, lpNumberOfBytesRead=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0x22f0020*, lpNumberOfBytesRead=0x151f0e0*=0x8780dd, lpOverlapped=0x0) returned 1 [0079.949] CryptEncrypt (in: hKey=0x2e48d8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x22f0020*, pdwDataLen=0x151f0d0*=0x8780dd, dwBufLen=0x8780e5 | out: pbData=0x22f0020*, pdwDataLen=0x151f0d0*=0x8780dd) returned 1 [0080.091] SetFileTime (hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0080.091] NtClose (Handle=0xdc) returned 0x0 [0080.091] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiolr.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab.locked" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiolr.cab.locked")) returned 1 [0080.092] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab.locked", dwFileAttributes=0x2020) returned 1 [0080.092] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab.readme_txt", dwFileAttributes=0x80) returned 0 [0080.092] GetLastError () returned 0x2 [0080.092] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiolr.cab.readme_txt"), fInfoLevelId=0x0, lpFileInformation=0x151f070 | out: lpFileInformation=0x151f070*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x868e92, ftLastWriteTime.dwLowDateTime=0x80, ftLastWriteTime.dwHighDateTime=0x151f1d4, nFileSizeHigh=0x0, nFileSizeLow=0x151f1a4)) returned 0 [0080.092] GetLastError () returned 0x2 [0080.092] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiolr.cab.readme_txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xdc [0080.092] SetFileTime (hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0080.092] WriteFile (in: hFile=0xdc, lpBuffer=0xae7b50*, nNumberOfBytesToWrite=0x3a4, lpNumberOfBytesWritten=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0xae7b50*, lpNumberOfBytesWritten=0x151f0e0*=0x3a4, lpOverlapped=0x0) returned 1 [0080.094] SetFileTime (hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0080.094] NtClose (Handle=0xdc) returned 0x0 [0080.094] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioLR.cab.readme_txt", dwFileAttributes=0x2020) returned 1 [0080.127] CryptDestroyKey (hKey=0x2e48d8) returned 1 [0080.128] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xdc [0080.128] SetFileTime (hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0080.128] CryptGenKey (in: hProv=0x2889e8, Algid=0x6801, dwFlags=0x800001, phKey=0x151f0d4 | out: phKey=0x151f0d4*=0x2e48d8) returned 1 [0080.128] CryptExportKey (in: hKey=0x2e48d8, hExpKey=0x289ec0, dwBlobType=0x1, dwFlags=0x0, pbData=0xb35138, pdwDataLen=0x151f0d8 | out: pbData=0xb35138*, pdwDataLen=0x151f0d8*=0x8c) returned 1 [0080.128] ReadFile (in: hFile=0xdc, lpBuffer=0x18e0020, nNumberOfBytesToRead=0x2ab000, lpNumberOfBytesRead=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0x18e0020*, lpNumberOfBytesRead=0x151f0e0*=0x2ab000, lpOverlapped=0x0) returned 1 [0080.297] CryptEncrypt (in: hKey=0x2e48d8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1e40020*, pdwDataLen=0x151f0d0*=0x2ab000, dwBufLen=0x2ab008 | out: pbData=0x1e40020*, pdwDataLen=0x151f0d0*=0x2ab000) returned 1 [0080.344] SetFileTime (hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0080.344] NtClose (Handle=0xdc) returned 0x0 [0080.344] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi.locked" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.msi.locked")) returned 1 [0080.344] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi.locked", dwFileAttributes=0x2020) returned 1 [0080.345] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi.readme_txt", dwFileAttributes=0x80) returned 0 [0080.345] GetLastError () returned 0x2 [0080.345] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.msi.readme_txt"), fInfoLevelId=0x0, lpFileInformation=0x151f070 | out: lpFileInformation=0x151f070*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x868e92, ftLastWriteTime.dwLowDateTime=0x80, ftLastWriteTime.dwHighDateTime=0x151f1d4, nFileSizeHigh=0x0, nFileSizeLow=0x151f1a4)) returned 0 [0080.345] GetLastError () returned 0x2 [0080.345] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.msi.readme_txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xdc [0080.345] SetFileTime (hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0080.345] WriteFile (in: hFile=0xdc, lpBuffer=0xae7b50*, nNumberOfBytesToWrite=0x3a4, lpNumberOfBytesWritten=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0xae7b50*, lpNumberOfBytesWritten=0x151f0e0*=0x3a4, lpOverlapped=0x0) returned 1 [0080.346] SetFileTime (hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0080.346] NtClose (Handle=0xdc) returned 0x0 [0080.346] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.msi.readme_txt", dwFileAttributes=0x2020) returned 1 [0080.355] CryptDestroyKey (hKey=0x2e48d8) returned 1 [0080.356] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xdc [0080.356] SetFileTime (hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0080.356] CryptGenKey (in: hProv=0x2889e8, Algid=0x6801, dwFlags=0x800001, phKey=0x151f0d4 | out: phKey=0x151f0d4*=0x2e48d8) returned 1 [0080.356] CryptExportKey (in: hKey=0x2e48d8, hExpKey=0x289ec0, dwBlobType=0x1, dwFlags=0x0, pbData=0xb35138, pdwDataLen=0x151f0d8 | out: pbData=0xb35138*, pdwDataLen=0x151f0d8*=0x8c) returned 1 [0080.356] ReadFile (in: hFile=0xdc, lpBuffer=0xba14b0, nNumberOfBytesToRead=0x251f, lpNumberOfBytesRead=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0xba14b0*, lpNumberOfBytesRead=0x151f0e0*=0x251f, lpOverlapped=0x0) returned 1 [0080.358] CryptEncrypt (in: hKey=0x2e48d8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xb918d0*, pdwDataLen=0x151f0d0*=0x251f, dwBufLen=0x2527 | out: pbData=0xb918d0*, pdwDataLen=0x151f0d0*=0x251f) returned 1 [0080.360] SetFileTime (hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0080.360] NtClose (Handle=0xdc) returned 0x0 [0080.360] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.xml"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml.locked" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.xml.locked")) returned 1 [0080.360] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml.locked", dwFileAttributes=0x2020) returned 1 [0080.361] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml.readme_txt", dwFileAttributes=0x80) returned 0 [0080.361] GetLastError () returned 0x2 [0080.361] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.xml.readme_txt"), fInfoLevelId=0x0, lpFileInformation=0x151f070 | out: lpFileInformation=0x151f070*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x868e92, ftLastWriteTime.dwLowDateTime=0x80, ftLastWriteTime.dwHighDateTime=0x151f1d4, nFileSizeHigh=0x0, nFileSizeLow=0x151f1a4)) returned 0 [0080.361] GetLastError () returned 0x2 [0080.361] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-0054-0409-1000-0000000ff1ce}-c\\visiomui.xml.readme_txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xdc [0080.361] SetFileTime (hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0080.361] WriteFile (in: hFile=0xdc, lpBuffer=0xae7b50*, nNumberOfBytesToWrite=0x3a4, lpNumberOfBytesWritten=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0xae7b50*, lpNumberOfBytesWritten=0x151f0e0*=0x3a4, lpOverlapped=0x0) returned 1 [0080.362] SetFileTime (hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0080.362] NtClose (Handle=0xdc) returned 0x0 [0080.362] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\VisioMUI.xml.readme_txt", dwFileAttributes=0x2020) returned 1 [0080.363] CryptDestroyKey (hKey=0x2e48d8) returned 1 [0080.363] FindFirstFileExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0054-0409-1000-0000000FF1CE}-C\\*", fInfoLevelId=0x1, lpFindFileData=0x151f204, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x151f204) returned 0x2e48d8 [0080.363] FindClose (in: hFindFile=0x2e4858 | out: hFindFile=0x2e4858) returned 1 [0080.363] FindNextFileW (in: hFindFile=0x2e48d8, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0080.364] FindNextFileW (in: hFindFile=0x2e48d8, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0080.364] FindNextFileW (in: hFindFile=0x2e48d8, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0080.364] FindNextFileW (in: hFindFile=0x2e48d8, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0080.364] FindNextFileW (in: hFindFile=0x2e48d8, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0080.364] FindNextFileW (in: hFindFile=0x2e48d8, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0080.364] FindNextFileW (in: hFindFile=0x2e48d8, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0080.364] FindNextFileW (in: hFindFile=0x2e48d8, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0080.364] FindNextFileW (in: hFindFile=0x2e48d8, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0080.364] FindNextFileW (in: hFindFile=0x2e48d8, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 0 [0080.364] GetLastError () returned 0x12 [0080.364] FindNextFileW (in: hFindFile=0x290710, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0080.365] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2200000, hTemplateFile=0x0) returned 0xdc [0080.365] SetFileTime (hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x151f43c, lpLastWriteTime=0x151f43c) returned 0 [0080.365] DeviceIoControl (in: hDevice=0xdc, dwIoControlCode=0x900a8, lpInBuffer=0x0, nInBufferSize=0x0, lpOutBuffer=0xae9a40, nOutBufferSize=0x4000, lpBytesReturned=0x151f494, lpOverlapped=0x0 | out: lpOutBuffer=0xae9a40, lpBytesReturned=0x151f494, lpOverlapped=0x0) returned 0 [0080.365] FindFirstFileExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\*", fInfoLevelId=0x1, lpFindFileData=0x151f204, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x151f204) returned 0x2e48d8 [0080.414] FindNextFileW (in: hFindFile=0x2e48d8, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0080.414] FindNextFileW (in: hFindFile=0x2e48d8, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0080.414] FindNextFileW (in: hFindFile=0x2e48d8, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0080.414] FindNextFileW (in: hFindFile=0x2e48d8, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0080.414] FindNextFileW (in: hFindFile=0x2e48d8, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0080.414] FindNextFileW (in: hFindFile=0x2e48d8, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 0 [0080.414] GetLastError () returned 0x12 [0080.414] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0080.414] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0080.414] CryptGenKey (in: hProv=0x2889e8, Algid=0x6801, dwFlags=0x800001, phKey=0x151f0d4 | out: phKey=0x151f0d4*=0x2e4858) returned 1 [0080.414] CryptExportKey (in: hKey=0x2e4858, hExpKey=0x289ec0, dwBlobType=0x1, dwFlags=0x0, pbData=0xb35138, pdwDataLen=0x151f0d8 | out: pbData=0xb35138*, pdwDataLen=0x151f0d8*=0x8c) returned 1 [0080.415] ReadFile (in: hFile=0x180, lpBuffer=0x18e0020, nNumberOfBytesToRead=0x263400, lpNumberOfBytesRead=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0x18e0020*, lpNumberOfBytesRead=0x151f0e0*=0x263400, lpOverlapped=0x0) returned 1 [0080.594] CryptEncrypt (in: hKey=0x2e4858, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1dc0020*, pdwDataLen=0x151f0d0*=0x263400, dwBufLen=0x263408 | out: pbData=0x1dc0020*, pdwDataLen=0x151f0d0*=0x263400) returned 1 [0080.647] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0080.647] NtClose (Handle=0x180) returned 0x0 [0080.648] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi.locked" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.msi.locked")) returned 1 [0080.648] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi.locked", dwFileAttributes=0x2020) returned 1 [0080.648] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi.readme_txt", dwFileAttributes=0x80) returned 0 [0080.648] GetLastError () returned 0x2 [0080.648] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.msi.readme_txt"), fInfoLevelId=0x0, lpFileInformation=0x151f070 | out: lpFileInformation=0x151f070*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x868e92, ftLastWriteTime.dwLowDateTime=0x80, ftLastWriteTime.dwHighDateTime=0x151f1d4, nFileSizeHigh=0x0, nFileSizeLow=0x151f1a4)) returned 0 [0080.648] GetLastError () returned 0x2 [0080.648] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.msi.readme_txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0080.649] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0080.649] WriteFile (in: hFile=0x180, lpBuffer=0xae7b50*, nNumberOfBytesToWrite=0x3a4, lpNumberOfBytesWritten=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0xae7b50*, lpNumberOfBytesWritten=0x151f0e0*=0x3a4, lpOverlapped=0x0) returned 1 [0080.649] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0080.650] NtClose (Handle=0x180) returned 0x0 [0080.650] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.msi.readme_txt", dwFileAttributes=0x2020) returned 1 [0080.660] CryptDestroyKey (hKey=0x2e4858) returned 1 [0080.660] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0080.660] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0080.660] CryptGenKey (in: hProv=0x2889e8, Algid=0x6801, dwFlags=0x800001, phKey=0x151f0d4 | out: phKey=0x151f0d4*=0x2e4858) returned 1 [0080.660] CryptExportKey (in: hKey=0x2e4858, hExpKey=0x289ec0, dwBlobType=0x1, dwFlags=0x0, pbData=0xb35138, pdwDataLen=0x151f0d8 | out: pbData=0xb35138*, pdwDataLen=0x151f0d8*=0x8c) returned 1 [0080.660] ReadFile (in: hFile=0x180, lpBuffer=0xb3e220, nNumberOfBytesToRead=0x646, lpNumberOfBytesRead=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0xb3e220*, lpNumberOfBytesRead=0x151f0e0*=0x646, lpOverlapped=0x0) returned 1 [0080.685] CryptEncrypt (in: hKey=0x2e4858, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xb2b9e0*, pdwDataLen=0x151f0d0*=0x646, dwBufLen=0x64e | out: pbData=0xb2b9e0*, pdwDataLen=0x151f0d0*=0x646) returned 1 [0080.715] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0080.715] NtClose (Handle=0x180) returned 0x0 [0080.715] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.xml"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml.locked" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.xml.locked")) returned 1 [0080.716] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml.locked", dwFileAttributes=0x2020) returned 1 [0080.716] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml.readme_txt", dwFileAttributes=0x80) returned 0 [0080.716] GetLastError () returned 0x2 [0080.716] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.xml.readme_txt"), fInfoLevelId=0x0, lpFileInformation=0x151f070 | out: lpFileInformation=0x151f070*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x868e92, ftLastWriteTime.dwLowDateTime=0x80, ftLastWriteTime.dwHighDateTime=0x151f1d4, nFileSizeHigh=0x0, nFileSizeLow=0x151f1a4)) returned 0 [0080.716] GetLastError () returned 0x2 [0080.716] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onenotemui.xml.readme_txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0080.716] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0080.716] WriteFile (in: hFile=0x180, lpBuffer=0xae7b50*, nNumberOfBytesToWrite=0x3a4, lpNumberOfBytesWritten=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0xae7b50*, lpNumberOfBytesWritten=0x151f0e0*=0x3a4, lpOverlapped=0x0) returned 1 [0080.717] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0080.717] NtClose (Handle=0x180) returned 0x0 [0080.717] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OneNoteMUI.xml.readme_txt", dwFileAttributes=0x2020) returned 1 [0080.718] CryptDestroyKey (hKey=0x2e4858) returned 1 [0080.718] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onotelr.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0080.718] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0080.718] CryptGenKey (in: hProv=0x2889e8, Algid=0x6801, dwFlags=0x800001, phKey=0x151f0d4 | out: phKey=0x151f0d4*=0x2e4858) returned 1 [0080.719] CryptExportKey (in: hKey=0x2e4858, hExpKey=0x289ec0, dwBlobType=0x1, dwFlags=0x0, pbData=0xb35138, pdwDataLen=0x151f0d8 | out: pbData=0xb35138*, pdwDataLen=0x151f0d8*=0x8c) returned 1 [0080.719] ReadFile (in: hFile=0x180, lpBuffer=0x18e0020, nNumberOfBytesToRead=0xa00000, lpNumberOfBytesRead=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0x18e0020*, lpNumberOfBytesRead=0x151f0e0*=0xa00000, lpOverlapped=0x0) returned 1 [0081.339] CryptEncrypt (in: hKey=0x2e4858, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d00020*, pdwDataLen=0x151f0d0*=0xa00000, dwBufLen=0xa00008 | out: pbData=0x2d00020*, pdwDataLen=0x151f0d0*=0xa00000) returned 1 [0081.503] ReadFile (in: hFile=0x180, lpBuffer=0x22f0020, nNumberOfBytesToRead=0x6a5df8, lpNumberOfBytesRead=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0x22f0020*, lpNumberOfBytesRead=0x151f0e0*=0x6a5df8, lpOverlapped=0x0) returned 1 [0081.666] CryptEncrypt (in: hKey=0x2e4858, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x22f0020*, pdwDataLen=0x151f0d0*=0x6a5df8, dwBufLen=0x6a5e00 | out: pbData=0x22f0020*, pdwDataLen=0x151f0d0*=0x6a5df8) returned 1 [0081.928] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0081.928] NtClose (Handle=0x180) returned 0x0 [0081.928] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onotelr.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab.locked" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onotelr.cab.locked")) returned 1 [0081.929] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab.locked", dwFileAttributes=0x2020) returned 1 [0081.929] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab.readme_txt", dwFileAttributes=0x80) returned 0 [0081.929] GetLastError () returned 0x2 [0081.929] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onotelr.cab.readme_txt"), fInfoLevelId=0x0, lpFileInformation=0x151f070 | out: lpFileInformation=0x151f070*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x868e92, ftLastWriteTime.dwLowDateTime=0x80, ftLastWriteTime.dwHighDateTime=0x151f1d4, nFileSizeHigh=0x0, nFileSizeLow=0x151f1a4)) returned 0 [0081.929] GetLastError () returned 0x2 [0081.929] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\onotelr.cab.readme_txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0081.929] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0081.929] WriteFile (in: hFile=0x180, lpBuffer=0xae7b50*, nNumberOfBytesToWrite=0x3a4, lpNumberOfBytesWritten=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0xae7b50*, lpNumberOfBytesWritten=0x151f0e0*=0x3a4, lpOverlapped=0x0) returned 1 [0081.930] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0081.930] NtClose (Handle=0x180) returned 0x0 [0081.931] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\OnoteLR.cab.readme_txt", dwFileAttributes=0x2020) returned 1 [0081.964] CryptDestroyKey (hKey=0x2e4858) returned 1 [0081.965] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0081.965] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0081.965] CryptGenKey (in: hProv=0x2889e8, Algid=0x6801, dwFlags=0x800001, phKey=0x151f0d4 | out: phKey=0x151f0d4*=0x2e4858) returned 1 [0081.965] CryptExportKey (in: hKey=0x2e4858, hExpKey=0x289ec0, dwBlobType=0x1, dwFlags=0x0, pbData=0xb35138, pdwDataLen=0x151f0d8 | out: pbData=0xb35138*, pdwDataLen=0x151f0d8*=0x8c) returned 1 [0081.965] ReadFile (in: hFile=0x180, lpBuffer=0xb86c38, nNumberOfBytesToRead=0x7c4, lpNumberOfBytesRead=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0xb86c38*, lpNumberOfBytesRead=0x151f0e0*=0x7c4, lpOverlapped=0x0) returned 1 [0082.001] CryptEncrypt (in: hKey=0x2e4858, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xb58738*, pdwDataLen=0x151f0d0*=0x7c4, dwBufLen=0x7cc | out: pbData=0xb58738*, pdwDataLen=0x151f0d0*=0x7c4) returned 1 [0082.095] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0082.095] NtClose (Handle=0x180) returned 0x0 [0082.095] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml.locked" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\setup.xml.locked")) returned 1 [0082.095] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml.locked", dwFileAttributes=0x2020) returned 1 [0082.095] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml.readme_txt", dwFileAttributes=0x80) returned 0 [0082.095] GetLastError () returned 0x2 [0082.095] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\setup.xml.readme_txt"), fInfoLevelId=0x0, lpFileInformation=0x151f070 | out: lpFileInformation=0x151f070*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x868e92, ftLastWriteTime.dwLowDateTime=0x80, ftLastWriteTime.dwHighDateTime=0x151f1d4, nFileSizeHigh=0x0, nFileSizeLow=0x151f1a4)) returned 0 [0082.096] GetLastError () returned 0x2 [0082.096] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-00a1-0409-1000-0000000ff1ce}-c\\setup.xml.readme_txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0082.096] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0082.096] WriteFile (in: hFile=0x180, lpBuffer=0xae7b50*, nNumberOfBytesToWrite=0x3a4, lpNumberOfBytesWritten=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0xae7b50*, lpNumberOfBytesWritten=0x151f0e0*=0x3a4, lpOverlapped=0x0) returned 1 [0082.096] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0082.097] NtClose (Handle=0x180) returned 0x0 [0082.097] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\Setup.xml.readme_txt", dwFileAttributes=0x2020) returned 1 [0082.097] CryptDestroyKey (hKey=0x2e4858) returned 1 [0082.097] FindFirstFileExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00A1-0409-1000-0000000FF1CE}-C\\*", fInfoLevelId=0x1, lpFindFileData=0x151f204, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x151f204) returned 0x2e4858 [0082.097] FindClose (in: hFindFile=0x2e48d8 | out: hFindFile=0x2e48d8) returned 1 [0082.098] FindNextFileW (in: hFindFile=0x2e4858, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0082.098] FindNextFileW (in: hFindFile=0x2e4858, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0082.098] FindNextFileW (in: hFindFile=0x2e4858, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0082.098] FindNextFileW (in: hFindFile=0x2e4858, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0082.098] FindNextFileW (in: hFindFile=0x2e4858, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0082.098] FindNextFileW (in: hFindFile=0x2e4858, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0082.098] FindNextFileW (in: hFindFile=0x2e4858, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0082.098] FindNextFileW (in: hFindFile=0x2e4858, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0082.098] FindNextFileW (in: hFindFile=0x2e4858, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0082.099] FindNextFileW (in: hFindFile=0x2e4858, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 0 [0082.099] GetLastError () returned 0x12 [0082.099] FindNextFileW (in: hFindFile=0x290710, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0082.117] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2200000, hTemplateFile=0x0) returned 0x180 [0082.117] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x151f43c, lpLastWriteTime=0x151f43c) returned 0 [0082.117] DeviceIoControl (in: hDevice=0x180, dwIoControlCode=0x900a8, lpInBuffer=0x0, nInBufferSize=0x0, lpOutBuffer=0xae9a40, nOutBufferSize=0x4000, lpBytesReturned=0x151f494, lpOverlapped=0x0 | out: lpOutBuffer=0xae9a40, lpBytesReturned=0x151f494, lpOverlapped=0x0) returned 0 [0082.117] FindFirstFileExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\*", fInfoLevelId=0x1, lpFindFileData=0x151f204, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x151f204) returned 0x2e4858 [0082.153] FindNextFileW (in: hFindFile=0x2e4858, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0082.153] FindNextFileW (in: hFindFile=0x2e4858, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0082.153] FindNextFileW (in: hFindFile=0x2e4858, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0082.153] FindNextFileW (in: hFindFile=0x2e4858, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0082.153] FindNextFileW (in: hFindFile=0x2e4858, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0082.154] FindNextFileW (in: hFindFile=0x2e4858, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 0 [0082.154] GetLastError () returned 0x12 [0082.318] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xdc [0082.319] SetFileTime (hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0082.319] CryptGenKey (in: hProv=0x2889e8, Algid=0x6801, dwFlags=0x800001, phKey=0x151f0d4 | out: phKey=0x151f0d4*=0x2e48d8) returned 1 [0082.319] CryptExportKey (in: hKey=0x2e48d8, hExpKey=0x289ec0, dwBlobType=0x1, dwFlags=0x0, pbData=0xb35138, pdwDataLen=0x151f0d8 | out: pbData=0xb35138*, pdwDataLen=0x151f0d8*=0x8c) returned 1 [0082.319] ReadFile (in: hFile=0xdc, lpBuffer=0x18e0020, nNumberOfBytesToRead=0x265400, lpNumberOfBytesRead=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0x18e0020*, lpNumberOfBytesRead=0x151f0e0*=0x265400, lpOverlapped=0x0) returned 1 [0082.456] CryptEncrypt (in: hKey=0x2e48d8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1dc0020*, pdwDataLen=0x151f0d0*=0x265400, dwBufLen=0x265408 | out: pbData=0x1dc0020*, pdwDataLen=0x151f0d0*=0x265400) returned 1 [0082.509] SetFileTime (hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0082.509] NtClose (Handle=0xdc) returned 0x0 [0082.510] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi.locked" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.msi.locked")) returned 1 [0082.510] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi.locked", dwFileAttributes=0x2020) returned 1 [0082.510] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi.readme_txt", dwFileAttributes=0x80) returned 0 [0082.510] GetLastError () returned 0x2 [0082.510] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.msi.readme_txt"), fInfoLevelId=0x0, lpFileInformation=0x151f070 | out: lpFileInformation=0x151f070*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x868e92, ftLastWriteTime.dwLowDateTime=0x80, ftLastWriteTime.dwHighDateTime=0x151f1d4, nFileSizeHigh=0x0, nFileSizeLow=0x151f1a4)) returned 0 [0082.510] GetLastError () returned 0x2 [0082.510] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.msi.readme_txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xdc [0082.510] SetFileTime (hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0082.511] WriteFile (in: hFile=0xdc, lpBuffer=0xae7b50*, nNumberOfBytesToWrite=0x3a4, lpNumberOfBytesWritten=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0xae7b50*, lpNumberOfBytesWritten=0x151f0e0*=0x3a4, lpOverlapped=0x0) returned 1 [0082.511] SetFileTime (hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0082.511] NtClose (Handle=0xdc) returned 0x0 [0082.512] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.msi.readme_txt", dwFileAttributes=0x2020) returned 1 [0082.520] CryptDestroyKey (hKey=0x2e48d8) returned 1 [0082.521] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xdc [0082.521] SetFileTime (hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0082.521] CryptGenKey (in: hProv=0x2889e8, Algid=0x6801, dwFlags=0x800001, phKey=0x151f0d4 | out: phKey=0x151f0d4*=0x2e48d8) returned 1 [0082.521] CryptExportKey (in: hKey=0x2e48d8, hExpKey=0x289ec0, dwBlobType=0x1, dwFlags=0x0, pbData=0xb35138, pdwDataLen=0x151f0d8 | out: pbData=0xb35138*, pdwDataLen=0x151f0d8*=0x8c) returned 1 [0082.521] ReadFile (in: hFile=0xdc, lpBuffer=0xb3e220, nNumberOfBytesToRead=0x5ac, lpNumberOfBytesRead=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0xb3e220*, lpNumberOfBytesRead=0x151f0e0*=0x5ac, lpOverlapped=0x0) returned 1 [0082.522] CryptEncrypt (in: hKey=0x2e48d8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xb2b9e0*, pdwDataLen=0x151f0d0*=0x5ac, dwBufLen=0x5b4 | out: pbData=0xb2b9e0*, pdwDataLen=0x151f0d0*=0x5ac) returned 1 [0082.525] SetFileTime (hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0082.525] NtClose (Handle=0xdc) returned 0x0 [0082.525] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.xml"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml.locked" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.xml.locked")) returned 1 [0082.526] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml.locked", dwFileAttributes=0x2020) returned 1 [0082.526] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml.readme_txt", dwFileAttributes=0x80) returned 0 [0082.526] GetLastError () returned 0x2 [0082.526] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.xml.readme_txt"), fInfoLevelId=0x0, lpFileInformation=0x151f070 | out: lpFileInformation=0x151f070*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x868e92, ftLastWriteTime.dwLowDateTime=0x80, ftLastWriteTime.dwHighDateTime=0x151f1d4, nFileSizeHigh=0x0, nFileSizeLow=0x151f1a4)) returned 0 [0082.526] GetLastError () returned 0x2 [0082.526] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projectmui.xml.readme_txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xdc [0082.526] SetFileTime (hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0082.526] WriteFile (in: hFile=0xdc, lpBuffer=0xae7b50*, nNumberOfBytesToWrite=0x3a4, lpNumberOfBytesWritten=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0xae7b50*, lpNumberOfBytesWritten=0x151f0e0*=0x3a4, lpOverlapped=0x0) returned 1 [0082.527] SetFileTime (hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0082.527] NtClose (Handle=0xdc) returned 0x0 [0082.528] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjectMUI.xml.readme_txt", dwFileAttributes=0x2020) returned 1 [0082.528] CryptDestroyKey (hKey=0x2e48d8) returned 1 [0082.529] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projlr.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xdc [0082.529] SetFileTime (hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0082.529] CryptGenKey (in: hProv=0x2889e8, Algid=0x6801, dwFlags=0x800001, phKey=0x151f0d4 | out: phKey=0x151f0d4*=0x2e48d8) returned 1 [0082.529] CryptExportKey (in: hKey=0x2e48d8, hExpKey=0x289ec0, dwBlobType=0x1, dwFlags=0x0, pbData=0xb35138, pdwDataLen=0x151f0d8 | out: pbData=0xb35138*, pdwDataLen=0x151f0d8*=0x8c) returned 1 [0082.529] ReadFile (in: hFile=0xdc, lpBuffer=0x18e0020, nNumberOfBytesToRead=0x7e1dcd, lpNumberOfBytesRead=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0x18e0020*, lpNumberOfBytesRead=0x151f0e0*=0x7e1dcd, lpOverlapped=0x0) returned 1 [0082.891] CryptEncrypt (in: hKey=0x2e48d8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x20d0020*, pdwDataLen=0x151f0d0*=0x7e1dcd, dwBufLen=0x7e1dd5 | out: pbData=0x20d0020*, pdwDataLen=0x151f0d0*=0x7e1dcd) returned 1 [0083.026] SetFileTime (hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0083.026] NtClose (Handle=0xdc) returned 0x0 [0083.026] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projlr.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab.locked" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projlr.cab.locked")) returned 1 [0083.026] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab.locked", dwFileAttributes=0x2020) returned 1 [0083.027] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab.readme_txt", dwFileAttributes=0x80) returned 0 [0083.027] GetLastError () returned 0x2 [0083.027] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projlr.cab.readme_txt"), fInfoLevelId=0x0, lpFileInformation=0x151f070 | out: lpFileInformation=0x151f070*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x868e92, ftLastWriteTime.dwLowDateTime=0x80, ftLastWriteTime.dwHighDateTime=0x151f1d4, nFileSizeHigh=0x0, nFileSizeLow=0x151f1a4)) returned 0 [0083.027] GetLastError () returned 0x2 [0083.027] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\projlr.cab.readme_txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xdc [0083.027] SetFileTime (hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0083.027] WriteFile (in: hFile=0xdc, lpBuffer=0xae7b50*, nNumberOfBytesToWrite=0x3a4, lpNumberOfBytesWritten=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0xae7b50*, lpNumberOfBytesWritten=0x151f0e0*=0x3a4, lpOverlapped=0x0) returned 1 [0083.028] SetFileTime (hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0083.028] NtClose (Handle=0xdc) returned 0x0 [0083.028] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\ProjLR.cab.readme_txt", dwFileAttributes=0x2020) returned 1 [0083.055] CryptDestroyKey (hKey=0x2e48d8) returned 1 [0083.056] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xdc [0083.056] SetFileTime (hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0083.056] CryptGenKey (in: hProv=0x2889e8, Algid=0x6801, dwFlags=0x800001, phKey=0x151f0d4 | out: phKey=0x151f0d4*=0x2e48d8) returned 1 [0083.056] CryptExportKey (in: hKey=0x2e48d8, hExpKey=0x289ec0, dwBlobType=0x1, dwFlags=0x0, pbData=0xb35138, pdwDataLen=0x151f0d8 | out: pbData=0xb35138*, pdwDataLen=0x151f0d8*=0x8c) returned 1 [0083.056] ReadFile (in: hFile=0xdc, lpBuffer=0xb2b9e0, nNumberOfBytesToRead=0x750, lpNumberOfBytesRead=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0xb2b9e0*, lpNumberOfBytesRead=0x151f0e0*=0x750, lpOverlapped=0x0) returned 1 [0083.057] CryptEncrypt (in: hKey=0x2e48d8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xb427d8*, pdwDataLen=0x151f0d0*=0x750, dwBufLen=0x758 | out: pbData=0xb427d8*, pdwDataLen=0x151f0d0*=0x750) returned 1 [0083.060] SetFileTime (hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0083.060] NtClose (Handle=0xdc) returned 0x0 [0083.060] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml.locked" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\setup.xml.locked")) returned 1 [0083.060] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml.locked", dwFileAttributes=0x2020) returned 1 [0083.060] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml.readme_txt", dwFileAttributes=0x80) returned 0 [0083.060] GetLastError () returned 0x2 [0083.060] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\setup.xml.readme_txt"), fInfoLevelId=0x0, lpFileInformation=0x151f070 | out: lpFileInformation=0x151f070*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x868e92, ftLastWriteTime.dwLowDateTime=0x80, ftLastWriteTime.dwHighDateTime=0x151f1d4, nFileSizeHigh=0x0, nFileSizeLow=0x151f1a4)) returned 0 [0083.060] GetLastError () returned 0x2 [0083.060] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-00b4-0409-1000-0000000ff1ce}-c\\setup.xml.readme_txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xdc [0083.061] SetFileTime (hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0083.061] WriteFile (in: hFile=0xdc, lpBuffer=0xae7b50*, nNumberOfBytesToWrite=0x3a4, lpNumberOfBytesWritten=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0xae7b50*, lpNumberOfBytesWritten=0x151f0e0*=0x3a4, lpOverlapped=0x0) returned 1 [0083.061] SetFileTime (hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0083.061] NtClose (Handle=0xdc) returned 0x0 [0083.062] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\Setup.xml.readme_txt", dwFileAttributes=0x2020) returned 1 [0083.062] CryptDestroyKey (hKey=0x2e48d8) returned 1 [0083.062] FindFirstFileExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00B4-0409-1000-0000000FF1CE}-C\\*", fInfoLevelId=0x1, lpFindFileData=0x151f204, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x151f204) returned 0x2e48d8 [0083.062] FindClose (in: hFindFile=0x2e4858 | out: hFindFile=0x2e4858) returned 1 [0083.063] FindNextFileW (in: hFindFile=0x2e48d8, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0083.063] FindNextFileW (in: hFindFile=0x2e48d8, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0083.063] FindNextFileW (in: hFindFile=0x2e48d8, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0083.063] FindNextFileW (in: hFindFile=0x2e48d8, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0083.064] FindNextFileW (in: hFindFile=0x2e48d8, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0083.064] FindNextFileW (in: hFindFile=0x2e48d8, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0083.064] FindNextFileW (in: hFindFile=0x2e48d8, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0083.064] FindNextFileW (in: hFindFile=0x2e48d8, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0083.064] FindNextFileW (in: hFindFile=0x2e48d8, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0083.064] FindNextFileW (in: hFindFile=0x2e48d8, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 0 [0083.064] GetLastError () returned 0x12 [0083.064] FindNextFileW (in: hFindFile=0x290710, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0083.064] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2200000, hTemplateFile=0x0) returned 0xdc [0083.064] SetFileTime (hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x151f43c, lpLastWriteTime=0x151f43c) returned 0 [0083.064] DeviceIoControl (in: hDevice=0xdc, dwIoControlCode=0x900a8, lpInBuffer=0x0, nInBufferSize=0x0, lpOutBuffer=0xae9a40, nOutBufferSize=0x4000, lpBytesReturned=0x151f494, lpOverlapped=0x0 | out: lpOutBuffer=0xae9a40, lpBytesReturned=0x151f494, lpOverlapped=0x0) returned 0 [0083.064] FindFirstFileExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\*", fInfoLevelId=0x1, lpFindFileData=0x151f204, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x151f204) returned 0x2e48d8 [0083.096] FindNextFileW (in: hFindFile=0x2e48d8, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0083.097] FindNextFileW (in: hFindFile=0x2e48d8, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0083.097] FindNextFileW (in: hFindFile=0x2e48d8, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0083.097] FindNextFileW (in: hFindFile=0x2e48d8, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0083.097] FindNextFileW (in: hFindFile=0x2e48d8, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0083.097] FindNextFileW (in: hFindFile=0x2e48d8, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 0 [0083.097] GetLastError () returned 0x12 [0083.098] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovelr.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0083.098] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0083.098] CryptGenKey (in: hProv=0x2889e8, Algid=0x6801, dwFlags=0x800001, phKey=0x151f0d4 | out: phKey=0x151f0d4*=0x2e4858) returned 1 [0083.098] CryptExportKey (in: hKey=0x2e4858, hExpKey=0x289ec0, dwBlobType=0x1, dwFlags=0x0, pbData=0xb35138, pdwDataLen=0x151f0d8 | out: pbData=0xb35138*, pdwDataLen=0x151f0d8*=0x8c) returned 1 [0083.098] ReadFile (in: hFile=0x180, lpBuffer=0x18e0020, nNumberOfBytesToRead=0x3e7e1f, lpNumberOfBytesRead=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0x18e0020*, lpNumberOfBytesRead=0x151f0e0*=0x3e7e1f, lpOverlapped=0x0) returned 1 [0083.280] CryptEncrypt (in: hKey=0x2e4858, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1cd0020*, pdwDataLen=0x151f0d0*=0x3e7e1f, dwBufLen=0x3e7e27 | out: pbData=0x1cd0020*, pdwDataLen=0x151f0d0*=0x3e7e1f) returned 1 [0083.344] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0083.344] NtClose (Handle=0x180) returned 0x0 [0083.345] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovelr.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab.locked" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovelr.cab.locked")) returned 1 [0083.345] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab.locked", dwFileAttributes=0x2020) returned 1 [0083.345] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab.readme_txt", dwFileAttributes=0x80) returned 0 [0083.345] GetLastError () returned 0x2 [0083.345] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovelr.cab.readme_txt"), fInfoLevelId=0x0, lpFileInformation=0x151f070 | out: lpFileInformation=0x151f070*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x868e92, ftLastWriteTime.dwLowDateTime=0x80, ftLastWriteTime.dwHighDateTime=0x151f1d4, nFileSizeHigh=0x0, nFileSizeLow=0x151f1a4)) returned 0 [0083.345] GetLastError () returned 0x2 [0083.345] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovelr.cab.readme_txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0083.346] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0083.346] WriteFile (in: hFile=0x180, lpBuffer=0xae7b50*, nNumberOfBytesToWrite=0x3a4, lpNumberOfBytesWritten=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0xae7b50*, lpNumberOfBytesWritten=0x151f0e0*=0x3a4, lpOverlapped=0x0) returned 1 [0083.346] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0083.346] NtClose (Handle=0x180) returned 0x0 [0083.347] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveLR.cab.readme_txt", dwFileAttributes=0x2020) returned 1 [0083.361] CryptDestroyKey (hKey=0x2e4858) returned 1 [0083.361] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0083.361] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0083.361] CryptGenKey (in: hProv=0x2889e8, Algid=0x6801, dwFlags=0x800001, phKey=0x151f0d4 | out: phKey=0x151f0d4*=0x2e4858) returned 1 [0083.361] CryptExportKey (in: hKey=0x2e4858, hExpKey=0x289ec0, dwBlobType=0x1, dwFlags=0x0, pbData=0xb35138, pdwDataLen=0x151f0d8 | out: pbData=0xb35138*, pdwDataLen=0x151f0d8*=0x8c) returned 1 [0083.361] ReadFile (in: hFile=0x180, lpBuffer=0x18e0020, nNumberOfBytesToRead=0x264400, lpNumberOfBytesRead=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0x18e0020*, lpNumberOfBytesRead=0x151f0e0*=0x264400, lpOverlapped=0x0) returned 1 [0083.485] CryptEncrypt (in: hKey=0x2e4858, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1dc0020*, pdwDataLen=0x151f0d0*=0x264400, dwBufLen=0x264408 | out: pbData=0x1dc0020*, pdwDataLen=0x151f0d0*=0x264400) returned 1 [0083.536] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0083.536] NtClose (Handle=0x180) returned 0x0 [0083.536] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi.locked" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.msi.locked")) returned 1 [0083.537] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi.locked", dwFileAttributes=0x2020) returned 1 [0083.537] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi.readme_txt", dwFileAttributes=0x80) returned 0 [0083.537] GetLastError () returned 0x2 [0083.537] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.msi.readme_txt"), fInfoLevelId=0x0, lpFileInformation=0x151f070 | out: lpFileInformation=0x151f070*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x868e92, ftLastWriteTime.dwLowDateTime=0x80, ftLastWriteTime.dwHighDateTime=0x151f1d4, nFileSizeHigh=0x0, nFileSizeLow=0x151f1a4)) returned 0 [0083.537] GetLastError () returned 0x2 [0083.537] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.msi.readme_txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0083.538] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0083.538] WriteFile (in: hFile=0x180, lpBuffer=0xae7b50*, nNumberOfBytesToWrite=0x3a4, lpNumberOfBytesWritten=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0xae7b50*, lpNumberOfBytesWritten=0x151f0e0*=0x3a4, lpOverlapped=0x0) returned 1 [0083.538] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0083.538] NtClose (Handle=0x180) returned 0x0 [0083.539] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.msi.readme_txt", dwFileAttributes=0x2020) returned 1 [0083.547] CryptDestroyKey (hKey=0x2e4858) returned 1 [0083.548] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0083.548] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0083.548] CryptGenKey (in: hProv=0x2889e8, Algid=0x6801, dwFlags=0x800001, phKey=0x151f0d4 | out: phKey=0x151f0d4*=0x2e4858) returned 1 [0083.548] CryptExportKey (in: hKey=0x2e4858, hExpKey=0x289ec0, dwBlobType=0x1, dwFlags=0x0, pbData=0xb35138, pdwDataLen=0x151f0d8 | out: pbData=0xb35138*, pdwDataLen=0x151f0d8*=0x8c) returned 1 [0083.548] ReadFile (in: hFile=0x180, lpBuffer=0xb49948, nNumberOfBytesToRead=0x391, lpNumberOfBytesRead=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0xb49948*, lpNumberOfBytesRead=0x151f0e0*=0x391, lpOverlapped=0x0) returned 1 [0083.562] CryptEncrypt (in: hKey=0x2e4858, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xb739e0*, pdwDataLen=0x151f0d0*=0x391, dwBufLen=0x399 | out: pbData=0xb739e0*, pdwDataLen=0x151f0d0*=0x391) returned 1 [0083.566] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0083.566] NtClose (Handle=0x180) returned 0x0 [0083.566] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.xml"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml.locked" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.xml.locked")) returned 1 [0083.566] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml.locked", dwFileAttributes=0x2020) returned 1 [0083.566] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml.readme_txt", dwFileAttributes=0x80) returned 0 [0083.566] GetLastError () returned 0x2 [0083.566] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.xml.readme_txt"), fInfoLevelId=0x0, lpFileInformation=0x151f070 | out: lpFileInformation=0x151f070*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x868e92, ftLastWriteTime.dwLowDateTime=0x80, ftLastWriteTime.dwHighDateTime=0x151f1d4, nFileSizeHigh=0x0, nFileSizeLow=0x151f1a4)) returned 0 [0083.567] GetLastError () returned 0x2 [0083.567] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\groovemui.xml.readme_txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0083.567] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0083.567] WriteFile (in: hFile=0x180, lpBuffer=0xae7b50*, nNumberOfBytesToWrite=0x3a4, lpNumberOfBytesWritten=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0xae7b50*, lpNumberOfBytesWritten=0x151f0e0*=0x3a4, lpOverlapped=0x0) returned 1 [0083.568] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0083.568] NtClose (Handle=0x180) returned 0x0 [0083.568] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\GrooveMUI.xml.readme_txt", dwFileAttributes=0x2020) returned 1 [0083.568] CryptDestroyKey (hKey=0x2e4858) returned 1 [0083.569] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0083.569] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0083.569] CryptGenKey (in: hProv=0x2889e8, Algid=0x6801, dwFlags=0x800001, phKey=0x151f0d4 | out: phKey=0x151f0d4*=0x2e4858) returned 1 [0083.569] CryptExportKey (in: hKey=0x2e4858, hExpKey=0x289ec0, dwBlobType=0x1, dwFlags=0x0, pbData=0xb35138, pdwDataLen=0x151f0d8 | out: pbData=0xb35138*, pdwDataLen=0x151f0d8*=0x8c) returned 1 [0083.569] ReadFile (in: hFile=0x180, lpBuffer=0xb3e220, nNumberOfBytesToRead=0x5ac, lpNumberOfBytesRead=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0xb3e220*, lpNumberOfBytesRead=0x151f0e0*=0x5ac, lpOverlapped=0x0) returned 1 [0083.575] CryptEncrypt (in: hKey=0x2e4858, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xb2b9e0*, pdwDataLen=0x151f0d0*=0x5ac, dwBufLen=0x5b4 | out: pbData=0xb2b9e0*, pdwDataLen=0x151f0d0*=0x5ac) returned 1 [0083.578] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0083.578] NtClose (Handle=0x180) returned 0x0 [0083.578] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml.locked" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\setup.xml.locked")) returned 1 [0083.579] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml.locked", dwFileAttributes=0x2020) returned 1 [0083.579] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml.readme_txt", dwFileAttributes=0x80) returned 0 [0083.579] GetLastError () returned 0x2 [0083.579] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\setup.xml.readme_txt"), fInfoLevelId=0x0, lpFileInformation=0x151f070 | out: lpFileInformation=0x151f070*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x868e92, ftLastWriteTime.dwLowDateTime=0x80, ftLastWriteTime.dwHighDateTime=0x151f1d4, nFileSizeHigh=0x0, nFileSizeLow=0x151f1a4)) returned 0 [0083.579] GetLastError () returned 0x2 [0083.579] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-00ba-0409-1000-0000000ff1ce}-c\\setup.xml.readme_txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0083.579] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0083.579] WriteFile (in: hFile=0x180, lpBuffer=0xae7b50*, nNumberOfBytesToWrite=0x3a4, lpNumberOfBytesWritten=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0xae7b50*, lpNumberOfBytesWritten=0x151f0e0*=0x3a4, lpOverlapped=0x0) returned 1 [0083.580] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0083.580] NtClose (Handle=0x180) returned 0x0 [0083.580] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\Setup.xml.readme_txt", dwFileAttributes=0x2020) returned 1 [0083.581] CryptDestroyKey (hKey=0x2e4858) returned 1 [0083.581] FindFirstFileExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-00BA-0409-1000-0000000FF1CE}-C\\*", fInfoLevelId=0x1, lpFindFileData=0x151f204, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x151f204) returned 0x2e4858 [0083.581] FindClose (in: hFindFile=0x2e48d8 | out: hFindFile=0x2e48d8) returned 1 [0083.581] FindNextFileW (in: hFindFile=0x2e4858, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0083.582] FindNextFileW (in: hFindFile=0x2e4858, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0083.582] FindNextFileW (in: hFindFile=0x2e4858, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0083.582] FindNextFileW (in: hFindFile=0x2e4858, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0083.582] FindNextFileW (in: hFindFile=0x2e4858, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0083.582] FindNextFileW (in: hFindFile=0x2e4858, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0083.582] FindNextFileW (in: hFindFile=0x2e4858, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0083.582] FindNextFileW (in: hFindFile=0x2e4858, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0083.582] FindNextFileW (in: hFindFile=0x2e4858, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0083.582] FindNextFileW (in: hFindFile=0x2e4858, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 0 [0083.582] GetLastError () returned 0x12 [0083.582] FindNextFileW (in: hFindFile=0x290710, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0083.582] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2200000, hTemplateFile=0x0) returned 0x180 [0083.582] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x151f43c, lpLastWriteTime=0x151f43c) returned 0 [0083.582] DeviceIoControl (in: hDevice=0x180, dwIoControlCode=0x900a8, lpInBuffer=0x0, nInBufferSize=0x0, lpOutBuffer=0xae9a40, nOutBufferSize=0x4000, lpBytesReturned=0x151f494, lpOverlapped=0x0 | out: lpOutBuffer=0xae9a40, lpBytesReturned=0x151f494, lpOverlapped=0x0) returned 0 [0083.582] FindFirstFileExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\*", fInfoLevelId=0x1, lpFindFileData=0x151f204, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x151f204) returned 0x2e4858 [0083.587] FindNextFileW (in: hFindFile=0x2e4858, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0083.587] FindNextFileW (in: hFindFile=0x2e4858, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0083.587] FindNextFileW (in: hFindFile=0x2e4858, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0083.587] FindNextFileW (in: hFindFile=0x2e4858, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0083.587] FindNextFileW (in: hFindFile=0x2e4858, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0083.588] FindNextFileW (in: hFindFile=0x2e4858, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0083.588] FindNextFileW (in: hFindFile=0x2e4858, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0083.588] FindNextFileW (in: hFindFile=0x2e4858, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0083.588] FindNextFileW (in: hFindFile=0x2e4858, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0083.588] FindNextFileW (in: hFindFile=0x2e4858, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0083.588] FindNextFileW (in: hFindFile=0x2e4858, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0083.588] FindNextFileW (in: hFindFile=0x2e4858, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0083.588] FindNextFileW (in: hFindFile=0x2e4858, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0083.588] FindNextFileW (in: hFindFile=0x2e4858, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0083.588] FindNextFileW (in: hFindFile=0x2e4858, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0083.588] FindNextFileW (in: hFindFile=0x2e4858, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0083.588] FindNextFileW (in: hFindFile=0x2e4858, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0083.588] FindNextFileW (in: hFindFile=0x2e4858, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0083.588] FindNextFileW (in: hFindFile=0x2e4858, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 0 [0083.588] GetLastError () returned 0x12 [0083.589] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xdc [0083.589] SetFileTime (hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0083.589] CryptGenKey (in: hProv=0x2889e8, Algid=0x6801, dwFlags=0x800001, phKey=0x151f0d4 | out: phKey=0x151f0d4*=0x2e48d8) returned 1 [0083.589] CryptExportKey (in: hKey=0x2e48d8, hExpKey=0x289ec0, dwBlobType=0x1, dwFlags=0x0, pbData=0xb35138, pdwDataLen=0x151f0d8 | out: pbData=0xb35138*, pdwDataLen=0x151f0d8*=0x8c) returned 1 [0083.589] ReadFile (in: hFile=0xdc, lpBuffer=0x890020, nNumberOfBytesToRead=0x91975, lpNumberOfBytesRead=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0x890020*, lpNumberOfBytesRead=0x151f0e0*=0x91975, lpOverlapped=0x0) returned 1 [0083.618] CryptEncrypt (in: hKey=0x2e48d8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1210020*, pdwDataLen=0x151f0d0*=0x91975, dwBufLen=0x9197d | out: pbData=0x1210020*, pdwDataLen=0x151f0d0*=0x91975) returned 1 [0083.631] SetFileTime (hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0083.631] NtClose (Handle=0xdc) returned 0x0 [0083.631] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.locked" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml.locked")) returned 1 [0083.631] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.locked", dwFileAttributes=0x2020) returned 1 [0083.631] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.readme_txt", dwFileAttributes=0x80) returned 0 [0083.631] GetLastError () returned 0x2 [0083.631] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml.readme_txt"), fInfoLevelId=0x0, lpFileInformation=0x151f070 | out: lpFileInformation=0x151f070*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x868e92, ftLastWriteTime.dwLowDateTime=0x80, ftLastWriteTime.dwHighDateTime=0x151f1d4, nFileSizeHigh=0x0, nFileSizeLow=0x151f1a4)) returned 0 [0083.632] GetLastError () returned 0x2 [0083.632] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\branding.xml.readme_txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xdc [0083.632] SetFileTime (hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0083.632] WriteFile (in: hFile=0xdc, lpBuffer=0xae7b50*, nNumberOfBytesToWrite=0x3a4, lpNumberOfBytesWritten=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0xae7b50*, lpNumberOfBytesWritten=0x151f0e0*=0x3a4, lpOverlapped=0x0) returned 1 [0083.633] SetFileTime (hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0083.633] NtClose (Handle=0xdc) returned 0x0 [0083.633] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\branding.xml.readme_txt", dwFileAttributes=0x2020) returned 1 [0083.635] CryptDestroyKey (hKey=0x2e48d8) returned 1 [0083.636] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\microsoft.vc90.crt.manifest"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xdc [0083.636] SetFileTime (hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0083.636] CryptGenKey (in: hProv=0x2889e8, Algid=0x6801, dwFlags=0x800001, phKey=0x151f0d4 | out: phKey=0x151f0d4*=0x2e48d8) returned 1 [0083.636] CryptExportKey (in: hKey=0x2e48d8, hExpKey=0x289ec0, dwBlobType=0x1, dwFlags=0x0, pbData=0xb35138, pdwDataLen=0x151f0d8 | out: pbData=0xb35138*, pdwDataLen=0x151f0d8*=0x8c) returned 1 [0083.637] ReadFile (in: hFile=0xdc, lpBuffer=0xb2b9e0, nNumberOfBytesToRead=0x741, lpNumberOfBytesRead=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0xb2b9e0*, lpNumberOfBytesRead=0x151f0e0*=0x741, lpOverlapped=0x0) returned 1 [0083.644] CryptEncrypt (in: hKey=0x2e48d8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xb427d8*, pdwDataLen=0x151f0d0*=0x741, dwBufLen=0x749 | out: pbData=0xb427d8*, pdwDataLen=0x151f0d0*=0x741) returned 1 [0083.647] SetFileTime (hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0083.647] NtClose (Handle=0xdc) returned 0x0 [0083.648] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\microsoft.vc90.crt.manifest"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest.locked" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\microsoft.vc90.crt.manifest.locked")) returned 1 [0083.648] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest.locked", dwFileAttributes=0x2020) returned 1 [0083.648] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest.readme_txt", dwFileAttributes=0x80) returned 0 [0083.648] GetLastError () returned 0x2 [0083.648] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\microsoft.vc90.crt.manifest.readme_txt"), fInfoLevelId=0x0, lpFileInformation=0x151f070 | out: lpFileInformation=0x151f070*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x868e92, ftLastWriteTime.dwLowDateTime=0x80, ftLastWriteTime.dwHighDateTime=0x151f1d4, nFileSizeHigh=0x0, nFileSizeLow=0x151f1a4)) returned 0 [0083.648] GetLastError () returned 0x2 [0083.648] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\microsoft.vc90.crt.manifest.readme_txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xdc [0083.649] SetFileTime (hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0083.649] WriteFile (in: hFile=0xdc, lpBuffer=0xae7b50*, nNumberOfBytesToWrite=0x3a4, lpNumberOfBytesWritten=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0xae7b50*, lpNumberOfBytesWritten=0x151f0e0*=0x3a4, lpOverlapped=0x0) returned 1 [0083.650] SetFileTime (hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0083.654] NtClose (Handle=0xdc) returned 0x0 [0083.655] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Microsoft.VC90.CRT.manifest.readme_txt", dwFileAttributes=0x2020) returned 1 [0083.655] CryptDestroyKey (hKey=0x2e48d8) returned 1 [0083.655] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officelr.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xdc [0083.655] SetFileTime (hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0083.655] CryptGenKey (in: hProv=0x2889e8, Algid=0x6801, dwFlags=0x800001, phKey=0x151f0d4 | out: phKey=0x151f0d4*=0x2e48d8) returned 1 [0083.655] CryptExportKey (in: hKey=0x2e48d8, hExpKey=0x289ec0, dwBlobType=0x1, dwFlags=0x0, pbData=0xb35138, pdwDataLen=0x151f0d8 | out: pbData=0xb35138*, pdwDataLen=0x151f0d8*=0x8c) returned 1 [0083.656] ReadFile (in: hFile=0xdc, lpBuffer=0x18e0020, nNumberOfBytesToRead=0xa00000, lpNumberOfBytesRead=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0x18e0020*, lpNumberOfBytesRead=0x151f0e0*=0xa00000, lpOverlapped=0x0) returned 1 [0084.195] CryptEncrypt (in: hKey=0x2e48d8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d00020*, pdwDataLen=0x151f0d0*=0xa00000, dwBufLen=0xa00008 | out: pbData=0x2d00020*, pdwDataLen=0x151f0d0*=0xa00000) returned 1 [0084.431] ReadFile (in: hFile=0xdc, lpBuffer=0x22f0020, nNumberOfBytesToRead=0x379282, lpNumberOfBytesRead=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0x22f0020*, lpNumberOfBytesRead=0x151f0e0*=0x379282, lpOverlapped=0x0) returned 1 [0084.522] CryptEncrypt (in: hKey=0x2e48d8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x22f0020*, pdwDataLen=0x151f0d0*=0x379282, dwBufLen=0x37928a | out: pbData=0x22f0020*, pdwDataLen=0x151f0d0*=0x379282) returned 1 [0084.582] SetFileTime (hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0084.582] NtClose (Handle=0xdc) returned 0x0 [0084.582] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officelr.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab.locked" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officelr.cab.locked")) returned 1 [0084.583] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab.locked", dwFileAttributes=0x2020) returned 1 [0084.583] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab.readme_txt", dwFileAttributes=0x80) returned 0 [0084.583] GetLastError () returned 0x2 [0084.583] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officelr.cab.readme_txt"), fInfoLevelId=0x0, lpFileInformation=0x151f070 | out: lpFileInformation=0x151f070*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x868e92, ftLastWriteTime.dwLowDateTime=0x80, ftLastWriteTime.dwHighDateTime=0x151f1d4, nFileSizeHigh=0x0, nFileSizeLow=0x151f1a4)) returned 0 [0084.583] GetLastError () returned 0x2 [0084.583] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officelr.cab.readme_txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xdc [0084.583] SetFileTime (hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0084.583] WriteFile (in: hFile=0xdc, lpBuffer=0xae7b50*, nNumberOfBytesToWrite=0x3a4, lpNumberOfBytesWritten=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0xae7b50*, lpNumberOfBytesWritten=0x151f0e0*=0x3a4, lpOverlapped=0x0) returned 1 [0084.584] SetFileTime (hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0084.590] NtClose (Handle=0xdc) returned 0x0 [0084.591] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeLR.cab.readme_txt", dwFileAttributes=0x2020) returned 1 [0084.626] CryptDestroyKey (hKey=0x2e48d8) returned 1 [0084.627] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xdc [0084.627] SetFileTime (hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0084.627] CryptGenKey (in: hProv=0x2889e8, Algid=0x6801, dwFlags=0x800001, phKey=0x151f0d4 | out: phKey=0x151f0d4*=0x2e48d8) returned 1 [0084.627] CryptExportKey (in: hKey=0x2e48d8, hExpKey=0x289ec0, dwBlobType=0x1, dwFlags=0x0, pbData=0xb35138, pdwDataLen=0x151f0d8 | out: pbData=0xb35138*, pdwDataLen=0x151f0d8*=0x8c) returned 1 [0084.627] ReadFile (in: hFile=0xdc, lpBuffer=0x18e0020, nNumberOfBytesToRead=0x387e00, lpNumberOfBytesRead=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0x18e0020*, lpNumberOfBytesRead=0x151f0e0*=0x387e00, lpOverlapped=0x0) returned 1 [0084.822] CryptEncrypt (in: hKey=0x2e48d8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2000020*, pdwDataLen=0x151f0d0*=0x387e00, dwBufLen=0x387e08 | out: pbData=0x2000020*, pdwDataLen=0x151f0d0*=0x387e00) returned 1 [0084.889] SetFileTime (hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0084.890] NtClose (Handle=0xdc) returned 0x0 [0084.890] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi.locked" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.msi.locked")) returned 1 [0084.890] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi.locked", dwFileAttributes=0x2020) returned 1 [0084.890] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi.readme_txt", dwFileAttributes=0x80) returned 0 [0084.890] GetLastError () returned 0x2 [0084.890] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.msi.readme_txt"), fInfoLevelId=0x0, lpFileInformation=0x151f070 | out: lpFileInformation=0x151f070*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x868e92, ftLastWriteTime.dwLowDateTime=0x80, ftLastWriteTime.dwHighDateTime=0x151f1d4, nFileSizeHigh=0x0, nFileSizeLow=0x151f1a4)) returned 0 [0084.890] GetLastError () returned 0x2 [0084.891] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.msi.readme_txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xdc [0084.891] SetFileTime (hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0084.891] WriteFile (in: hFile=0xdc, lpBuffer=0xae7b50*, nNumberOfBytesToWrite=0x3a4, lpNumberOfBytesWritten=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0xae7b50*, lpNumberOfBytesWritten=0x151f0e0*=0x3a4, lpOverlapped=0x0) returned 1 [0084.891] SetFileTime (hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0084.892] NtClose (Handle=0xdc) returned 0x0 [0084.892] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.msi.readme_txt", dwFileAttributes=0x2020) returned 1 [0084.905] CryptDestroyKey (hKey=0x2e48d8) returned 1 [0084.905] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xdc [0084.905] SetFileTime (hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0084.905] CryptGenKey (in: hProv=0x2889e8, Algid=0x6801, dwFlags=0x800001, phKey=0x151f0d4 | out: phKey=0x151f0d4*=0x2e48d8) returned 1 [0084.905] CryptExportKey (in: hKey=0x2e48d8, hExpKey=0x289ec0, dwBlobType=0x1, dwFlags=0x0, pbData=0xb35138, pdwDataLen=0x151f0d8 | out: pbData=0xb35138*, pdwDataLen=0x151f0d8*=0x8c) returned 1 [0084.905] ReadFile (in: hFile=0xdc, lpBuffer=0xb7e370, nNumberOfBytesToRead=0x15b5, lpNumberOfBytesRead=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0xb7e370*, lpNumberOfBytesRead=0x151f0e0*=0x15b5, lpOverlapped=0x0) returned 1 [0084.917] CryptEncrypt (in: hKey=0x2e48d8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xb53de8*, pdwDataLen=0x151f0d0*=0x15b5, dwBufLen=0x15bd | out: pbData=0xb53de8*, pdwDataLen=0x151f0d0*=0x15b5) returned 1 [0084.920] SetFileTime (hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0084.920] NtClose (Handle=0xdc) returned 0x0 [0084.921] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.xml"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml.locked" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.xml.locked")) returned 1 [0084.921] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml.locked", dwFileAttributes=0x2020) returned 1 [0084.921] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml.readme_txt", dwFileAttributes=0x80) returned 0 [0084.921] GetLastError () returned 0x2 [0084.921] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.xml.readme_txt"), fInfoLevelId=0x0, lpFileInformation=0x151f070 | out: lpFileInformation=0x151f070*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x868e92, ftLastWriteTime.dwLowDateTime=0x80, ftLastWriteTime.dwHighDateTime=0x151f1d4, nFileSizeHigh=0x0, nFileSizeLow=0x151f1a4)) returned 0 [0084.921] GetLastError () returned 0x2 [0084.921] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemui.xml.readme_txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xdc [0084.921] SetFileTime (hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0084.922] WriteFile (in: hFile=0xdc, lpBuffer=0xae7b50*, nNumberOfBytesToWrite=0x3a4, lpNumberOfBytesWritten=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0xae7b50*, lpNumberOfBytesWritten=0x151f0e0*=0x3a4, lpOverlapped=0x0) returned 1 [0084.922] SetFileTime (hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0084.922] NtClose (Handle=0xdc) returned 0x0 [0084.923] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUI.xml.readme_txt", dwFileAttributes=0x2020) returned 1 [0084.923] CryptDestroyKey (hKey=0x2e48d8) returned 1 [0084.923] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xdc [0084.923] SetFileTime (hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0084.923] CryptGenKey (in: hProv=0x2889e8, Algid=0x6801, dwFlags=0x800001, phKey=0x151f0d4 | out: phKey=0x151f0d4*=0x2e48d8) returned 1 [0084.923] CryptExportKey (in: hKey=0x2e48d8, hExpKey=0x289ec0, dwBlobType=0x1, dwFlags=0x0, pbData=0xb35138, pdwDataLen=0x151f0d8 | out: pbData=0xb35138*, pdwDataLen=0x151f0d8*=0x8c) returned 1 [0084.924] ReadFile (in: hFile=0xdc, lpBuffer=0x1210020, nNumberOfBytesToRead=0xd4200, lpNumberOfBytesRead=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0x1210020*, lpNumberOfBytesRead=0x151f0e0*=0xd4200, lpOverlapped=0x0) returned 1 [0084.975] CryptEncrypt (in: hKey=0x2e48d8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x18e0020*, pdwDataLen=0x151f0d0*=0xd4200, dwBufLen=0xd4208 | out: pbData=0x18e0020*, pdwDataLen=0x151f0d0*=0xd4200) returned 1 [0085.232] SetFileTime (hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0085.232] NtClose (Handle=0xdc) returned 0x0 [0085.232] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi.locked" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.msi.locked")) returned 1 [0085.232] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi.locked", dwFileAttributes=0x2020) returned 1 [0085.233] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi.readme_txt", dwFileAttributes=0x80) returned 0 [0085.233] GetLastError () returned 0x2 [0085.233] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.msi.readme_txt"), fInfoLevelId=0x0, lpFileInformation=0x151f070 | out: lpFileInformation=0x151f070*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x868e92, ftLastWriteTime.dwLowDateTime=0x80, ftLastWriteTime.dwHighDateTime=0x151f1d4, nFileSizeHigh=0x0, nFileSizeLow=0x151f1a4)) returned 0 [0085.233] GetLastError () returned 0x2 [0085.233] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.msi.readme_txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xdc [0085.741] SetFileTime (hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0085.741] WriteFile (in: hFile=0xdc, lpBuffer=0xae7b50*, nNumberOfBytesToWrite=0x3a4, lpNumberOfBytesWritten=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0xae7b50*, lpNumberOfBytesWritten=0x151f0e0*=0x3a4, lpOverlapped=0x0) returned 1 [0085.741] SetFileTime (hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0085.741] NtClose (Handle=0xdc) returned 0x0 [0085.742] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.msi.readme_txt", dwFileAttributes=0x2020) returned 1 [0085.745] CryptDestroyKey (hKey=0x2e48d8) returned 1 [0085.745] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xdc [0085.745] SetFileTime (hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0085.746] CryptGenKey (in: hProv=0x2889e8, Algid=0x6801, dwFlags=0x800001, phKey=0x151f0d4 | out: phKey=0x151f0d4*=0x2e48d8) returned 1 [0085.746] CryptExportKey (in: hKey=0x2e48d8, hExpKey=0x289ec0, dwBlobType=0x1, dwFlags=0x0, pbData=0xb35138, pdwDataLen=0x151f0d8 | out: pbData=0xb35138*, pdwDataLen=0x151f0d8*=0x8c) returned 1 [0085.746] ReadFile (in: hFile=0xdc, lpBuffer=0xb6e658, nNumberOfBytesToRead=0x333, lpNumberOfBytesRead=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0xb6e658*, lpNumberOfBytesRead=0x151f0e0*=0x333, lpOverlapped=0x0) returned 1 [0085.776] CryptEncrypt (in: hKey=0x2e48d8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xb49948*, pdwDataLen=0x151f0d0*=0x333, dwBufLen=0x33b | out: pbData=0xb49948*, pdwDataLen=0x151f0d0*=0x333) returned 1 [0085.902] SetFileTime (hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0085.902] NtClose (Handle=0xdc) returned 0x0 [0085.902] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.xml"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml.locked" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.xml.locked")) returned 1 [0085.903] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml.locked", dwFileAttributes=0x2020) returned 1 [0085.903] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml.readme_txt", dwFileAttributes=0x80) returned 0 [0085.903] GetLastError () returned 0x2 [0085.903] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.xml.readme_txt"), fInfoLevelId=0x0, lpFileInformation=0x151f070 | out: lpFileInformation=0x151f070*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x868e92, ftLastWriteTime.dwLowDateTime=0x80, ftLastWriteTime.dwHighDateTime=0x151f1d4, nFileSizeHigh=0x0, nFileSizeLow=0x151f1a4)) returned 0 [0085.904] GetLastError () returned 0x2 [0085.904] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\officemuiset.xml.readme_txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xdc [0085.904] SetFileTime (hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0085.905] WriteFile (in: hFile=0xdc, lpBuffer=0xae7b50*, nNumberOfBytesToWrite=0x3a4, lpNumberOfBytesWritten=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0xae7b50*, lpNumberOfBytesWritten=0x151f0e0*=0x3a4, lpOverlapped=0x0) returned 1 [0085.906] SetFileTime (hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0085.906] NtClose (Handle=0xdc) returned 0x0 [0085.907] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\OfficeMUISet.xml.readme_txt", dwFileAttributes=0x2020) returned 1 [0085.908] CryptDestroyKey (hKey=0x2e48d8) returned 1 [0085.908] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\pss10r.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xdc [0085.908] SetFileTime (hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0085.908] CryptGenKey (in: hProv=0x2889e8, Algid=0x6801, dwFlags=0x800001, phKey=0x151f0d4 | out: phKey=0x151f0d4*=0x2e48d8) returned 1 [0085.908] CryptExportKey (in: hKey=0x2e48d8, hExpKey=0x289ec0, dwBlobType=0x1, dwFlags=0x0, pbData=0xb35138, pdwDataLen=0x151f0d8 | out: pbData=0xb35138*, pdwDataLen=0x151f0d8*=0x8c) returned 1 [0085.908] ReadFile (in: hFile=0xdc, lpBuffer=0xae9a40, nNumberOfBytesToRead=0x6a3b, lpNumberOfBytesRead=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0xae9a40*, lpNumberOfBytesRead=0x151f0e0*=0x6a3b, lpOverlapped=0x0) returned 1 [0085.913] CryptEncrypt (in: hKey=0x2e48d8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xaf6ed0*, pdwDataLen=0x151f0d0*=0x6a3b, dwBufLen=0x6a43 | out: pbData=0xaf6ed0*, pdwDataLen=0x151f0d0*=0x6a3b) returned 1 [0085.973] SetFileTime (hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0085.973] NtClose (Handle=0xdc) returned 0x0 [0085.974] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\pss10r.chm"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm.locked" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\pss10r.chm.locked")) returned 1 [0085.975] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm.locked", dwFileAttributes=0x2020) returned 1 [0085.975] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm.readme_txt", dwFileAttributes=0x80) returned 0 [0085.975] GetLastError () returned 0x2 [0085.975] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\pss10r.chm.readme_txt"), fInfoLevelId=0x0, lpFileInformation=0x151f070 | out: lpFileInformation=0x151f070*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x868e92, ftLastWriteTime.dwLowDateTime=0x80, ftLastWriteTime.dwHighDateTime=0x151f1d4, nFileSizeHigh=0x0, nFileSizeLow=0x151f1a4)) returned 0 [0085.975] GetLastError () returned 0x2 [0085.975] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\pss10r.chm.readme_txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xdc [0085.978] SetFileTime (hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0085.978] WriteFile (in: hFile=0xdc, lpBuffer=0xae7b50*, nNumberOfBytesToWrite=0x3a4, lpNumberOfBytesWritten=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0xae7b50*, lpNumberOfBytesWritten=0x151f0e0*=0x3a4, lpOverlapped=0x0) returned 1 [0085.979] SetFileTime (hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0085.979] NtClose (Handle=0xdc) returned 0x0 [0085.980] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\pss10r.chm.readme_txt", dwFileAttributes=0x2020) returned 1 [0085.981] CryptDestroyKey (hKey=0x2e48d8) returned 1 [0085.981] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.chm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xdc [0085.981] SetFileTime (hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0085.981] CryptGenKey (in: hProv=0x2889e8, Algid=0x6801, dwFlags=0x800001, phKey=0x151f0d4 | out: phKey=0x151f0d4*=0x2e48d8) returned 1 [0085.981] CryptExportKey (in: hKey=0x2e48d8, hExpKey=0x289ec0, dwBlobType=0x1, dwFlags=0x0, pbData=0xb35138, pdwDataLen=0x151f0d8 | out: pbData=0xb35138*, pdwDataLen=0x151f0d8*=0x8c) returned 1 [0085.981] ReadFile (in: hFile=0xdc, lpBuffer=0xae9a40, nNumberOfBytesToRead=0x10676, lpNumberOfBytesRead=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0xae9a40*, lpNumberOfBytesRead=0x151f0e0*=0x10676, lpOverlapped=0x0) returned 1 [0086.061] CryptEncrypt (in: hKey=0x2e48d8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xafa0c8*, pdwDataLen=0x151f0d0*=0x10676, dwBufLen=0x1067e | out: pbData=0xafa0c8*, pdwDataLen=0x151f0d0*=0x10676) returned 1 [0086.119] SetFileTime (hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0086.119] NtClose (Handle=0xdc) returned 0x0 [0086.119] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.chm"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm.locked" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.chm.locked")) returned 1 [0086.122] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm.locked", dwFileAttributes=0x2020) returned 1 [0086.123] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm.readme_txt", dwFileAttributes=0x80) returned 0 [0086.123] GetLastError () returned 0x2 [0086.123] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.chm.readme_txt"), fInfoLevelId=0x0, lpFileInformation=0x151f070 | out: lpFileInformation=0x151f070*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x868e92, ftLastWriteTime.dwLowDateTime=0x80, ftLastWriteTime.dwHighDateTime=0x151f1d4, nFileSizeHigh=0x0, nFileSizeLow=0x151f1a4)) returned 0 [0086.123] GetLastError () returned 0x2 [0086.123] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.chm.readme_txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xdc [0086.123] SetFileTime (hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0086.123] WriteFile (in: hFile=0xdc, lpBuffer=0xae7b50*, nNumberOfBytesToWrite=0x3a4, lpNumberOfBytesWritten=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0xae7b50*, lpNumberOfBytesWritten=0x151f0e0*=0x3a4, lpOverlapped=0x0) returned 1 [0086.124] SetFileTime (hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0086.124] NtClose (Handle=0xdc) returned 0x0 [0086.125] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\setup.chm.readme_txt", dwFileAttributes=0x2020) returned 1 [0086.125] CryptDestroyKey (hKey=0x2e48d8) returned 1 [0086.126] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xdc [0086.126] SetFileTime (hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0086.126] CryptGenKey (in: hProv=0x2889e8, Algid=0x6801, dwFlags=0x800001, phKey=0x151f0d4 | out: phKey=0x151f0d4*=0x2e48d8) returned 1 [0086.126] CryptExportKey (in: hKey=0x2e48d8, hExpKey=0x289ec0, dwBlobType=0x1, dwFlags=0x0, pbData=0xb35138, pdwDataLen=0x151f0d8 | out: pbData=0xb35138*, pdwDataLen=0x151f0d8*=0x8c) returned 1 [0086.126] ReadFile (in: hFile=0xdc, lpBuffer=0xba14b0, nNumberOfBytesToRead=0x2488, lpNumberOfBytesRead=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0xba14b0*, lpNumberOfBytesRead=0x151f0e0*=0x2488, lpOverlapped=0x0) returned 1 [0086.199] CryptEncrypt (in: hKey=0x2e48d8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xb918d0*, pdwDataLen=0x151f0d0*=0x2488, dwBufLen=0x2490 | out: pbData=0xb918d0*, pdwDataLen=0x151f0d0*=0x2488) returned 1 [0086.225] SetFileTime (hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0086.225] NtClose (Handle=0xdc) returned 0x0 [0086.225] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml.locked" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.xml.locked")) returned 1 [0086.226] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml.locked", dwFileAttributes=0x2020) returned 1 [0086.226] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml.readme_txt", dwFileAttributes=0x80) returned 0 [0086.226] GetLastError () returned 0x2 [0086.226] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.xml.readme_txt"), fInfoLevelId=0x0, lpFileInformation=0x151f070 | out: lpFileInformation=0x151f070*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x868e92, ftLastWriteTime.dwLowDateTime=0x80, ftLastWriteTime.dwHighDateTime=0x151f1d4, nFileSizeHigh=0x0, nFileSizeLow=0x151f1a4)) returned 0 [0086.226] GetLastError () returned 0x2 [0086.226] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\setup.xml.readme_txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xdc [0086.227] SetFileTime (hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0086.227] WriteFile (in: hFile=0xdc, lpBuffer=0xae7b50*, nNumberOfBytesToWrite=0x3a4, lpNumberOfBytesWritten=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0xae7b50*, lpNumberOfBytesWritten=0x151f0e0*=0x3a4, lpOverlapped=0x0) returned 1 [0086.228] SetFileTime (hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0086.229] NtClose (Handle=0xdc) returned 0x0 [0086.241] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\Setup.xml.readme_txt", dwFileAttributes=0x2020) returned 1 [0086.241] CryptDestroyKey (hKey=0x2e48d8) returned 1 [0086.242] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\shellui.mst"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xdc [0086.242] SetFileTime (hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0086.242] CryptGenKey (in: hProv=0x2889e8, Algid=0x6801, dwFlags=0x800001, phKey=0x151f0d4 | out: phKey=0x151f0d4*=0x2e48d8) returned 1 [0086.242] CryptExportKey (in: hKey=0x2e48d8, hExpKey=0x289ec0, dwBlobType=0x1, dwFlags=0x0, pbData=0xb35138, pdwDataLen=0x151f0d8 | out: pbData=0xb35138*, pdwDataLen=0x151f0d8*=0x8c) returned 1 [0086.242] ReadFile (in: hFile=0xdc, lpBuffer=0xb58738, nNumberOfBytesToRead=0xe00, lpNumberOfBytesRead=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0xb58738*, lpNumberOfBytesRead=0x151f0e0*=0xe00, lpOverlapped=0x0) returned 1 [0086.261] CryptEncrypt (in: hKey=0x2e48d8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xb74de8*, pdwDataLen=0x151f0d0*=0xe00, dwBufLen=0xe08 | out: pbData=0xb74de8*, pdwDataLen=0x151f0d0*=0xe00) returned 1 [0086.266] SetFileTime (hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0086.266] NtClose (Handle=0xdc) returned 0x0 [0086.266] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\shellui.mst"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST.locked" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\shellui.mst.locked")) returned 1 [0086.267] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST.locked", dwFileAttributes=0x2020) returned 1 [0086.267] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST.readme_txt", dwFileAttributes=0x80) returned 0 [0086.267] GetLastError () returned 0x2 [0086.267] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\shellui.mst.readme_txt"), fInfoLevelId=0x0, lpFileInformation=0x151f070 | out: lpFileInformation=0x151f070*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x868e92, ftLastWriteTime.dwLowDateTime=0x80, ftLastWriteTime.dwHighDateTime=0x151f1d4, nFileSizeHigh=0x0, nFileSizeLow=0x151f1a4)) returned 0 [0086.267] GetLastError () returned 0x2 [0086.267] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\shellui.mst.readme_txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xdc [0086.268] SetFileTime (hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0086.268] WriteFile (in: hFile=0xdc, lpBuffer=0xae7b50*, nNumberOfBytesToWrite=0x3a4, lpNumberOfBytesWritten=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0xae7b50*, lpNumberOfBytesWritten=0x151f0e0*=0x3a4, lpOverlapped=0x0) returned 1 [0086.268] SetFileTime (hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0086.268] NtClose (Handle=0xdc) returned 0x0 [0086.269] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\ShellUI.MST.readme_txt", dwFileAttributes=0x2020) returned 1 [0086.269] CryptDestroyKey (hKey=0x2e48d8) returned 1 [0086.269] FindFirstFileExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\*", fInfoLevelId=0x1, lpFindFileData=0x151f204, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x151f204) returned 0x2e48d8 [0086.269] FindClose (in: hFindFile=0x2e4858 | out: hFindFile=0x2e4858) returned 1 [0086.270] FindNextFileW (in: hFindFile=0x2e48d8, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0086.270] FindNextFileW (in: hFindFile=0x2e48d8, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0086.271] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033" (normalized: "c:\\msocache\\all users\\{90140000-0115-0409-1000-0000000ff1ce}-c\\1033"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2200000, hTemplateFile=0x0) returned 0x180 [0086.271] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x151f17c, lpLastWriteTime=0x151f17c) returned 0 [0086.271] DeviceIoControl (in: hDevice=0x180, dwIoControlCode=0x900a8, lpInBuffer=0x0, nInBufferSize=0x0, lpOutBuffer=0xae9a40, nOutBufferSize=0x4000, lpBytesReturned=0x151f1d4, lpOverlapped=0x0 | out: lpOutBuffer=0xae9a40, lpBytesReturned=0x151f1d4, lpOverlapped=0x0) returned 0 [0086.271] FindFirstFileExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\*", fInfoLevelId=0x1, lpFindFileData=0x151ef44, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x151ef44) returned 0x2e4858 [0086.271] FindNextFileW (in: hFindFile=0x2e4858, lpFindFileData=0x151ef44 | out: lpFindFileData=0x151ef44) returned 1 [0086.272] FindNextFileW (in: hFindFile=0x2e4858, lpFindFileData=0x151ef44 | out: lpFindFileData=0x151ef44) returned 1 [0086.272] FindNextFileW (in: hFindFile=0x2e4858, lpFindFileData=0x151ef44 | out: lpFindFileData=0x151ef44) returned 0 [0086.272] GetLastError () returned 0x12 [0086.272] FindFirstFileExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0115-0409-1000-0000000FF1CE}-C\\1033\\*", fInfoLevelId=0x1, lpFindFileData=0x151ef44, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x151ef44) returned 0x2e4898 [0086.272] FindClose (in: hFindFile=0x2e4858 | out: hFindFile=0x2e4858) returned 1 [0086.272] FindNextFileW (in: hFindFile=0x2e4898, lpFindFileData=0x151ef44 | out: lpFindFileData=0x151ef44) returned 1 [0086.272] FindNextFileW (in: hFindFile=0x2e4898, lpFindFileData=0x151ef44 | out: lpFindFileData=0x151ef44) returned 1 [0086.272] FindNextFileW (in: hFindFile=0x2e4898, lpFindFileData=0x151ef44 | out: lpFindFileData=0x151ef44) returned 0 [0086.272] GetLastError () returned 0x12 [0086.272] FindNextFileW (in: hFindFile=0x2e48d8, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0086.272] FindNextFileW (in: hFindFile=0x2e48d8, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0086.272] FindNextFileW (in: hFindFile=0x2e48d8, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0086.272] FindNextFileW (in: hFindFile=0x2e48d8, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0086.272] FindNextFileW (in: hFindFile=0x2e48d8, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0086.272] FindNextFileW (in: hFindFile=0x2e48d8, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0086.272] FindNextFileW (in: hFindFile=0x2e48d8, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0086.272] FindNextFileW (in: hFindFile=0x2e48d8, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0086.272] FindNextFileW (in: hFindFile=0x2e48d8, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0086.272] FindNextFileW (in: hFindFile=0x2e48d8, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0086.272] FindNextFileW (in: hFindFile=0x2e48d8, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0086.272] FindNextFileW (in: hFindFile=0x2e48d8, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0086.272] FindNextFileW (in: hFindFile=0x2e48d8, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0086.272] FindNextFileW (in: hFindFile=0x2e48d8, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0086.273] FindNextFileW (in: hFindFile=0x2e48d8, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0086.273] FindNextFileW (in: hFindFile=0x2e48d8, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0086.273] FindNextFileW (in: hFindFile=0x2e48d8, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0086.273] FindNextFileW (in: hFindFile=0x2e48d8, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0086.273] FindNextFileW (in: hFindFile=0x2e48d8, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0086.273] FindNextFileW (in: hFindFile=0x2e48d8, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0086.273] FindNextFileW (in: hFindFile=0x2e48d8, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0086.273] FindNextFileW (in: hFindFile=0x2e48d8, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0086.273] FindNextFileW (in: hFindFile=0x2e48d8, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0086.273] FindNextFileW (in: hFindFile=0x2e48d8, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0086.273] FindNextFileW (in: hFindFile=0x2e48d8, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0086.273] FindNextFileW (in: hFindFile=0x2e48d8, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0086.273] FindNextFileW (in: hFindFile=0x2e48d8, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0086.273] FindNextFileW (in: hFindFile=0x2e48d8, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 0 [0086.273] GetLastError () returned 0x12 [0086.273] FindNextFileW (in: hFindFile=0x290710, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0086.274] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2200000, hTemplateFile=0x0) returned 0xdc [0086.274] SetFileTime (hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x151f43c, lpLastWriteTime=0x151f43c) returned 0 [0086.274] DeviceIoControl (in: hDevice=0xdc, dwIoControlCode=0x900a8, lpInBuffer=0x0, nInBufferSize=0x0, lpOutBuffer=0xae9a40, nOutBufferSize=0x4000, lpBytesReturned=0x151f494, lpOverlapped=0x0 | out: lpOutBuffer=0xae9a40, lpBytesReturned=0x151f494, lpOverlapped=0x0) returned 0 [0086.274] FindFirstFileExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\*", fInfoLevelId=0x1, lpFindFileData=0x151f204, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x151f204) returned 0x2e48d8 [0086.275] FindNextFileW (in: hFindFile=0x2e48d8, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0086.276] FindNextFileW (in: hFindFile=0x2e48d8, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0086.276] FindNextFileW (in: hFindFile=0x2e48d8, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0086.276] FindNextFileW (in: hFindFile=0x2e48d8, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0086.276] FindNextFileW (in: hFindFile=0x2e48d8, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0086.276] FindNextFileW (in: hFindFile=0x2e48d8, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 0 [0086.276] GetLastError () returned 0x12 [0086.276] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x248 [0086.276] SetFileTime (hFile=0x248, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0086.277] CryptGenKey (in: hProv=0x2889e8, Algid=0x6801, dwFlags=0x800001, phKey=0x151f0d4 | out: phKey=0x151f0d4*=0x2e4898) returned 1 [0086.277] CryptExportKey (in: hKey=0x2e4898, hExpKey=0x289ec0, dwBlobType=0x1, dwFlags=0x0, pbData=0xb35138, pdwDataLen=0x151f0d8 | out: pbData=0xb35138*, pdwDataLen=0x151f0d8*=0x8c) returned 1 [0086.277] ReadFile (in: hFile=0x248, lpBuffer=0x1210020, nNumberOfBytesToRead=0xd4200, lpNumberOfBytesRead=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0x1210020*, lpNumberOfBytesRead=0x151f0e0*=0xd4200, lpOverlapped=0x0) returned 1 [0086.350] CryptEncrypt (in: hKey=0x2e4898, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x18e0020*, pdwDataLen=0x151f0d0*=0xd4200, dwBufLen=0xd4208 | out: pbData=0x18e0020*, pdwDataLen=0x151f0d0*=0xd4200) returned 1 [0086.374] SetFileTime (hFile=0x248, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0086.374] NtClose (Handle=0x248) returned 0x0 [0086.374] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi.locked" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.msi.locked")) returned 1 [0086.375] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi.locked", dwFileAttributes=0x2020) returned 1 [0086.375] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi.readme_txt", dwFileAttributes=0x80) returned 0 [0086.375] GetLastError () returned 0x2 [0086.375] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.msi.readme_txt"), fInfoLevelId=0x0, lpFileInformation=0x151f070 | out: lpFileInformation=0x151f070*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x868e92, ftLastWriteTime.dwLowDateTime=0x80, ftLastWriteTime.dwHighDateTime=0x151f1d4, nFileSizeHigh=0x0, nFileSizeLow=0x151f1a4)) returned 0 [0086.375] GetLastError () returned 0x2 [0086.375] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.msi.readme_txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x248 [0086.376] SetFileTime (hFile=0x248, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0086.376] WriteFile (in: hFile=0x248, lpBuffer=0xae7b50*, nNumberOfBytesToWrite=0x3a4, lpNumberOfBytesWritten=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0xae7b50*, lpNumberOfBytesWritten=0x151f0e0*=0x3a4, lpOverlapped=0x0) returned 1 [0086.377] SetFileTime (hFile=0x248, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0086.377] NtClose (Handle=0x248) returned 0x0 [0086.378] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.msi.readme_txt", dwFileAttributes=0x2020) returned 1 [0086.381] CryptDestroyKey (hKey=0x2e4898) returned 1 [0086.381] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x248 [0086.382] SetFileTime (hFile=0x248, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0086.382] CryptGenKey (in: hProv=0x2889e8, Algid=0x6801, dwFlags=0x800001, phKey=0x151f0d4 | out: phKey=0x151f0d4*=0x2e4898) returned 1 [0086.382] CryptExportKey (in: hKey=0x2e4898, hExpKey=0x289ec0, dwBlobType=0x1, dwFlags=0x0, pbData=0xb35138, pdwDataLen=0x151f0d8 | out: pbData=0xb35138*, pdwDataLen=0x151f0d8*=0x8c) returned 1 [0086.382] ReadFile (in: hFile=0x248, lpBuffer=0xb6e658, nNumberOfBytesToRead=0x333, lpNumberOfBytesRead=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0xb6e658*, lpNumberOfBytesRead=0x151f0e0*=0x333, lpOverlapped=0x0) returned 1 [0086.385] CryptEncrypt (in: hKey=0x2e4898, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xb49948*, pdwDataLen=0x151f0d0*=0x333, dwBufLen=0x33b | out: pbData=0xb49948*, pdwDataLen=0x151f0d0*=0x333) returned 1 [0086.388] SetFileTime (hFile=0x248, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0086.388] NtClose (Handle=0x248) returned 0x0 [0086.388] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.xml"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml.locked" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.xml.locked")) returned 1 [0086.388] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml.locked", dwFileAttributes=0x2020) returned 1 [0086.388] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml.readme_txt", dwFileAttributes=0x80) returned 0 [0086.388] GetLastError () returned 0x2 [0086.389] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.xml.readme_txt"), fInfoLevelId=0x0, lpFileInformation=0x151f070 | out: lpFileInformation=0x151f070*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x868e92, ftLastWriteTime.dwLowDateTime=0x80, ftLastWriteTime.dwHighDateTime=0x151f1d4, nFileSizeHigh=0x0, nFileSizeLow=0x151f1a4)) returned 0 [0086.389] GetLastError () returned 0x2 [0086.389] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\accessmuiset.xml.readme_txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x248 [0086.389] SetFileTime (hFile=0x248, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0086.389] WriteFile (in: hFile=0x248, lpBuffer=0xae7b50*, nNumberOfBytesToWrite=0x3a4, lpNumberOfBytesWritten=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0xae7b50*, lpNumberOfBytesWritten=0x151f0e0*=0x3a4, lpOverlapped=0x0) returned 1 [0086.390] SetFileTime (hFile=0x248, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0086.390] NtClose (Handle=0x248) returned 0x0 [0086.390] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\AccessMUISet.xml.readme_txt", dwFileAttributes=0x2020) returned 1 [0086.390] CryptDestroyKey (hKey=0x2e4898) returned 1 [0086.391] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\setup.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x248 [0086.391] SetFileTime (hFile=0x248, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0086.391] CryptGenKey (in: hProv=0x2889e8, Algid=0x6801, dwFlags=0x800001, phKey=0x151f0d4 | out: phKey=0x151f0d4*=0x2e4898) returned 1 [0086.391] CryptExportKey (in: hKey=0x2e4898, hExpKey=0x289ec0, dwBlobType=0x1, dwFlags=0x0, pbData=0xb35138, pdwDataLen=0x151f0d8 | out: pbData=0xb35138*, pdwDataLen=0x151f0d8*=0x8c) returned 1 [0086.391] ReadFile (in: hFile=0x248, lpBuffer=0xb86c38, nNumberOfBytesToRead=0xa40, lpNumberOfBytesRead=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0xb86c38*, lpNumberOfBytesRead=0x151f0e0*=0xa40, lpOverlapped=0x0) returned 1 [0086.412] CryptEncrypt (in: hKey=0x2e4898, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xb5b540*, pdwDataLen=0x151f0d0*=0xa40, dwBufLen=0xa48 | out: pbData=0xb5b540*, pdwDataLen=0x151f0d0*=0xa40) returned 1 [0086.415] SetFileTime (hFile=0x248, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0086.415] NtClose (Handle=0x248) returned 0x0 [0086.415] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\setup.xml"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml.locked" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\setup.xml.locked")) returned 1 [0086.416] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml.locked", dwFileAttributes=0x2020) returned 1 [0086.416] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml.readme_txt", dwFileAttributes=0x80) returned 0 [0086.416] GetLastError () returned 0x2 [0086.416] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\setup.xml.readme_txt"), fInfoLevelId=0x0, lpFileInformation=0x151f070 | out: lpFileInformation=0x151f070*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x868e92, ftLastWriteTime.dwLowDateTime=0x80, ftLastWriteTime.dwHighDateTime=0x151f1d4, nFileSizeHigh=0x0, nFileSizeLow=0x151f1a4)) returned 0 [0086.416] GetLastError () returned 0x2 [0086.416] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\setup.xml.readme_txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x248 [0086.417] SetFileTime (hFile=0x248, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0086.417] WriteFile (in: hFile=0x248, lpBuffer=0xae7b50*, nNumberOfBytesToWrite=0x3a4, lpNumberOfBytesWritten=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0xae7b50*, lpNumberOfBytesWritten=0x151f0e0*=0x3a4, lpOverlapped=0x0) returned 1 [0086.418] SetFileTime (hFile=0x248, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0086.418] NtClose (Handle=0x248) returned 0x0 [0086.418] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Setup.xml.readme_txt", dwFileAttributes=0x2020) returned 1 [0086.418] CryptDestroyKey (hKey=0x2e4898) returned 1 [0086.419] FindFirstFileExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\*", fInfoLevelId=0x1, lpFindFileData=0x151f204, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x151f204) returned 0x2e4898 [0086.419] FindClose (in: hFindFile=0x2e48d8 | out: hFindFile=0x2e48d8) returned 1 [0086.419] FindNextFileW (in: hFindFile=0x2e4898, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0086.420] FindNextFileW (in: hFindFile=0x2e4898, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0086.420] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2200000, hTemplateFile=0x0) returned 0xdc [0086.420] SetFileTime (hFile=0xdc, lpCreationTime=0x0, lpLastAccessTime=0x151f17c, lpLastWriteTime=0x151f17c) returned 0 [0086.420] DeviceIoControl (in: hDevice=0xdc, dwIoControlCode=0x900a8, lpInBuffer=0x0, nInBufferSize=0x0, lpOutBuffer=0xae9a40, nOutBufferSize=0x4000, lpBytesReturned=0x151f1d4, lpOverlapped=0x0 | out: lpOutBuffer=0xae9a40, lpBytesReturned=0x151f1d4, lpOverlapped=0x0) returned 0 [0086.420] FindFirstFileExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\*", fInfoLevelId=0x1, lpFindFileData=0x151ef44, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x151ef44) returned 0x2e48d8 [0086.421] FindNextFileW (in: hFindFile=0x2e48d8, lpFindFileData=0x151ef44 | out: lpFindFileData=0x151ef44) returned 1 [0086.422] FindNextFileW (in: hFindFile=0x2e48d8, lpFindFileData=0x151ef44 | out: lpFindFileData=0x151ef44) returned 1 [0086.422] FindNextFileW (in: hFindFile=0x2e48d8, lpFindFileData=0x151ef44 | out: lpFindFileData=0x151ef44) returned 1 [0086.422] FindNextFileW (in: hFindFile=0x2e48d8, lpFindFileData=0x151ef44 | out: lpFindFileData=0x151ef44) returned 1 [0086.422] FindNextFileW (in: hFindFile=0x2e48d8, lpFindFileData=0x151ef44 | out: lpFindFileData=0x151ef44) returned 1 [0086.422] FindNextFileW (in: hFindFile=0x2e48d8, lpFindFileData=0x151ef44 | out: lpFindFileData=0x151ef44) returned 0 [0086.422] GetLastError () returned 0x12 [0086.423] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0086.423] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x151edf4, lpLastWriteTime=0x151edf4) returned 1 [0086.423] CryptGenKey (in: hProv=0x2889e8, Algid=0x6801, dwFlags=0x800001, phKey=0x151ee14 | out: phKey=0x151ee14*=0x2e4858) returned 1 [0086.423] CryptExportKey (in: hKey=0x2e4858, hExpKey=0x289ec0, dwBlobType=0x1, dwFlags=0x0, pbData=0xb35138, pdwDataLen=0x151ee18 | out: pbData=0xb35138*, pdwDataLen=0x151ee18*=0x8c) returned 1 [0086.423] ReadFile (in: hFile=0x180, lpBuffer=0x18e0020, nNumberOfBytesToRead=0x266a00, lpNumberOfBytesRead=0x151ee20, lpOverlapped=0x0 | out: lpBuffer=0x18e0020*, lpNumberOfBytesRead=0x151ee20*=0x266a00, lpOverlapped=0x0) returned 1 [0086.621] CryptEncrypt (in: hKey=0x2e4858, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1dc0020*, pdwDataLen=0x151ee10*=0x266a00, dwBufLen=0x266a08 | out: pbData=0x1dc0020*, pdwDataLen=0x151ee10*=0x266a00) returned 1 [0086.665] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151eeb8) returned 1 [0086.665] NtClose (Handle=0x180) returned 0x0 [0086.665] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi.locked" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.msi.locked")) returned 1 [0086.666] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi.locked", dwFileAttributes=0x2020) returned 1 [0086.666] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi.readme_txt", dwFileAttributes=0x80) returned 0 [0086.666] GetLastError () returned 0x2 [0086.666] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.msi.readme_txt"), fInfoLevelId=0x0, lpFileInformation=0x151edb0 | out: lpFileInformation=0x151edb0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x868e92, ftLastWriteTime.dwLowDateTime=0x80, ftLastWriteTime.dwHighDateTime=0x151ef14, nFileSizeHigh=0x0, nFileSizeLow=0x151eee4)) returned 0 [0086.666] GetLastError () returned 0x2 [0086.666] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.msi.readme_txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0086.666] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x151edf4, lpLastWriteTime=0x151edf4) returned 1 [0086.667] WriteFile (in: hFile=0x180, lpBuffer=0xae7b50*, nNumberOfBytesToWrite=0x3a4, lpNumberOfBytesWritten=0x151ee20, lpOverlapped=0x0 | out: lpBuffer=0xae7b50*, lpNumberOfBytesWritten=0x151ee20*=0x3a4, lpOverlapped=0x0) returned 1 [0086.667] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151eeb8) returned 1 [0086.667] NtClose (Handle=0x180) returned 0x0 [0086.669] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.msi.readme_txt", dwFileAttributes=0x2020) returned 1 [0086.680] CryptDestroyKey (hKey=0x2e4858) returned 1 [0086.680] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0086.680] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x151edf4, lpLastWriteTime=0x151edf4) returned 1 [0086.681] CryptGenKey (in: hProv=0x2889e8, Algid=0x6801, dwFlags=0x800001, phKey=0x151ee14 | out: phKey=0x151ee14*=0x2e4858) returned 1 [0086.681] CryptExportKey (in: hKey=0x2e4858, hExpKey=0x289ec0, dwBlobType=0x1, dwFlags=0x0, pbData=0xb35138, pdwDataLen=0x151ee18 | out: pbData=0xb35138*, pdwDataLen=0x151ee18*=0x8c) returned 1 [0086.681] ReadFile (in: hFile=0x180, lpBuffer=0xb3e220, nNumberOfBytesToRead=0x545, lpNumberOfBytesRead=0x151ee20, lpOverlapped=0x0 | out: lpBuffer=0xb3e220*, lpNumberOfBytesRead=0x151ee20*=0x545, lpOverlapped=0x0) returned 1 [0086.685] CryptEncrypt (in: hKey=0x2e4858, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xb2b9e0*, pdwDataLen=0x151ee10*=0x545, dwBufLen=0x54d | out: pbData=0xb2b9e0*, pdwDataLen=0x151ee10*=0x545) returned 1 [0086.695] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151eeb8) returned 1 [0086.695] NtClose (Handle=0x180) returned 0x0 [0086.695] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.xml"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml.locked" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.xml.locked")) returned 1 [0086.695] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml.locked", dwFileAttributes=0x2020) returned 1 [0086.696] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml.readme_txt", dwFileAttributes=0x80) returned 0 [0086.696] GetLastError () returned 0x2 [0086.696] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.xml.readme_txt"), fInfoLevelId=0x0, lpFileInformation=0x151edb0 | out: lpFileInformation=0x151edb0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x868e92, ftLastWriteTime.dwLowDateTime=0x80, ftLastWriteTime.dwHighDateTime=0x151ef14, nFileSizeHigh=0x0, nFileSizeLow=0x151eee4)) returned 0 [0086.696] GetLastError () returned 0x2 [0086.696] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\accessmui.xml.readme_txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0086.697] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x151edf4, lpLastWriteTime=0x151edf4) returned 1 [0086.697] WriteFile (in: hFile=0x180, lpBuffer=0xae7b50*, nNumberOfBytesToWrite=0x3a4, lpNumberOfBytesWritten=0x151ee20, lpOverlapped=0x0 | out: lpBuffer=0xae7b50*, lpNumberOfBytesWritten=0x151ee20*=0x3a4, lpOverlapped=0x0) returned 1 [0086.697] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151eeb8) returned 1 [0086.697] NtClose (Handle=0x180) returned 0x0 [0086.700] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccessMUI.xml.readme_txt", dwFileAttributes=0x2020) returned 1 [0086.701] CryptDestroyKey (hKey=0x2e4858) returned 1 [0086.701] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\acclr.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0086.701] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x151edf4, lpLastWriteTime=0x151edf4) returned 1 [0086.701] CryptGenKey (in: hProv=0x2889e8, Algid=0x6801, dwFlags=0x800001, phKey=0x151ee14 | out: phKey=0x151ee14*=0x2e4858) returned 1 [0086.702] CryptExportKey (in: hKey=0x2e4858, hExpKey=0x289ec0, dwBlobType=0x1, dwFlags=0x0, pbData=0xb35138, pdwDataLen=0x151ee18 | out: pbData=0xb35138*, pdwDataLen=0x151ee18*=0x8c) returned 1 [0086.702] ReadFile (in: hFile=0x180, lpBuffer=0x18e0020, nNumberOfBytesToRead=0xa00000, lpNumberOfBytesRead=0x151ee20, lpOverlapped=0x0 | out: lpBuffer=0x18e0020*, lpNumberOfBytesRead=0x151ee20*=0xa00000, lpOverlapped=0x0) returned 1 [0087.274] CryptEncrypt (in: hKey=0x2e4858, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d00020*, pdwDataLen=0x151ee10*=0xa00000, dwBufLen=0xa00008 | out: pbData=0x2d00020*, pdwDataLen=0x151ee10*=0xa00000) returned 1 [0087.559] ReadFile (in: hFile=0x180, lpBuffer=0x22f0020, nNumberOfBytesToRead=0xa00000, lpNumberOfBytesRead=0x151ee20, lpOverlapped=0x0 | out: lpBuffer=0x22f0020*, lpNumberOfBytesRead=0x151ee20*=0xa00000, lpOverlapped=0x0) returned 1 [0087.966] CryptEncrypt (in: hKey=0x2e4858, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d00020*, pdwDataLen=0x151ee10*=0xa00000, dwBufLen=0xa00008 | out: pbData=0x2d00020*, pdwDataLen=0x151ee10*=0xa00000) returned 1 [0088.161] ReadFile (in: hFile=0x180, lpBuffer=0x22f0020, nNumberOfBytesToRead=0x6b7e94, lpNumberOfBytesRead=0x151ee20, lpOverlapped=0x0 | out: lpBuffer=0x22f0020*, lpNumberOfBytesRead=0x151ee20*=0x6b7e94, lpOverlapped=0x0) returned 1 [0088.358] CryptEncrypt (in: hKey=0x2e4858, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x22f0020*, pdwDataLen=0x151ee10*=0x6b7e94, dwBufLen=0x6b7e9c | out: pbData=0x22f0020*, pdwDataLen=0x151ee10*=0x6b7e94) returned 1 [0088.499] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151eeb8) returned 1 [0088.500] NtClose (Handle=0x180) returned 0x0 [0088.500] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\acclr.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab.locked" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\acclr.cab.locked")) returned 1 [0088.500] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab.locked", dwFileAttributes=0x2020) returned 1 [0088.500] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab.readme_txt", dwFileAttributes=0x80) returned 0 [0088.500] GetLastError () returned 0x2 [0088.500] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\acclr.cab.readme_txt"), fInfoLevelId=0x0, lpFileInformation=0x151edb0 | out: lpFileInformation=0x151edb0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x868e92, ftLastWriteTime.dwLowDateTime=0x80, ftLastWriteTime.dwHighDateTime=0x151ef14, nFileSizeHigh=0x0, nFileSizeLow=0x151eee4)) returned 0 [0088.501] GetLastError () returned 0x2 [0088.501] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\acclr.cab.readme_txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0088.501] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x151edf4, lpLastWriteTime=0x151edf4) returned 1 [0088.501] WriteFile (in: hFile=0x180, lpBuffer=0xae7b50*, nNumberOfBytesToWrite=0x3a4, lpNumberOfBytesWritten=0x151ee20, lpOverlapped=0x0 | out: lpBuffer=0xae7b50*, lpNumberOfBytesWritten=0x151ee20*=0x3a4, lpOverlapped=0x0) returned 1 [0088.501] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151eeb8) returned 1 [0088.502] NtClose (Handle=0x180) returned 0x0 [0088.502] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\AccLR.cab.readme_txt", dwFileAttributes=0x2020) returned 1 [0088.536] CryptDestroyKey (hKey=0x2e4858) returned 1 [0088.537] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0088.538] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x151edf4, lpLastWriteTime=0x151edf4) returned 1 [0088.538] CryptGenKey (in: hProv=0x2889e8, Algid=0x6801, dwFlags=0x800001, phKey=0x151ee14 | out: phKey=0x151ee14*=0x2e4858) returned 1 [0088.538] CryptExportKey (in: hKey=0x2e4858, hExpKey=0x289ec0, dwBlobType=0x1, dwFlags=0x0, pbData=0xb35138, pdwDataLen=0x151ee18 | out: pbData=0xb35138*, pdwDataLen=0x151ee18*=0x8c) returned 1 [0088.538] ReadFile (in: hFile=0x180, lpBuffer=0x890020, nNumberOfBytesToRead=0x91975, lpNumberOfBytesRead=0x151ee20, lpOverlapped=0x0 | out: lpBuffer=0x890020*, lpNumberOfBytesRead=0x151ee20*=0x91975, lpOverlapped=0x0) returned 1 [0088.592] CryptEncrypt (in: hKey=0x2e4858, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1210020*, pdwDataLen=0x151ee10*=0x91975, dwBufLen=0x9197d | out: pbData=0x1210020*, pdwDataLen=0x151ee10*=0x91975) returned 1 [0088.602] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151eeb8) returned 1 [0088.602] NtClose (Handle=0x180) returned 0x0 [0088.602] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml"), lpNewFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.locked" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml.locked")) returned 1 [0088.602] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.locked", dwFileAttributes=0x2020) returned 1 [0088.603] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.readme_txt", dwFileAttributes=0x80) returned 0 [0088.603] GetLastError () returned 0x2 [0088.603] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml.readme_txt"), fInfoLevelId=0x0, lpFileInformation=0x151edb0 | out: lpFileInformation=0x151edb0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x868e92, ftLastWriteTime.dwLowDateTime=0x80, ftLastWriteTime.dwHighDateTime=0x151ef14, nFileSizeHigh=0x0, nFileSizeLow=0x151eee4)) returned 0 [0088.603] GetLastError () returned 0x2 [0088.603] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.readme_txt" (normalized: "c:\\msocache\\all users\\{90140000-0117-0409-1000-0000000ff1ce}-c\\access.en-us\\branding.xml.readme_txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0088.604] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x151edf4, lpLastWriteTime=0x151edf4) returned 1 [0088.604] WriteFile (in: hFile=0x180, lpBuffer=0xae7b50*, nNumberOfBytesToWrite=0x3a4, lpNumberOfBytesWritten=0x151ee20, lpOverlapped=0x0 | out: lpBuffer=0xae7b50*, lpNumberOfBytesWritten=0x151ee20*=0x3a4, lpOverlapped=0x0) returned 1 [0088.604] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151eeb8) returned 1 [0088.604] NtClose (Handle=0x180) returned 0x0 [0088.605] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\branding.xml.readme_txt", dwFileAttributes=0x2020) returned 1 [0088.607] CryptDestroyKey (hKey=0x2e4858) returned 1 [0088.607] FindFirstFileExW (in: lpFileName="C:\\MSOCache\\All Users\\{90140000-0117-0409-1000-0000000FF1CE}-C\\Access.en-us\\*", fInfoLevelId=0x1, lpFindFileData=0x151ef44, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x151ef44) returned 0x2e4858 [0088.607] FindClose (in: hFindFile=0x2e48d8 | out: hFindFile=0x2e48d8) returned 1 [0088.607] FindNextFileW (in: hFindFile=0x2e4858, lpFindFileData=0x151ef44 | out: lpFindFileData=0x151ef44) returned 1 [0088.607] FindNextFileW (in: hFindFile=0x2e4858, lpFindFileData=0x151ef44 | out: lpFindFileData=0x151ef44) returned 1 [0088.607] FindNextFileW (in: hFindFile=0x2e4858, lpFindFileData=0x151ef44 | out: lpFindFileData=0x151ef44) returned 1 [0088.607] FindNextFileW (in: hFindFile=0x2e4858, lpFindFileData=0x151ef44 | out: lpFindFileData=0x151ef44) returned 1 [0088.608] FindNextFileW (in: hFindFile=0x2e4858, lpFindFileData=0x151ef44 | out: lpFindFileData=0x151ef44) returned 1 [0088.608] FindNextFileW (in: hFindFile=0x2e4858, lpFindFileData=0x151ef44 | out: lpFindFileData=0x151ef44) returned 1 [0088.608] FindNextFileW (in: hFindFile=0x2e4858, lpFindFileData=0x151ef44 | out: lpFindFileData=0x151ef44) returned 1 [0088.608] FindNextFileW (in: hFindFile=0x2e4858, lpFindFileData=0x151ef44 | out: lpFindFileData=0x151ef44) returned 1 [0088.608] FindNextFileW (in: hFindFile=0x2e4858, lpFindFileData=0x151ef44 | out: lpFindFileData=0x151ef44) returned 1 [0088.608] FindNextFileW (in: hFindFile=0x2e4858, lpFindFileData=0x151ef44 | out: lpFindFileData=0x151ef44) returned 0 [0088.608] GetLastError () returned 0x12 [0088.608] FindNextFileW (in: hFindFile=0x2e4898, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0088.608] FindNextFileW (in: hFindFile=0x2e4898, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0088.608] FindNextFileW (in: hFindFile=0x2e4898, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0088.608] FindNextFileW (in: hFindFile=0x2e4898, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0088.608] FindNextFileW (in: hFindFile=0x2e4898, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0088.608] FindNextFileW (in: hFindFile=0x2e4898, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0088.608] FindNextFileW (in: hFindFile=0x2e4898, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 0 [0088.608] GetLastError () returned 0x12 [0088.608] FindNextFileW (in: hFindFile=0x290710, lpFindFileData=0x151f4c4 | out: lpFindFileData=0x151f4c4) returned 1 [0088.609] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2200000, hTemplateFile=0x0) returned 0x248 [0088.609] SetFileTime (hFile=0x248, lpCreationTime=0x0, lpLastAccessTime=0x151f43c, lpLastWriteTime=0x151f43c) returned 0 [0088.609] DeviceIoControl (in: hDevice=0x248, dwIoControlCode=0x900a8, lpInBuffer=0x0, nInBufferSize=0x0, lpOutBuffer=0xae9a40, nOutBufferSize=0x4000, lpBytesReturned=0x151f494, lpOverlapped=0x0 | out: lpOutBuffer=0xae9a40, lpBytesReturned=0x151f494, lpOverlapped=0x0) returned 0 [0088.609] FindFirstFileExW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\*", fInfoLevelId=0x1, lpFindFileData=0x151f204, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x151f204) returned 0x2e4898 [0088.613] FindNextFileW (in: hFindFile=0x2e4898, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0088.614] FindNextFileW (in: hFindFile=0x2e4898, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0088.614] FindNextFileW (in: hFindFile=0x2e4898, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0088.614] FindNextFileW (in: hFindFile=0x2e4898, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0088.614] FindNextFileW (in: hFindFile=0x2e4898, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0088.614] FindNextFileW (in: hFindFile=0x2e4898, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0088.614] FindNextFileW (in: hFindFile=0x2e4898, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0088.614] FindNextFileW (in: hFindFile=0x2e4898, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0088.614] FindNextFileW (in: hFindFile=0x2e4898, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0088.614] FindNextFileW (in: hFindFile=0x2e4898, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0088.614] FindNextFileW (in: hFindFile=0x2e4898, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0088.614] FindNextFileW (in: hFindFile=0x2e4898, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0088.614] FindNextFileW (in: hFindFile=0x2e4898, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0088.614] FindNextFileW (in: hFindFile=0x2e4898, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 1 [0088.614] FindNextFileW (in: hFindFile=0x2e4898, lpFindFileData=0x151f204 | out: lpFindFileData=0x151f204) returned 0 [0088.614] GetLastError () returned 0x12 [0088.615] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0088.615] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0088.615] CryptGenKey (in: hProv=0x2889e8, Algid=0x6801, dwFlags=0x800001, phKey=0x151f0d4 | out: phKey=0x151f0d4*=0x2e4858) returned 1 [0088.616] CryptExportKey (in: hKey=0x2e4858, hExpKey=0x289ec0, dwBlobType=0x1, dwFlags=0x0, pbData=0xb35138, pdwDataLen=0x151f0d8 | out: pbData=0xb35138*, pdwDataLen=0x151f0d8*=0x8c) returned 1 [0088.616] ReadFile (in: hFile=0x180, lpBuffer=0x18e0020, nNumberOfBytesToRead=0x1e6600, lpNumberOfBytesRead=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0x18e0020*, lpNumberOfBytesRead=0x151f0e0*=0x1e6600, lpOverlapped=0x0) returned 1 [0088.714] CryptEncrypt (in: hKey=0x2e4858, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x1cc0020*, pdwDataLen=0x151f0d0*=0x1e6600, dwBufLen=0x1e6608 | out: pbData=0x1cc0020*, pdwDataLen=0x151f0d0*=0x1e6600) returned 1 [0088.755] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0088.755] NtClose (Handle=0x180) returned 0x0 [0088.755] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi.locked" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.msi.locked")) returned 1 [0088.757] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi.locked", dwFileAttributes=0x2020) returned 1 [0088.757] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi.readme_txt", dwFileAttributes=0x80) returned 0 [0088.757] GetLastError () returned 0x2 [0088.757] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi.readme_txt" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.msi.readme_txt"), fInfoLevelId=0x0, lpFileInformation=0x151f070 | out: lpFileInformation=0x151f070*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x868e92, ftLastWriteTime.dwLowDateTime=0x80, ftLastWriteTime.dwHighDateTime=0x151f1d4, nFileSizeHigh=0x0, nFileSizeLow=0x151f1a4)) returned 0 [0088.757] GetLastError () returned 0x2 [0088.757] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi.readme_txt" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.msi.readme_txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0088.757] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0088.757] WriteFile (in: hFile=0x180, lpBuffer=0xae7b50*, nNumberOfBytesToWrite=0x3a4, lpNumberOfBytesWritten=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0xae7b50*, lpNumberOfBytesWritten=0x151f0e0*=0x3a4, lpOverlapped=0x0) returned 1 [0088.758] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0088.758] NtClose (Handle=0x180) returned 0x0 [0088.759] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.msi.readme_txt", dwFileAttributes=0x2020) returned 1 [0088.765] CryptDestroyKey (hKey=0x2e4858) returned 1 [0088.766] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0088.766] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0088.766] CryptGenKey (in: hProv=0x2889e8, Algid=0x6801, dwFlags=0x800001, phKey=0x151f0d4 | out: phKey=0x151f0d4*=0x2e4858) returned 1 [0088.766] CryptExportKey (in: hKey=0x2e4858, hExpKey=0x289ec0, dwBlobType=0x1, dwFlags=0x0, pbData=0xb35138, pdwDataLen=0x151f0d8 | out: pbData=0xb35138*, pdwDataLen=0x151f0d8*=0x8c) returned 1 [0088.766] ReadFile (in: hFile=0x180, lpBuffer=0xb74de8, nNumberOfBytesToRead=0x10b2, lpNumberOfBytesRead=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0xb74de8*, lpNumberOfBytesRead=0x151f0e0*=0x10b2, lpOverlapped=0x0) returned 1 [0088.776] CryptEncrypt (in: hKey=0x2e4858, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xb7e370*, pdwDataLen=0x151f0d0*=0x10b2, dwBufLen=0x10ba | out: pbData=0xb7e370*, pdwDataLen=0x151f0d0*=0x10b2) returned 1 [0088.796] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0088.796] NtClose (Handle=0x180) returned 0x0 [0088.796] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.xml"), lpNewFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml.locked" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.xml.locked")) returned 1 [0088.797] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml.locked", dwFileAttributes=0x2020) returned 1 [0088.797] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml.readme_txt", dwFileAttributes=0x80) returned 0 [0088.797] GetLastError () returned 0x2 [0088.797] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml.readme_txt" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.xml.readme_txt"), fInfoLevelId=0x0, lpFileInformation=0x151f070 | out: lpFileInformation=0x151f070*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x868e92, ftLastWriteTime.dwLowDateTime=0x80, ftLastWriteTime.dwHighDateTime=0x151f1d4, nFileSizeHigh=0x0, nFileSizeLow=0x151f1a4)) returned 0 [0088.797] GetLastError () returned 0x2 [0088.797] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml.readme_txt" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\office32ww.xml.readme_txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0088.799] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0088.799] WriteFile (in: hFile=0x180, lpBuffer=0xae7b50*, nNumberOfBytesToWrite=0x3a4, lpNumberOfBytesWritten=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0xae7b50*, lpNumberOfBytesWritten=0x151f0e0*=0x3a4, lpOverlapped=0x0) returned 1 [0088.799] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0088.799] NtClose (Handle=0x180) returned 0x0 [0088.800] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\Office32WW.xml.readme_txt", dwFileAttributes=0x2020) returned 1 [0088.800] CryptDestroyKey (hKey=0x2e4858) returned 1 [0088.801] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\owow32ww.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0088.802] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0088.802] CryptGenKey (in: hProv=0x2889e8, Algid=0x6801, dwFlags=0x800001, phKey=0x151f0d4 | out: phKey=0x151f0d4*=0x2e4858) returned 1 [0088.802] CryptExportKey (in: hKey=0x2e4858, hExpKey=0x289ec0, dwBlobType=0x1, dwFlags=0x0, pbData=0xb35138, pdwDataLen=0x151f0d8 | out: pbData=0xb35138*, pdwDataLen=0x151f0d8*=0x8c) returned 1 [0088.802] ReadFile (in: hFile=0x180, lpBuffer=0x18e0020, nNumberOfBytesToRead=0xa00000, lpNumberOfBytesRead=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0x18e0020*, lpNumberOfBytesRead=0x151f0e0*=0xa00000, lpOverlapped=0x0) returned 1 [0089.614] CryptEncrypt (in: hKey=0x2e4858, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d00020*, pdwDataLen=0x151f0d0*=0xa00000, dwBufLen=0xa00008 | out: pbData=0x2d00020*, pdwDataLen=0x151f0d0*=0xa00000) returned 1 [0089.830] ReadFile (in: hFile=0x180, lpBuffer=0x22f0020, nNumberOfBytesToRead=0xa00000, lpNumberOfBytesRead=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0x22f0020*, lpNumberOfBytesRead=0x151f0e0*=0xa00000, lpOverlapped=0x0) returned 1 [0090.317] CryptEncrypt (in: hKey=0x2e4858, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d00020*, pdwDataLen=0x151f0d0*=0xa00000, dwBufLen=0xa00008 | out: pbData=0x2d00020*, pdwDataLen=0x151f0d0*=0xa00000) returned 1 [0090.769] ReadFile (in: hFile=0x180, lpBuffer=0x22f0020, nNumberOfBytesToRead=0xa00000, lpNumberOfBytesRead=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0x22f0020*, lpNumberOfBytesRead=0x151f0e0*=0xa00000, lpOverlapped=0x0) returned 1 [0091.690] CryptEncrypt (in: hKey=0x2e4858, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d00020*, pdwDataLen=0x151f0d0*=0xa00000, dwBufLen=0xa00008 | out: pbData=0x2d00020*, pdwDataLen=0x151f0d0*=0xa00000) returned 1 [0092.104] ReadFile (in: hFile=0x180, lpBuffer=0x22f0020, nNumberOfBytesToRead=0x48df5c, lpNumberOfBytesRead=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0x22f0020*, lpNumberOfBytesRead=0x151f0e0*=0x48df5c, lpOverlapped=0x0) returned 1 [0092.372] CryptEncrypt (in: hKey=0x2e4858, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x22f0020*, pdwDataLen=0x151f0d0*=0x48df5c, dwBufLen=0x48df64 | out: pbData=0x22f0020*, pdwDataLen=0x151f0d0*=0x48df5c) returned 1 [0092.770] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0092.770] NtClose (Handle=0x180) returned 0x0 [0092.771] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\owow32ww.cab"), lpNewFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.locked" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\owow32ww.cab.locked")) returned 1 [0092.771] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.locked", dwFileAttributes=0x2020) returned 1 [0092.771] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.readme_txt", dwFileAttributes=0x80) returned 0 [0092.771] GetLastError () returned 0x2 [0092.771] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.readme_txt" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\owow32ww.cab.readme_txt"), fInfoLevelId=0x0, lpFileInformation=0x151f070 | out: lpFileInformation=0x151f070*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x868e92, ftLastWriteTime.dwLowDateTime=0x80, ftLastWriteTime.dwHighDateTime=0x151f1d4, nFileSizeHigh=0x0, nFileSizeLow=0x151f1a4)) returned 0 [0092.771] GetLastError () returned 0x2 [0092.771] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.readme_txt" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\owow32ww.cab.readme_txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0092.772] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0092.772] WriteFile (in: hFile=0x180, lpBuffer=0xae7b50*, nNumberOfBytesToWrite=0x3a4, lpNumberOfBytesWritten=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0xae7b50*, lpNumberOfBytesWritten=0x151f0e0*=0x3a4, lpOverlapped=0x0) returned 1 [0092.773] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0092.773] NtClose (Handle=0x180) returned 0x0 [0092.773] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\OWOW32WW.cab.readme_txt", dwFileAttributes=0x2020) returned 1 [0093.333] CryptDestroyKey (hKey=0x2e4858) returned 1 [0093.334] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0093.334] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0093.334] CryptGenKey (in: hProv=0x2889e8, Algid=0x6801, dwFlags=0x800001, phKey=0x151f0d4 | out: phKey=0x151f0d4*=0x2e4858) returned 1 [0093.334] CryptExportKey (in: hKey=0x2e4858, hExpKey=0x289ec0, dwBlobType=0x1, dwFlags=0x0, pbData=0xb35138, pdwDataLen=0x151f0d8 | out: pbData=0xb35138*, pdwDataLen=0x151f0d8*=0x8c) returned 1 [0093.334] ReadFile (in: hFile=0x180, lpBuffer=0x890020, nNumberOfBytesToRead=0xaec3a, lpNumberOfBytesRead=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0x890020*, lpNumberOfBytesRead=0x151f0e0*=0xaec3a, lpOverlapped=0x0) returned 1 [0093.385] CryptEncrypt (in: hKey=0x2e4858, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x16b0020*, pdwDataLen=0x151f0d0*=0xaec3a, dwBufLen=0xaec42 | out: pbData=0x16b0020*, pdwDataLen=0x151f0d0*=0xaec3a) returned 1 [0093.394] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0093.394] NtClose (Handle=0x180) returned 0x0 [0093.394] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms"), lpNewFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.locked" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms.locked")) returned 1 [0093.395] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.locked", dwFileAttributes=0x2020) returned 1 [0093.395] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.readme_txt", dwFileAttributes=0x80) returned 0 [0093.395] GetLastError () returned 0x2 [0093.395] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.readme_txt" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms.readme_txt"), fInfoLevelId=0x0, lpFileInformation=0x151f070 | out: lpFileInformation=0x151f070*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x868e92, ftLastWriteTime.dwLowDateTime=0x80, ftLastWriteTime.dwHighDateTime=0x151f1d4, nFileSizeHigh=0x0, nFileSizeLow=0x151f1a4)) returned 0 [0093.395] GetLastError () returned 0x2 [0093.395] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.readme_txt" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\pkeyconfig-office.xrm-ms.readme_txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0093.395] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0093.396] WriteFile (in: hFile=0x180, lpBuffer=0xae7b50*, nNumberOfBytesToWrite=0x3a4, lpNumberOfBytesWritten=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0xae7b50*, lpNumberOfBytesWritten=0x151f0e0*=0x3a4, lpOverlapped=0x0) returned 1 [0093.396] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0093.397] NtClose (Handle=0x180) returned 0x0 [0093.397] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\pkeyconfig-office.xrm-ms.readme_txt", dwFileAttributes=0x2020) returned 1 [0093.400] CryptDestroyKey (hKey=0x2e4858) returned 1 [0093.400] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.msi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0093.400] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0093.400] CryptGenKey (in: hProv=0x2889e8, Algid=0x6801, dwFlags=0x800001, phKey=0x151f0d4 | out: phKey=0x151f0d4*=0x2e4858) returned 1 [0093.400] CryptExportKey (in: hKey=0x2e4858, hExpKey=0x289ec0, dwBlobType=0x1, dwFlags=0x0, pbData=0xb35138, pdwDataLen=0x151f0d8 | out: pbData=0xb35138*, pdwDataLen=0x151f0d8*=0x8c) returned 1 [0093.401] ReadFile (in: hFile=0x180, lpBuffer=0x18e0020, nNumberOfBytesToRead=0xa00000, lpNumberOfBytesRead=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0x18e0020*, lpNumberOfBytesRead=0x151f0e0*=0xa00000, lpOverlapped=0x0) returned 1 [0094.025] CryptEncrypt (in: hKey=0x2e4858, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d00020*, pdwDataLen=0x151f0d0*=0xa00000, dwBufLen=0xa00008 | out: pbData=0x2d00020*, pdwDataLen=0x151f0d0*=0xa00000) returned 1 [0094.203] ReadFile (in: hFile=0x180, lpBuffer=0x22f0020, nNumberOfBytesToRead=0xa00000, lpNumberOfBytesRead=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0x22f0020*, lpNumberOfBytesRead=0x151f0e0*=0xa00000, lpOverlapped=0x0) returned 1 [0094.617] CryptEncrypt (in: hKey=0x2e4858, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d00020*, pdwDataLen=0x151f0d0*=0xa00000, dwBufLen=0xa00008 | out: pbData=0x2d00020*, pdwDataLen=0x151f0d0*=0xa00000) returned 1 [0094.788] ReadFile (in: hFile=0x180, lpBuffer=0x22f0020, nNumberOfBytesToRead=0x641c00, lpNumberOfBytesRead=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0x22f0020*, lpNumberOfBytesRead=0x151f0e0*=0x641c00, lpOverlapped=0x0) returned 1 [0094.999] CryptEncrypt (in: hKey=0x2e4858, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2940020*, pdwDataLen=0x151f0d0*=0x641c00, dwBufLen=0x641c08 | out: pbData=0x2940020*, pdwDataLen=0x151f0d0*=0x641c00) returned 1 [0095.112] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0095.113] NtClose (Handle=0x180) returned 0x0 [0095.113] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.msi"), lpNewFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi.locked" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.msi.locked")) returned 1 [0095.113] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi.locked", dwFileAttributes=0x2020) returned 1 [0095.113] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi.readme_txt", dwFileAttributes=0x80) returned 0 [0095.114] GetLastError () returned 0x2 [0095.114] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi.readme_txt" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.msi.readme_txt"), fInfoLevelId=0x0, lpFileInformation=0x151f070 | out: lpFileInformation=0x151f070*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x868e92, ftLastWriteTime.dwLowDateTime=0x80, ftLastWriteTime.dwHighDateTime=0x151f1d4, nFileSizeHigh=0x0, nFileSizeLow=0x151f1a4)) returned 0 [0095.114] GetLastError () returned 0x2 [0095.114] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi.readme_txt" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.msi.readme_txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0095.114] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0095.115] WriteFile (in: hFile=0x180, lpBuffer=0xae7b50*, nNumberOfBytesToWrite=0x3a4, lpNumberOfBytesWritten=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0xae7b50*, lpNumberOfBytesWritten=0x151f0e0*=0x3a4, lpOverlapped=0x0) returned 1 [0095.115] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0095.115] NtClose (Handle=0x180) returned 0x0 [0095.116] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.msi.readme_txt", dwFileAttributes=0x2020) returned 1 [0095.152] CryptDestroyKey (hKey=0x2e4858) returned 1 [0095.152] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0095.152] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0095.152] CryptGenKey (in: hProv=0x2889e8, Algid=0x6801, dwFlags=0x800001, phKey=0x151f0d4 | out: phKey=0x151f0d4*=0x2e4858) returned 1 [0095.152] CryptExportKey (in: hKey=0x2e4858, hExpKey=0x289ec0, dwBlobType=0x1, dwFlags=0x0, pbData=0xb35138, pdwDataLen=0x151f0d8 | out: pbData=0xb35138*, pdwDataLen=0x151f0d8*=0x8c) returned 1 [0095.152] ReadFile (in: hFile=0x180, lpBuffer=0xae9a40, nNumberOfBytesToRead=0x41d4, lpNumberOfBytesRead=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0xae9a40*, lpNumberOfBytesRead=0x151f0e0*=0x41d4, lpOverlapped=0x0) returned 1 [0095.155] CryptEncrypt (in: hKey=0x2e4858, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xaedc48*, pdwDataLen=0x151f0d0*=0x41d4, dwBufLen=0x41dc | out: pbData=0xaedc48*, pdwDataLen=0x151f0d0*=0x41d4) returned 1 [0095.199] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0095.203] NtClose (Handle=0x180) returned 0x0 [0095.205] MoveFileW (lpExistingFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.xml"), lpNewFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml.locked" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.xml.locked")) returned 1 [0095.240] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml.locked", dwFileAttributes=0x2020) returned 1 [0095.240] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml.readme_txt", dwFileAttributes=0x80) returned 0 [0095.240] GetLastError () returned 0x2 [0095.240] GetFileAttributesExW (in: lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml.readme_txt" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.xml.readme_txt"), fInfoLevelId=0x0, lpFileInformation=0x151f070 | out: lpFileInformation=0x151f070*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x868e92, ftLastWriteTime.dwLowDateTime=0x80, ftLastWriteTime.dwHighDateTime=0x151f1d4, nFileSizeHigh=0x0, nFileSizeLow=0x151f1a4)) returned 0 [0095.240] GetLastError () returned 0x2 [0095.240] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml.readme_txt" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proplusrww.xml.readme_txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0095.241] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0095.241] WriteFile (in: hFile=0x180, lpBuffer=0xae7b50*, nNumberOfBytesToWrite=0x3a4, lpNumberOfBytesWritten=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0xae7b50*, lpNumberOfBytesWritten=0x151f0e0*=0x3a4, lpOverlapped=0x0) returned 1 [0095.241] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x0, lpLastWriteTime=0x151f178) returned 1 [0095.241] NtClose (Handle=0x180) returned 0x0 [0095.242] SetFileAttributesW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPlusrWW.xml.readme_txt", dwFileAttributes=0x2020) returned 1 [0095.242] CryptDestroyKey (hKey=0x2e4858) returned 1 [0095.243] CreateFileW (lpFileName="C:\\MSOCache\\All Users\\{91140000-0011-0000-1000-0000000FF1CE}-C\\ProPrWW.cab" (normalized: "c:\\msocache\\all users\\{91140000-0011-0000-1000-0000000ff1ce}-c\\proprww.cab"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x180 [0095.243] SetFileTime (hFile=0x180, lpCreationTime=0x0, lpLastAccessTime=0x151f0b4, lpLastWriteTime=0x151f0b4) returned 1 [0095.243] CryptGenKey (in: hProv=0x2889e8, Algid=0x6801, dwFlags=0x800001, phKey=0x151f0d4 | out: phKey=0x151f0d4*=0x2e4858) returned 1 [0095.243] CryptExportKey (in: hKey=0x2e4858, hExpKey=0x289ec0, dwBlobType=0x1, dwFlags=0x0, pbData=0xb35138, pdwDataLen=0x151f0d8 | out: pbData=0xb35138*, pdwDataLen=0x151f0d8*=0x8c) returned 1 [0095.243] ReadFile (in: hFile=0x180, lpBuffer=0x18e0020, nNumberOfBytesToRead=0xa00000, lpNumberOfBytesRead=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0x18e0020*, lpNumberOfBytesRead=0x151f0e0*=0xa00000, lpOverlapped=0x0) returned 1 [0095.849] CryptEncrypt (in: hKey=0x2e4858, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d00020*, pdwDataLen=0x151f0d0*=0xa00000, dwBufLen=0xa00008 | out: pbData=0x2d00020*, pdwDataLen=0x151f0d0*=0xa00000) returned 1 [0096.395] ReadFile (in: hFile=0x180, lpBuffer=0x22f0020, nNumberOfBytesToRead=0xa00000, lpNumberOfBytesRead=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0x22f0020*, lpNumberOfBytesRead=0x151f0e0*=0xa00000, lpOverlapped=0x0) returned 1 [0097.128] CryptEncrypt (in: hKey=0x2e4858, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d00020*, pdwDataLen=0x151f0d0*=0xa00000, dwBufLen=0xa00008 | out: pbData=0x2d00020*, pdwDataLen=0x151f0d0*=0xa00000) returned 1 [0097.377] ReadFile (in: hFile=0x180, lpBuffer=0x22f0020, nNumberOfBytesToRead=0xa00000, lpNumberOfBytesRead=0x151f0e0, lpOverlapped=0x0 | out: lpBuffer=0x22f0020*, lpNumberOfBytesRead=0x151f0e0*=0xa00000, lpOverlapped=0x0) returned 1 [0098.655] CryptEncrypt (in: hKey=0x2e4858, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2d00020*, pdwDataLen=0x151f0d0*=0xa00000, dwBufLen=0xa00008 | out: pbData=0x2d00020*, pdwDataLen=0x151f0d0*=0xa00000) returned 1 [0098.746] ReadFile (hFile=0x180, lpBuffer=0x22f0020, nNumberOfBytesToRead=0xa00000, lpNumberOfBytesRead=0x151f0e0, lpOverlapped=0x0) Thread: id = 300 os_tid = 0x9f0 [0037.007] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3f8f8*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.007] NtQueryObject (in: Handle=0x148, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.007] GetFileType (hFile=0x148) returned 0x0 [0037.007] ResetEvent (hEvent=0x104) returned 1 [0037.007] SetEvent (hEvent=0x108) returned 1 [0037.007] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3f8f8*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.007] NtQueryObject (in: Handle=0x148, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.008] GetFileType (hFile=0x148) returned 0x3 [0037.008] ResetEvent (hEvent=0x104) returned 1 [0037.008] SetEvent (hEvent=0x108) returned 1 [0037.008] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3f8f8*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.008] NtQueryObject (in: Handle=0x148, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.008] GetFileType (hFile=0x148) returned 0x0 [0037.008] ResetEvent (hEvent=0x104) returned 1 [0037.008] SetEvent (hEvent=0x108) returned 1 [0037.008] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3f8f8*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.008] NtQueryObject (in: Handle=0x148, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.008] GetFileType (hFile=0x148) returned 0x3 [0037.008] ResetEvent (hEvent=0x104) returned 1 [0037.008] SetEvent (hEvent=0x108) returned 1 [0037.009] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3f8f8*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.009] NtQueryObject (in: Handle=0x148, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.009] GetFileType (hFile=0x148) returned 0x0 [0037.009] ResetEvent (hEvent=0x104) returned 1 [0037.009] SetEvent (hEvent=0x108) returned 1 [0037.009] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3f8f8*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.009] NtQueryObject (in: Handle=0x148, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.009] GetFileType (hFile=0x148) returned 0x3 [0037.009] ResetEvent (hEvent=0x104) returned 1 [0037.009] SetEvent (hEvent=0x108) returned 1 [0037.009] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3f8f8*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.009] NtQueryObject (in: Handle=0x148, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.009] GetFileType (hFile=0x148) returned 0x0 [0037.009] ResetEvent (hEvent=0x104) returned 1 [0037.009] SetEvent (hEvent=0x108) returned 1 [0037.010] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3f8f8*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.010] NtQueryObject (in: Handle=0x148, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.010] ResetEvent (hEvent=0x104) returned 1 [0037.010] SetEvent (hEvent=0x108) returned 1 [0037.010] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3f8f8*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.010] NtQueryObject (in: Handle=0x148, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.010] ResetEvent (hEvent=0x104) returned 1 [0037.010] SetEvent (hEvent=0x108) returned 1 [0037.010] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3f8f8*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.010] NtQueryObject (in: Handle=0x148, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.010] ResetEvent (hEvent=0x104) returned 1 [0037.010] SetEvent (hEvent=0x108) returned 1 [0037.011] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3f8f8*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.011] NtQueryObject (in: Handle=0x148, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.011] ResetEvent (hEvent=0x104) returned 1 [0037.011] SetEvent (hEvent=0x108) returned 1 [0037.011] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3f8f8*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.011] NtQueryObject (in: Handle=0x148, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.012] MapViewOfFile (hFileMappingObject=0x148, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x840000 [0037.012] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x840000, VirtualMemoryInformationClass=0x2, VirtualMemoryInformation=0xadd258, Length=0x2800, ResultLength=0x0 | out: VirtualMemoryInformation=0xadd258, ResultLength=0x0) returned 0xc0000098 [0037.012] UnmapViewOfFile (lpBaseAddress=0x840000) returned 1 [0037.012] ResetEvent (hEvent=0x104) returned 1 [0037.012] SetEvent (hEvent=0x108) returned 1 [0037.012] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.012] NtQueryObject (in: Handle=0x148, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.012] ResetEvent (hEvent=0x104) returned 1 [0037.012] SetEvent (hEvent=0x108) returned 1 [0037.013] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.013] NtQueryObject (in: Handle=0x148, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.013] ResetEvent (hEvent=0x104) returned 1 [0037.013] SetEvent (hEvent=0x108) returned 1 [0037.013] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.013] NtQueryObject (in: Handle=0x148, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.013] ResetEvent (hEvent=0x104) returned 1 [0037.013] SetEvent (hEvent=0x108) returned 1 [0037.013] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.013] NtQueryObject (in: Handle=0x148, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.013] ResetEvent (hEvent=0x104) returned 1 [0037.013] SetEvent (hEvent=0x108) returned 1 [0037.019] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.019] NtQueryObject (in: Handle=0x148, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.019] ResetEvent (hEvent=0x104) returned 1 [0037.019] SetEvent (hEvent=0x108) returned 1 [0037.019] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.019] NtQueryObject (in: Handle=0x148, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.019] ResetEvent (hEvent=0x104) returned 1 [0037.019] SetEvent (hEvent=0x108) returned 1 [0037.019] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.019] NtQueryObject (in: Handle=0x148, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.019] ResetEvent (hEvent=0x104) returned 1 [0037.019] SetEvent (hEvent=0x108) returned 1 [0037.020] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.020] NtQueryObject (in: Handle=0x148, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.020] ResetEvent (hEvent=0x104) returned 1 [0037.020] SetEvent (hEvent=0x108) returned 1 [0037.020] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.020] NtQueryObject (in: Handle=0x148, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.020] ResetEvent (hEvent=0x104) returned 1 [0037.020] SetEvent (hEvent=0x108) returned 1 [0037.020] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.020] NtQueryObject (in: Handle=0x148, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.020] ResetEvent (hEvent=0x104) returned 1 [0037.020] SetEvent (hEvent=0x108) returned 1 [0037.021] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.021] NtQueryObject (in: Handle=0x148, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.021] ResetEvent (hEvent=0x104) returned 1 [0037.021] SetEvent (hEvent=0x108) returned 1 [0037.021] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.021] NtQueryObject (in: Handle=0x148, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.021] ResetEvent (hEvent=0x104) returned 1 [0037.021] SetEvent (hEvent=0x108) returned 1 [0037.021] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.021] NtQueryObject (in: Handle=0x148, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.021] ResetEvent (hEvent=0x104) returned 1 [0037.021] SetEvent (hEvent=0x108) returned 1 [0037.022] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.022] NtQueryObject (in: Handle=0x148, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.022] ResetEvent (hEvent=0x104) returned 1 [0037.022] SetEvent (hEvent=0x108) returned 1 [0037.022] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.022] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.022] ResetEvent (hEvent=0x104) returned 1 [0037.022] SetEvent (hEvent=0x108) returned 1 [0037.022] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.022] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.023] ResetEvent (hEvent=0x104) returned 1 [0037.023] SetEvent (hEvent=0x108) returned 1 [0037.023] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.023] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.023] ResetEvent (hEvent=0x104) returned 1 [0037.023] SetEvent (hEvent=0x108) returned 1 [0037.023] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.023] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.023] ResetEvent (hEvent=0x104) returned 1 [0037.023] SetEvent (hEvent=0x108) returned 1 [0037.023] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.024] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.024] ResetEvent (hEvent=0x104) returned 1 [0037.024] SetEvent (hEvent=0x108) returned 1 [0037.024] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.024] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.024] ResetEvent (hEvent=0x104) returned 1 [0037.024] SetEvent (hEvent=0x108) returned 1 [0037.024] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.024] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.024] ResetEvent (hEvent=0x104) returned 1 [0037.024] SetEvent (hEvent=0x108) returned 1 [0037.024] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.024] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.024] MapViewOfFile (hFileMappingObject=0x188, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x0 [0037.025] ResetEvent (hEvent=0x104) returned 1 [0037.025] SetEvent (hEvent=0x108) returned 1 [0037.025] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.025] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.025] ResetEvent (hEvent=0x104) returned 1 [0037.025] SetEvent (hEvent=0x108) returned 1 [0037.025] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.025] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.025] ResetEvent (hEvent=0x104) returned 1 [0037.025] SetEvent (hEvent=0x108) returned 1 [0037.025] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.025] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.026] ResetEvent (hEvent=0x104) returned 1 [0037.026] SetEvent (hEvent=0x108) returned 1 [0037.026] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.026] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.026] ResetEvent (hEvent=0x104) returned 1 [0037.026] SetEvent (hEvent=0x108) returned 1 [0037.027] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.027] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.027] ResetEvent (hEvent=0x104) returned 1 [0037.027] SetEvent (hEvent=0x108) returned 1 [0037.027] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.027] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.027] ResetEvent (hEvent=0x104) returned 1 [0037.027] SetEvent (hEvent=0x108) returned 1 [0037.027] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.027] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.027] ResetEvent (hEvent=0x104) returned 1 [0037.027] SetEvent (hEvent=0x108) returned 1 [0037.028] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.028] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.028] ResetEvent (hEvent=0x104) returned 1 [0037.028] SetEvent (hEvent=0x108) returned 1 [0037.028] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.028] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.028] ResetEvent (hEvent=0x104) returned 1 [0037.028] SetEvent (hEvent=0x108) returned 1 [0037.028] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.028] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.028] ResetEvent (hEvent=0x104) returned 1 [0037.028] SetEvent (hEvent=0x108) returned 1 [0037.029] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.029] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.029] ResetEvent (hEvent=0x104) returned 1 [0037.029] SetEvent (hEvent=0x108) returned 1 [0037.029] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.029] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.029] ResetEvent (hEvent=0x104) returned 1 [0037.029] SetEvent (hEvent=0x108) returned 1 [0037.029] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.029] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.029] ResetEvent (hEvent=0x104) returned 1 [0037.029] SetEvent (hEvent=0x108) returned 1 [0037.030] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.030] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.030] ResetEvent (hEvent=0x104) returned 1 [0037.030] SetEvent (hEvent=0x108) returned 1 [0037.030] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.030] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.030] ResetEvent (hEvent=0x104) returned 1 [0037.030] SetEvent (hEvent=0x108) returned 1 [0037.030] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.030] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.030] ResetEvent (hEvent=0x104) returned 1 [0037.030] SetEvent (hEvent=0x108) returned 1 [0037.031] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.031] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.031] ResetEvent (hEvent=0x104) returned 1 [0037.031] SetEvent (hEvent=0x108) returned 1 [0037.031] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.031] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.031] ResetEvent (hEvent=0x104) returned 1 [0037.031] SetEvent (hEvent=0x108) returned 1 [0037.031] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.031] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.031] ResetEvent (hEvent=0x104) returned 1 [0037.031] SetEvent (hEvent=0x108) returned 1 [0037.032] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.032] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.032] ResetEvent (hEvent=0x104) returned 1 [0037.032] SetEvent (hEvent=0x108) returned 1 [0037.032] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.032] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.032] ResetEvent (hEvent=0x104) returned 1 [0037.032] SetEvent (hEvent=0x108) returned 1 [0037.032] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.032] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.032] ResetEvent (hEvent=0x104) returned 1 [0037.032] SetEvent (hEvent=0x108) returned 1 [0037.033] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.033] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.033] ResetEvent (hEvent=0x104) returned 1 [0037.033] SetEvent (hEvent=0x108) returned 1 [0037.033] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.033] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.033] ResetEvent (hEvent=0x104) returned 1 [0037.033] SetEvent (hEvent=0x108) returned 1 [0037.033] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.033] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.033] ResetEvent (hEvent=0x104) returned 1 [0037.033] SetEvent (hEvent=0x108) returned 1 [0037.034] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.034] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.034] ResetEvent (hEvent=0x104) returned 1 [0037.034] SetEvent (hEvent=0x108) returned 1 [0037.034] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.034] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.034] ResetEvent (hEvent=0x104) returned 1 [0037.034] SetEvent (hEvent=0x108) returned 1 [0037.034] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.034] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.034] ResetEvent (hEvent=0x104) returned 1 [0037.034] SetEvent (hEvent=0x108) returned 1 [0037.035] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.035] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.035] ResetEvent (hEvent=0x104) returned 1 [0037.035] SetEvent (hEvent=0x108) returned 1 [0037.035] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.035] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.035] ResetEvent (hEvent=0x104) returned 1 [0037.035] SetEvent (hEvent=0x108) returned 1 [0037.035] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.035] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.035] ResetEvent (hEvent=0x104) returned 1 [0037.035] SetEvent (hEvent=0x108) returned 1 [0037.036] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.036] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.036] ResetEvent (hEvent=0x104) returned 1 [0037.036] SetEvent (hEvent=0x108) returned 1 [0037.036] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.036] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.036] ResetEvent (hEvent=0x104) returned 1 [0037.036] SetEvent (hEvent=0x108) returned 1 [0037.036] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.036] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.036] ResetEvent (hEvent=0x104) returned 1 [0037.036] SetEvent (hEvent=0x108) returned 1 [0037.037] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.037] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.037] ResetEvent (hEvent=0x104) returned 1 [0037.037] SetEvent (hEvent=0x108) returned 1 [0037.037] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.037] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.037] MapViewOfFile (hFileMappingObject=0x188, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x840000 [0037.037] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x840000, VirtualMemoryInformationClass=0x2, VirtualMemoryInformation=0xadd258, Length=0x2800, ResultLength=0x0 | out: VirtualMemoryInformation=0xadd258, ResultLength=0x0) returned 0xc0000098 [0037.037] UnmapViewOfFile (lpBaseAddress=0x840000) returned 1 [0037.037] ResetEvent (hEvent=0x104) returned 1 [0037.037] SetEvent (hEvent=0x108) returned 1 [0037.038] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.038] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.038] ResetEvent (hEvent=0x104) returned 1 [0037.038] SetEvent (hEvent=0x108) returned 1 [0037.038] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.038] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.038] ResetEvent (hEvent=0x104) returned 1 [0037.038] SetEvent (hEvent=0x108) returned 1 [0037.038] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.038] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.038] MapViewOfFile (hFileMappingObject=0x188, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x840000 [0037.038] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x840000, VirtualMemoryInformationClass=0x2, VirtualMemoryInformation=0xadd258, Length=0x2800, ResultLength=0x0 | out: VirtualMemoryInformation=0xadd258, ResultLength=0x0) returned 0xc0000098 [0037.038] UnmapViewOfFile (lpBaseAddress=0x840000) returned 1 [0037.039] ResetEvent (hEvent=0x104) returned 1 [0037.039] SetEvent (hEvent=0x108) returned 1 [0037.039] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.039] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.039] ResetEvent (hEvent=0x104) returned 1 [0037.039] SetEvent (hEvent=0x108) returned 1 [0037.039] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.039] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.039] MapViewOfFile (hFileMappingObject=0x188, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x840000 [0037.039] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x840000, VirtualMemoryInformationClass=0x2, VirtualMemoryInformation=0xadd258, Length=0x2800, ResultLength=0x0 | out: VirtualMemoryInformation=0xadd258, ResultLength=0x0) returned 0xc0000098 [0037.039] UnmapViewOfFile (lpBaseAddress=0x840000) returned 1 [0037.039] ResetEvent (hEvent=0x104) returned 1 [0037.039] SetEvent (hEvent=0x108) returned 1 [0037.040] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.040] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.040] ResetEvent (hEvent=0x104) returned 1 [0037.040] SetEvent (hEvent=0x108) returned 1 [0037.040] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.040] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.040] ResetEvent (hEvent=0x104) returned 1 [0037.040] SetEvent (hEvent=0x108) returned 1 [0037.040] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.040] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.040] MapViewOfFile (hFileMappingObject=0x188, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x840000 [0037.041] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x840000, VirtualMemoryInformationClass=0x2, VirtualMemoryInformation=0xadd258, Length=0x2800, ResultLength=0x0 | out: VirtualMemoryInformation=0xadd258, ResultLength=0x0) returned 0xc0000098 [0037.041] UnmapViewOfFile (lpBaseAddress=0x840000) returned 1 [0037.041] ResetEvent (hEvent=0x104) returned 1 [0037.041] SetEvent (hEvent=0x108) returned 1 [0037.041] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.041] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.041] ResetEvent (hEvent=0x104) returned 1 [0037.041] SetEvent (hEvent=0x108) returned 1 [0037.041] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.041] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.041] ResetEvent (hEvent=0x104) returned 1 [0037.041] SetEvent (hEvent=0x108) returned 1 [0037.042] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.042] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.042] ResetEvent (hEvent=0x104) returned 1 [0037.042] SetEvent (hEvent=0x108) returned 1 [0037.042] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.042] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.042] ResetEvent (hEvent=0x104) returned 1 [0037.042] SetEvent (hEvent=0x108) returned 1 [0037.043] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.043] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.043] ResetEvent (hEvent=0x104) returned 1 [0037.043] SetEvent (hEvent=0x108) returned 1 [0037.043] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.043] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.043] ResetEvent (hEvent=0x104) returned 1 [0037.043] SetEvent (hEvent=0x108) returned 1 [0037.043] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.043] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.043] ResetEvent (hEvent=0x104) returned 1 [0037.043] SetEvent (hEvent=0x108) returned 1 [0037.044] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.044] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.044] ResetEvent (hEvent=0x104) returned 1 [0037.044] SetEvent (hEvent=0x108) returned 1 [0037.044] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.044] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.044] ResetEvent (hEvent=0x104) returned 1 [0037.044] SetEvent (hEvent=0x108) returned 1 [0037.044] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.044] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.044] ResetEvent (hEvent=0x104) returned 1 [0037.044] SetEvent (hEvent=0x108) returned 1 [0037.045] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.045] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.045] ResetEvent (hEvent=0x104) returned 1 [0037.045] SetEvent (hEvent=0x108) returned 1 [0037.045] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.045] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.045] ResetEvent (hEvent=0x104) returned 1 [0037.045] SetEvent (hEvent=0x108) returned 1 [0037.045] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.045] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.045] ResetEvent (hEvent=0x104) returned 1 [0037.045] SetEvent (hEvent=0x108) returned 1 [0037.046] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.046] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.046] MapViewOfFile (hFileMappingObject=0x188, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x840000 [0037.046] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x840000, VirtualMemoryInformationClass=0x2, VirtualMemoryInformation=0xadd258, Length=0x2800, ResultLength=0x0 | out: VirtualMemoryInformation=0xadd258, ResultLength=0x0) returned 0xc0000098 [0037.046] UnmapViewOfFile (lpBaseAddress=0x840000) returned 1 [0037.046] ResetEvent (hEvent=0x104) returned 1 [0037.046] SetEvent (hEvent=0x108) returned 1 [0037.046] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.046] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.046] ResetEvent (hEvent=0x104) returned 1 [0037.046] SetEvent (hEvent=0x108) returned 1 [0037.046] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.047] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.047] ResetEvent (hEvent=0x104) returned 1 [0037.047] SetEvent (hEvent=0x108) returned 1 [0037.047] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.047] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.047] ResetEvent (hEvent=0x104) returned 1 [0037.047] SetEvent (hEvent=0x108) returned 1 [0037.047] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.047] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.047] ResetEvent (hEvent=0x104) returned 1 [0037.047] SetEvent (hEvent=0x108) returned 1 [0037.048] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.048] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.048] ResetEvent (hEvent=0x104) returned 1 [0037.048] SetEvent (hEvent=0x108) returned 1 [0037.048] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.048] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.048] ResetEvent (hEvent=0x104) returned 1 [0037.048] SetEvent (hEvent=0x108) returned 1 [0037.048] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.048] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.048] ResetEvent (hEvent=0x104) returned 1 [0037.048] SetEvent (hEvent=0x108) returned 1 [0037.048] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.049] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.049] MapViewOfFile (hFileMappingObject=0x188, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x840000 [0037.049] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x840000, VirtualMemoryInformationClass=0x2, VirtualMemoryInformation=0xadd258, Length=0x2800, ResultLength=0x0 | out: VirtualMemoryInformation=0xadd258, ResultLength=0x0) returned 0xc0000098 [0037.049] UnmapViewOfFile (lpBaseAddress=0x840000) returned 1 [0037.049] ResetEvent (hEvent=0x104) returned 1 [0037.049] SetEvent (hEvent=0x108) returned 1 [0037.049] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.049] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.049] ResetEvent (hEvent=0x104) returned 1 [0037.049] SetEvent (hEvent=0x108) returned 1 [0037.049] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.049] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.049] ResetEvent (hEvent=0x104) returned 1 [0037.049] SetEvent (hEvent=0x108) returned 1 [0037.050] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.050] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.050] ResetEvent (hEvent=0x104) returned 1 [0037.050] SetEvent (hEvent=0x108) returned 1 [0037.050] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.050] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.050] ResetEvent (hEvent=0x104) returned 1 [0037.050] SetEvent (hEvent=0x108) returned 1 [0037.050] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.050] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.050] ResetEvent (hEvent=0x104) returned 1 [0037.050] SetEvent (hEvent=0x108) returned 1 [0037.051] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.051] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.051] ResetEvent (hEvent=0x104) returned 1 [0037.051] SetEvent (hEvent=0x108) returned 1 [0037.051] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.051] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.051] ResetEvent (hEvent=0x104) returned 1 [0037.051] SetEvent (hEvent=0x108) returned 1 [0037.051] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.051] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.051] ResetEvent (hEvent=0x104) returned 1 [0037.051] SetEvent (hEvent=0x108) returned 1 [0037.052] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.052] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.052] ResetEvent (hEvent=0x104) returned 1 [0037.052] SetEvent (hEvent=0x108) returned 1 [0037.052] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.052] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.052] ResetEvent (hEvent=0x104) returned 1 [0037.052] SetEvent (hEvent=0x108) returned 1 [0037.055] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.055] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.055] ResetEvent (hEvent=0x104) returned 1 [0037.055] SetEvent (hEvent=0x108) returned 1 [0037.055] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.055] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.055] ResetEvent (hEvent=0x104) returned 1 [0037.055] SetEvent (hEvent=0x108) returned 1 [0037.055] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.055] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.055] ResetEvent (hEvent=0x104) returned 1 [0037.055] SetEvent (hEvent=0x108) returned 1 [0037.056] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.056] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.056] ResetEvent (hEvent=0x104) returned 1 [0037.056] SetEvent (hEvent=0x108) returned 1 [0037.056] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.056] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.056] ResetEvent (hEvent=0x104) returned 1 [0037.056] SetEvent (hEvent=0x108) returned 1 [0037.056] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.056] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.056] ResetEvent (hEvent=0x104) returned 1 [0037.056] SetEvent (hEvent=0x108) returned 1 [0037.057] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.057] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.057] ResetEvent (hEvent=0x104) returned 1 [0037.057] SetEvent (hEvent=0x108) returned 1 [0037.057] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.057] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.057] ResetEvent (hEvent=0x104) returned 1 [0037.057] SetEvent (hEvent=0x108) returned 1 [0037.057] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.057] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.057] MapViewOfFile (hFileMappingObject=0x188, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x840000 [0037.058] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x840000, VirtualMemoryInformationClass=0x2, VirtualMemoryInformation=0xadd258, Length=0x2800, ResultLength=0x0 | out: VirtualMemoryInformation=0xadd258, ResultLength=0x0) returned 0xc0000098 [0037.058] UnmapViewOfFile (lpBaseAddress=0x840000) returned 1 [0037.058] ResetEvent (hEvent=0x104) returned 1 [0037.058] SetEvent (hEvent=0x108) returned 1 [0037.058] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.058] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.058] ResetEvent (hEvent=0x104) returned 1 [0037.058] SetEvent (hEvent=0x108) returned 1 [0037.058] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.058] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.058] ResetEvent (hEvent=0x104) returned 1 [0037.058] SetEvent (hEvent=0x108) returned 1 [0037.059] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.059] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.059] ResetEvent (hEvent=0x104) returned 1 [0037.059] SetEvent (hEvent=0x108) returned 1 [0037.059] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.059] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.059] ResetEvent (hEvent=0x104) returned 1 [0037.059] SetEvent (hEvent=0x108) returned 1 [0037.059] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.059] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.059] ResetEvent (hEvent=0x104) returned 1 [0037.059] SetEvent (hEvent=0x108) returned 1 [0037.060] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.060] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.060] ResetEvent (hEvent=0x104) returned 1 [0037.060] SetEvent (hEvent=0x108) returned 1 [0037.060] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.060] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.060] ResetEvent (hEvent=0x104) returned 1 [0037.060] SetEvent (hEvent=0x108) returned 1 [0037.060] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.060] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.060] ResetEvent (hEvent=0x104) returned 1 [0037.060] SetEvent (hEvent=0x108) returned 1 [0037.061] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.061] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.061] ResetEvent (hEvent=0x104) returned 1 [0037.061] SetEvent (hEvent=0x108) returned 1 [0037.061] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.061] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.061] ResetEvent (hEvent=0x104) returned 1 [0037.061] SetEvent (hEvent=0x108) returned 1 [0037.061] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.061] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.061] ResetEvent (hEvent=0x104) returned 1 [0037.061] SetEvent (hEvent=0x108) returned 1 [0037.062] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.062] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.062] ResetEvent (hEvent=0x104) returned 1 [0037.062] SetEvent (hEvent=0x108) returned 1 [0037.062] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.062] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.062] ResetEvent (hEvent=0x104) returned 1 [0037.062] SetEvent (hEvent=0x108) returned 1 [0037.062] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.062] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.062] ResetEvent (hEvent=0x104) returned 1 [0037.062] SetEvent (hEvent=0x108) returned 1 [0037.063] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.063] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.063] ResetEvent (hEvent=0x104) returned 1 [0037.063] SetEvent (hEvent=0x108) returned 1 [0037.063] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.063] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.063] ResetEvent (hEvent=0x104) returned 1 [0037.063] SetEvent (hEvent=0x108) returned 1 [0037.063] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.063] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.063] ResetEvent (hEvent=0x104) returned 1 [0037.063] SetEvent (hEvent=0x108) returned 1 [0037.064] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.064] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.064] ResetEvent (hEvent=0x104) returned 1 [0037.064] SetEvent (hEvent=0x108) returned 1 [0037.064] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.064] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.064] ResetEvent (hEvent=0x104) returned 1 [0037.064] SetEvent (hEvent=0x108) returned 1 [0037.064] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.064] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.064] ResetEvent (hEvent=0x104) returned 1 [0037.064] SetEvent (hEvent=0x108) returned 1 [0037.064] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.065] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.065] ResetEvent (hEvent=0x104) returned 1 [0037.065] SetEvent (hEvent=0x108) returned 1 [0037.065] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.065] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.065] ResetEvent (hEvent=0x104) returned 1 [0037.065] SetEvent (hEvent=0x108) returned 1 [0037.065] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.065] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.065] ResetEvent (hEvent=0x104) returned 1 [0037.065] SetEvent (hEvent=0x108) returned 1 [0037.065] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.066] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.066] ResetEvent (hEvent=0x104) returned 1 [0037.066] SetEvent (hEvent=0x108) returned 1 [0037.066] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.066] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.066] ResetEvent (hEvent=0x104) returned 1 [0037.066] SetEvent (hEvent=0x108) returned 1 [0037.066] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.066] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.066] ResetEvent (hEvent=0x104) returned 1 [0037.066] SetEvent (hEvent=0x108) returned 1 [0037.066] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.066] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.067] ResetEvent (hEvent=0x104) returned 1 [0037.067] SetEvent (hEvent=0x108) returned 1 [0037.067] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.067] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.067] ResetEvent (hEvent=0x104) returned 1 [0037.067] SetEvent (hEvent=0x108) returned 1 [0037.067] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.067] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.067] ResetEvent (hEvent=0x104) returned 1 [0037.067] SetEvent (hEvent=0x108) returned 1 [0037.122] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.123] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.123] ResetEvent (hEvent=0x104) returned 1 [0037.123] SetEvent (hEvent=0x108) returned 1 [0037.123] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.123] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.123] ResetEvent (hEvent=0x104) returned 1 [0037.123] SetEvent (hEvent=0x108) returned 1 [0037.123] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.123] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.123] ResetEvent (hEvent=0x104) returned 1 [0037.123] SetEvent (hEvent=0x108) returned 1 [0037.124] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.124] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.124] ResetEvent (hEvent=0x104) returned 1 [0037.124] SetEvent (hEvent=0x108) returned 1 [0037.124] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.124] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.124] ResetEvent (hEvent=0x104) returned 1 [0037.124] SetEvent (hEvent=0x108) returned 1 [0037.124] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.124] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.124] ResetEvent (hEvent=0x104) returned 1 [0037.124] SetEvent (hEvent=0x108) returned 1 [0037.125] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.125] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.125] ResetEvent (hEvent=0x104) returned 1 [0037.125] SetEvent (hEvent=0x108) returned 1 [0037.125] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.125] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.125] ResetEvent (hEvent=0x104) returned 1 [0037.125] SetEvent (hEvent=0x108) returned 1 [0037.125] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.125] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.125] ResetEvent (hEvent=0x104) returned 1 [0037.125] SetEvent (hEvent=0x108) returned 1 [0037.126] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.126] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.126] ResetEvent (hEvent=0x104) returned 1 [0037.126] SetEvent (hEvent=0x108) returned 1 [0037.126] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.126] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.126] MapViewOfFile (hFileMappingObject=0x188, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x840000 [0037.126] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x840000, VirtualMemoryInformationClass=0x2, VirtualMemoryInformation=0xadd258, Length=0x2800, ResultLength=0x0 | out: VirtualMemoryInformation=0xadd258, ResultLength=0x0) returned 0xc0000098 [0037.126] UnmapViewOfFile (lpBaseAddress=0x840000) returned 1 [0037.126] ResetEvent (hEvent=0x104) returned 1 [0037.126] SetEvent (hEvent=0x108) returned 1 [0037.127] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.127] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.127] ResetEvent (hEvent=0x104) returned 1 [0037.127] SetEvent (hEvent=0x108) returned 1 [0037.127] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.127] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.127] ResetEvent (hEvent=0x104) returned 1 [0037.127] SetEvent (hEvent=0x108) returned 1 [0037.127] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.127] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.127] MapViewOfFile (hFileMappingObject=0x188, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x840000 [0037.127] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x840000, VirtualMemoryInformationClass=0x2, VirtualMemoryInformation=0xadd258, Length=0x2800, ResultLength=0x0 | out: VirtualMemoryInformation=0xadd258, ResultLength=0x0) returned 0xc0000098 [0037.128] UnmapViewOfFile (lpBaseAddress=0x840000) returned 1 [0037.128] ResetEvent (hEvent=0x104) returned 1 [0037.128] SetEvent (hEvent=0x108) returned 1 [0037.128] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.128] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.128] ResetEvent (hEvent=0x104) returned 1 [0037.128] SetEvent (hEvent=0x108) returned 1 [0037.128] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.128] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.128] ResetEvent (hEvent=0x104) returned 1 [0037.128] SetEvent (hEvent=0x108) returned 1 [0037.129] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.129] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.129] ResetEvent (hEvent=0x104) returned 1 [0037.129] SetEvent (hEvent=0x108) returned 1 [0037.129] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.129] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.129] ResetEvent (hEvent=0x104) returned 1 [0037.129] SetEvent (hEvent=0x108) returned 1 [0037.129] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.129] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.129] ResetEvent (hEvent=0x104) returned 1 [0037.129] SetEvent (hEvent=0x108) returned 1 [0037.130] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.130] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.130] ResetEvent (hEvent=0x104) returned 1 [0037.130] SetEvent (hEvent=0x108) returned 1 [0037.130] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.130] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.130] ResetEvent (hEvent=0x104) returned 1 [0037.130] SetEvent (hEvent=0x108) returned 1 [0037.130] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.130] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.130] MapViewOfFile (hFileMappingObject=0x188, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x840000 [0037.130] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x840000, VirtualMemoryInformationClass=0x2, VirtualMemoryInformation=0xadd258, Length=0x2800, ResultLength=0x0 | out: VirtualMemoryInformation=0xadd258, ResultLength=0x0) returned 0xc0000098 [0037.130] UnmapViewOfFile (lpBaseAddress=0x840000) returned 1 [0037.131] ResetEvent (hEvent=0x104) returned 1 [0037.131] SetEvent (hEvent=0x108) returned 1 [0037.131] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.131] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.131] MapViewOfFile (hFileMappingObject=0x188, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x840000 [0037.131] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x840000, VirtualMemoryInformationClass=0x2, VirtualMemoryInformation=0xadd258, Length=0x2800, ResultLength=0x0 | out: VirtualMemoryInformation=0xadd258, ResultLength=0x0) returned 0xc0000098 [0037.131] UnmapViewOfFile (lpBaseAddress=0x840000) returned 1 [0037.131] ResetEvent (hEvent=0x104) returned 1 [0037.131] SetEvent (hEvent=0x108) returned 1 [0037.131] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.131] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.131] ResetEvent (hEvent=0x104) returned 1 [0037.131] SetEvent (hEvent=0x108) returned 1 [0037.132] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.132] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.132] ResetEvent (hEvent=0x104) returned 1 [0037.132] SetEvent (hEvent=0x108) returned 1 [0037.132] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.132] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.132] ResetEvent (hEvent=0x104) returned 1 [0037.132] SetEvent (hEvent=0x108) returned 1 [0037.132] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.132] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.132] ResetEvent (hEvent=0x104) returned 1 [0037.132] SetEvent (hEvent=0x108) returned 1 [0037.133] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.133] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.133] ResetEvent (hEvent=0x104) returned 1 [0037.133] SetEvent (hEvent=0x108) returned 1 [0037.133] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.133] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.133] ResetEvent (hEvent=0x104) returned 1 [0037.133] SetEvent (hEvent=0x108) returned 1 [0037.133] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.133] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.133] ResetEvent (hEvent=0x104) returned 1 [0037.133] SetEvent (hEvent=0x108) returned 1 [0037.134] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.134] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.134] ResetEvent (hEvent=0x104) returned 1 [0037.134] SetEvent (hEvent=0x108) returned 1 [0037.134] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.134] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.134] ResetEvent (hEvent=0x104) returned 1 [0037.134] SetEvent (hEvent=0x108) returned 1 [0037.134] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.134] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.134] ResetEvent (hEvent=0x104) returned 1 [0037.134] SetEvent (hEvent=0x108) returned 1 [0037.135] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.135] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.135] ResetEvent (hEvent=0x104) returned 1 [0037.135] SetEvent (hEvent=0x108) returned 1 [0037.135] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.135] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.135] ResetEvent (hEvent=0x104) returned 1 [0037.135] SetEvent (hEvent=0x108) returned 1 [0037.136] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.136] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.136] ResetEvent (hEvent=0x104) returned 1 [0037.136] SetEvent (hEvent=0x108) returned 1 [0037.136] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.136] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.136] ResetEvent (hEvent=0x104) returned 1 [0037.136] SetEvent (hEvent=0x108) returned 1 [0037.136] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.136] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.136] ResetEvent (hEvent=0x104) returned 1 [0037.137] SetEvent (hEvent=0x108) returned 1 [0037.137] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.137] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.137] ResetEvent (hEvent=0x104) returned 1 [0037.137] SetEvent (hEvent=0x108) returned 1 [0037.137] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.137] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.137] ResetEvent (hEvent=0x104) returned 1 [0037.137] SetEvent (hEvent=0x108) returned 1 [0037.137] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.137] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.137] ResetEvent (hEvent=0x104) returned 1 [0037.138] SetEvent (hEvent=0x108) returned 1 [0037.138] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.138] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.138] ResetEvent (hEvent=0x104) returned 1 [0037.138] SetEvent (hEvent=0x108) returned 1 [0037.138] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.138] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.138] MapViewOfFile (hFileMappingObject=0x188, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x840000 [0037.138] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x840000, VirtualMemoryInformationClass=0x2, VirtualMemoryInformation=0xadd258, Length=0x2800, ResultLength=0x0 | out: VirtualMemoryInformation=0xadd258, ResultLength=0x0) returned 0xc0000098 [0037.138] UnmapViewOfFile (lpBaseAddress=0x840000) returned 1 [0037.138] ResetEvent (hEvent=0x104) returned 1 [0037.138] SetEvent (hEvent=0x108) returned 1 [0037.139] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.139] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.139] ResetEvent (hEvent=0x104) returned 1 [0037.139] SetEvent (hEvent=0x108) returned 1 [0037.139] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.139] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.139] ResetEvent (hEvent=0x104) returned 1 [0037.139] SetEvent (hEvent=0x108) returned 1 [0037.139] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.139] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.139] ResetEvent (hEvent=0x104) returned 1 [0037.139] SetEvent (hEvent=0x108) returned 1 [0037.140] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.140] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.140] ResetEvent (hEvent=0x104) returned 1 [0037.140] SetEvent (hEvent=0x108) returned 1 [0037.140] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.140] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.140] ResetEvent (hEvent=0x104) returned 1 [0037.140] SetEvent (hEvent=0x108) returned 1 [0037.140] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.140] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.140] ResetEvent (hEvent=0x104) returned 1 [0037.140] SetEvent (hEvent=0x108) returned 1 [0037.141] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.141] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.141] ResetEvent (hEvent=0x104) returned 1 [0037.141] SetEvent (hEvent=0x108) returned 1 [0037.141] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.141] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.141] ResetEvent (hEvent=0x104) returned 1 [0037.141] SetEvent (hEvent=0x108) returned 1 [0037.141] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.141] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.141] ResetEvent (hEvent=0x104) returned 1 [0037.141] SetEvent (hEvent=0x108) returned 1 [0037.142] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.142] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.142] ResetEvent (hEvent=0x104) returned 1 [0037.142] SetEvent (hEvent=0x108) returned 1 [0037.142] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.142] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.142] ResetEvent (hEvent=0x104) returned 1 [0037.142] SetEvent (hEvent=0x108) returned 1 [0037.142] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.142] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.142] MapViewOfFile (hFileMappingObject=0x188, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x840000 [0037.143] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x840000, VirtualMemoryInformationClass=0x2, VirtualMemoryInformation=0xadd258, Length=0x2800, ResultLength=0x0 | out: VirtualMemoryInformation=0xadd258, ResultLength=0x0) returned 0xc0000098 [0037.143] UnmapViewOfFile (lpBaseAddress=0x840000) returned 1 [0037.143] ResetEvent (hEvent=0x104) returned 1 [0037.143] SetEvent (hEvent=0x108) returned 1 [0037.143] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.143] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.143] MapViewOfFile (hFileMappingObject=0x188, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x840000 [0037.143] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x840000, VirtualMemoryInformationClass=0x2, VirtualMemoryInformation=0xadd258, Length=0x2800, ResultLength=0x0 | out: VirtualMemoryInformation=0xadd258, ResultLength=0x0) returned 0xc0000098 [0037.143] UnmapViewOfFile (lpBaseAddress=0x840000) returned 1 [0037.143] ResetEvent (hEvent=0x104) returned 1 [0037.143] SetEvent (hEvent=0x108) returned 1 [0037.144] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.144] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.144] ResetEvent (hEvent=0x104) returned 1 [0037.144] SetEvent (hEvent=0x108) returned 1 [0037.144] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.144] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.144] ResetEvent (hEvent=0x104) returned 1 [0037.144] SetEvent (hEvent=0x108) returned 1 [0037.144] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.144] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.144] ResetEvent (hEvent=0x104) returned 1 [0037.144] SetEvent (hEvent=0x108) returned 1 [0037.145] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.145] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.145] ResetEvent (hEvent=0x104) returned 1 [0037.145] SetEvent (hEvent=0x108) returned 1 [0037.145] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.145] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.145] ResetEvent (hEvent=0x104) returned 1 [0037.145] SetEvent (hEvent=0x108) returned 1 [0037.145] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.145] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.145] ResetEvent (hEvent=0x104) returned 1 [0037.145] SetEvent (hEvent=0x108) returned 1 [0037.145] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.146] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.146] ResetEvent (hEvent=0x104) returned 1 [0037.146] SetEvent (hEvent=0x108) returned 1 [0037.146] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.146] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.146] ResetEvent (hEvent=0x104) returned 1 [0037.146] SetEvent (hEvent=0x108) returned 1 [0037.146] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.146] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.146] ResetEvent (hEvent=0x104) returned 1 [0037.146] SetEvent (hEvent=0x108) returned 1 [0037.146] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.147] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.147] ResetEvent (hEvent=0x104) returned 1 [0037.147] SetEvent (hEvent=0x108) returned 1 [0037.147] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.147] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.147] ResetEvent (hEvent=0x104) returned 1 [0037.147] SetEvent (hEvent=0x108) returned 1 [0037.147] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.147] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.147] ResetEvent (hEvent=0x104) returned 1 [0037.147] SetEvent (hEvent=0x108) returned 1 [0037.147] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.148] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.148] ResetEvent (hEvent=0x104) returned 1 [0037.148] SetEvent (hEvent=0x108) returned 1 [0037.148] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.148] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.148] ResetEvent (hEvent=0x104) returned 1 [0037.148] SetEvent (hEvent=0x108) returned 1 [0037.148] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.148] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.148] MapViewOfFile (hFileMappingObject=0x188, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x840000 [0037.148] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x840000, VirtualMemoryInformationClass=0x2, VirtualMemoryInformation=0xadd258, Length=0x2800, ResultLength=0x0 | out: VirtualMemoryInformation=0xadd258, ResultLength=0x0) returned 0xc0000098 [0037.148] UnmapViewOfFile (lpBaseAddress=0x840000) returned 1 [0037.149] ResetEvent (hEvent=0x104) returned 1 [0037.149] SetEvent (hEvent=0x108) returned 1 [0037.149] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.149] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.149] ResetEvent (hEvent=0x104) returned 1 [0037.149] SetEvent (hEvent=0x108) returned 1 [0037.149] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.149] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.149] ResetEvent (hEvent=0x104) returned 1 [0037.149] SetEvent (hEvent=0x108) returned 1 [0037.149] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.150] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.150] MapViewOfFile (hFileMappingObject=0x188, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x840000 [0037.150] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x840000, VirtualMemoryInformationClass=0x2, VirtualMemoryInformation=0xadd258, Length=0x2800, ResultLength=0x0 | out: VirtualMemoryInformation=0xadd258, ResultLength=0x0) returned 0xc0000098 [0037.150] UnmapViewOfFile (lpBaseAddress=0x840000) returned 1 [0037.150] ResetEvent (hEvent=0x104) returned 1 [0037.150] SetEvent (hEvent=0x108) returned 1 [0037.150] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.150] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.150] ResetEvent (hEvent=0x104) returned 1 [0037.150] SetEvent (hEvent=0x108) returned 1 [0037.150] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.150] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.150] ResetEvent (hEvent=0x104) returned 1 [0037.150] SetEvent (hEvent=0x108) returned 1 [0037.151] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.151] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.151] ResetEvent (hEvent=0x104) returned 1 [0037.151] SetEvent (hEvent=0x108) returned 1 [0037.151] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.151] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.151] ResetEvent (hEvent=0x104) returned 1 [0037.151] SetEvent (hEvent=0x108) returned 1 [0037.152] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.152] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.152] ResetEvent (hEvent=0x104) returned 1 [0037.152] SetEvent (hEvent=0x108) returned 1 [0037.152] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.152] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.152] ResetEvent (hEvent=0x104) returned 1 [0037.152] SetEvent (hEvent=0x108) returned 1 [0037.152] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.152] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.152] ResetEvent (hEvent=0x104) returned 1 [0037.152] SetEvent (hEvent=0x108) returned 1 [0037.152] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.153] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.153] ResetEvent (hEvent=0x104) returned 1 [0037.153] SetEvent (hEvent=0x108) returned 1 [0037.153] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.153] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.153] ResetEvent (hEvent=0x104) returned 1 [0037.153] SetEvent (hEvent=0x108) returned 1 [0037.153] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.153] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.153] ResetEvent (hEvent=0x104) returned 1 [0037.153] SetEvent (hEvent=0x108) returned 1 [0037.153] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.154] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.154] ResetEvent (hEvent=0x104) returned 1 [0037.154] SetEvent (hEvent=0x108) returned 1 [0037.154] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.154] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.154] ResetEvent (hEvent=0x104) returned 1 [0037.154] SetEvent (hEvent=0x108) returned 1 [0037.154] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.154] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.154] ResetEvent (hEvent=0x104) returned 1 [0037.154] SetEvent (hEvent=0x108) returned 1 [0037.154] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.154] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.155] ResetEvent (hEvent=0x104) returned 1 [0037.155] SetEvent (hEvent=0x108) returned 1 [0037.155] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.155] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.155] ResetEvent (hEvent=0x104) returned 1 [0037.155] SetEvent (hEvent=0x108) returned 1 [0037.155] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.155] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.155] ResetEvent (hEvent=0x104) returned 1 [0037.155] SetEvent (hEvent=0x108) returned 1 [0037.155] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.155] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.156] ResetEvent (hEvent=0x104) returned 1 [0037.156] SetEvent (hEvent=0x108) returned 1 [0037.156] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.156] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.156] ResetEvent (hEvent=0x104) returned 1 [0037.156] SetEvent (hEvent=0x108) returned 1 [0037.156] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.156] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.156] MapViewOfFile (hFileMappingObject=0x188, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x840000 [0037.156] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x840000, VirtualMemoryInformationClass=0x2, VirtualMemoryInformation=0xadd258, Length=0x2800, ResultLength=0x0 | out: VirtualMemoryInformation=0xadd258, ResultLength=0x0) returned 0xc0000098 [0037.156] UnmapViewOfFile (lpBaseAddress=0x840000) returned 1 [0037.156] ResetEvent (hEvent=0x104) returned 1 [0037.156] SetEvent (hEvent=0x108) returned 1 [0037.157] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.157] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.157] ResetEvent (hEvent=0x104) returned 1 [0037.157] SetEvent (hEvent=0x108) returned 1 [0037.157] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.157] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.157] ResetEvent (hEvent=0x104) returned 1 [0037.157] SetEvent (hEvent=0x108) returned 1 [0037.157] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.157] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.157] ResetEvent (hEvent=0x104) returned 1 [0037.157] SetEvent (hEvent=0x108) returned 1 [0037.158] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.158] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.158] ResetEvent (hEvent=0x104) returned 1 [0037.158] SetEvent (hEvent=0x108) returned 1 [0037.158] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.158] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.158] ResetEvent (hEvent=0x104) returned 1 [0037.158] SetEvent (hEvent=0x108) returned 1 [0037.158] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.158] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.158] ResetEvent (hEvent=0x104) returned 1 [0037.158] SetEvent (hEvent=0x108) returned 1 [0037.159] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.159] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.159] ResetEvent (hEvent=0x104) returned 1 [0037.159] SetEvent (hEvent=0x108) returned 1 [0037.159] WaitForMultipleObjects (nCount=0x2, lpHandles=0xb3fa88*=0x104, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0037.159] NtQueryObject (in: Handle=0x188, ObjectInformationClass=0x2, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.159] MapViewOfFile (hFileMappingObject=0x188, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x840000 [0037.159] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x840000, VirtualMemoryInformationClass=0x2, VirtualMemoryInformation=0xadd258, Length=0x2800, ResultLength=0x0 | out: VirtualMemoryInformation=0xadd258, ResultLength=0x0) returned 0xc0000098 [0037.159] UnmapViewOfFile (lpBaseAddress=0x840000) returned 1 [0037.159] ResetEvent (hEvent=0x104) returned 1 [0037.159] SetEvent (hEvent=0x108) returned 1 [0037.166] GetFileType (hFile=0x18c) returned 0x3 [0037.166] GetFileType (hFile=0x18c) returned 0x3 [0037.166] GetFileType (hFile=0x18c) returned 0x3 [0037.168] GetFileType (hFile=0x18c) returned 0x3 [0037.168] GetFileType (hFile=0x18c) returned 0x3 [0037.168] GetFileType (hFile=0x18c) returned 0x3 [0037.168] GetFileType (hFile=0x18c) returned 0x3 [0037.168] GetFileType (hFile=0x18c) returned 0x3 [0037.232] GetFileType (hFile=0x198) returned 0x3 [0037.232] GetFileType (hFile=0x198) returned 0x3 [0037.232] GetFileType (hFile=0x198) returned 0x3 [0037.232] GetFileType (hFile=0x198) returned 0x3 [0037.232] GetFileType (hFile=0x198) returned 0x3 [0037.232] GetFileType (hFile=0x198) returned 0x3 [0037.238] GetFileType (hFile=0x198) returned 0x3 [0037.238] GetFileType (hFile=0x198) returned 0x3 [0037.238] GetFileType (hFile=0x198) returned 0x3 [0037.239] GetFileType (hFile=0x198) returned 0x3 [0037.239] GetFileType (hFile=0x198) returned 0x3 [0037.252] GetFileType (hFile=0x19c) returned 0x3 [0037.252] GetFileType (hFile=0x19c) returned 0x3 [0037.253] GetFileType (hFile=0x19c) returned 0x0 [0037.253] GetFileType (hFile=0x19c) returned 0x3 [0037.254] GetFileType (hFile=0x19c) returned 0x3 [0037.254] GetFileType (hFile=0x19c) returned 0x3 [0037.258] GetFileType (hFile=0x19c) returned 0x3 [0037.260] GetFileType (hFile=0x19c) returned 0x3 [0037.264] GetFileType (hFile=0x19c) returned 0x3 [0037.265] GetFileType (hFile=0x19c) returned 0x3 [0037.265] GetFileType (hFile=0x19c) returned 0x3 [0037.265] GetFileType (hFile=0x19c) returned 0x3 [0037.265] GetFileType (hFile=0x19c) returned 0x3 [0037.270] GetFileType (hFile=0x1a0) returned 0x3 [0037.270] GetFileType (hFile=0x1a0) returned 0x3 [0037.271] GetFileType (hFile=0x1a0) returned 0x3 [0037.272] GetFileType (hFile=0x1a0) returned 0x1 [0037.272] NtQueryObject (in: Handle=0x1a0, ObjectInformationClass=0x1, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.272] MapViewOfFile (hFileMappingObject=0x1a0, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x0 [0037.281] GetFileType (hFile=0x1a4) returned 0x3 [0037.282] GetFileType (hFile=0x1a4) returned 0x3 [0037.282] GetFileType (hFile=0x1a4) returned 0x3 [0037.325] GetFileType (hFile=0x1a4) returned 0x1 [0037.325] NtQueryObject (in: Handle=0x1a4, ObjectInformationClass=0x1, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.326] MapViewOfFile (hFileMappingObject=0x1a4, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x0 [0037.330] GetFileType (hFile=0x1a8) returned 0x3 [0037.331] GetFileType (hFile=0x1a8) returned 0x3 [0037.331] GetFileType (hFile=0x1a8) returned 0x3 [0037.331] GetFileType (hFile=0x1a8) returned 0x3 [0037.331] GetFileType (hFile=0x1a8) returned 0x3 [0037.331] GetFileType (hFile=0x1a8) returned 0x3 [0037.331] GetFileType (hFile=0x1a8) returned 0x3 [0037.331] GetFileType (hFile=0x1a8) returned 0x3 [0037.332] GetFileType (hFile=0x1a8) returned 0x3 [0037.332] GetFileType (hFile=0x1a8) returned 0x3 [0037.333] GetFileType (hFile=0x1a8) returned 0x3 [0037.333] GetFileType (hFile=0x1a8) returned 0x3 [0037.333] GetFileType (hFile=0x1a8) returned 0x3 [0037.342] GetFileType (hFile=0x1ac) returned 0x1 [0037.342] NtQueryObject (in: Handle=0x1ac, ObjectInformationClass=0x1, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.343] GetFileType (hFile=0x1ac) returned 0x3 [0037.343] GetFileType (hFile=0x1ac) returned 0x3 [0037.343] GetFileType (hFile=0x1ac) returned 0x3 [0037.344] GetFileType (hFile=0x1ac) returned 0x3 [0037.344] GetFileType (hFile=0x1ac) returned 0x3 [0037.345] GetFileType (hFile=0x1ac) returned 0x3 [0037.345] GetFileType (hFile=0x1ac) returned 0x3 [0037.345] GetFileType (hFile=0x1ac) returned 0x3 [0037.346] GetFileType (hFile=0x1ac) returned 0x1 [0037.346] NtQueryObject (in: Handle=0x1ac, ObjectInformationClass=0x1, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.346] MapViewOfFile (hFileMappingObject=0x1ac, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x0 [0037.346] GetFileType (hFile=0x1ac) returned 0x1 [0037.346] NtQueryObject (in: Handle=0x1ac, ObjectInformationClass=0x1, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.346] MapViewOfFile (hFileMappingObject=0x1ac, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x0 [0037.346] GetFileType (hFile=0x1ac) returned 0x1 [0037.346] NtQueryObject (in: Handle=0x1ac, ObjectInformationClass=0x1, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.347] MapViewOfFile (hFileMappingObject=0x1ac, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x0 [0037.347] GetFileType (hFile=0x1ac) returned 0x1 [0037.347] NtQueryObject (in: Handle=0x1ac, ObjectInformationClass=0x1, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.347] MapViewOfFile (hFileMappingObject=0x1ac, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x0 [0037.348] GetFileType (hFile=0x1ac) returned 0x1 [0037.348] NtQueryObject (in: Handle=0x1ac, ObjectInformationClass=0x1, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.348] MapViewOfFile (hFileMappingObject=0x1ac, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x0 [0037.348] GetFileType (hFile=0x1ac) returned 0x1 [0037.348] NtQueryObject (in: Handle=0x1ac, ObjectInformationClass=0x1, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.348] MapViewOfFile (hFileMappingObject=0x1ac, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x0 [0037.348] GetFileType (hFile=0x1ac) returned 0x1 [0037.348] NtQueryObject (in: Handle=0x1ac, ObjectInformationClass=0x1, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.349] MapViewOfFile (hFileMappingObject=0x1ac, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x0 [0037.349] GetFileType (hFile=0x1ac) returned 0x1 [0037.349] NtQueryObject (in: Handle=0x1ac, ObjectInformationClass=0x1, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.349] MapViewOfFile (hFileMappingObject=0x1ac, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x0 [0037.349] GetFileType (hFile=0x1ac) returned 0x1 [0037.349] NtQueryObject (in: Handle=0x1ac, ObjectInformationClass=0x1, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.349] MapViewOfFile (hFileMappingObject=0x1ac, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x0 [0037.350] GetFileType (hFile=0x1ac) returned 0x1 [0037.350] NtQueryObject (in: Handle=0x1ac, ObjectInformationClass=0x1, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.350] MapViewOfFile (hFileMappingObject=0x1ac, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x0 [0037.350] GetFileType (hFile=0x1ac) returned 0x1 [0037.350] NtQueryObject (in: Handle=0x1ac, ObjectInformationClass=0x1, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.350] MapViewOfFile (hFileMappingObject=0x1ac, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x0 [0037.350] GetFileType (hFile=0x1ac) returned 0x1 [0037.351] NtQueryObject (in: Handle=0x1ac, ObjectInformationClass=0x1, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.351] MapViewOfFile (hFileMappingObject=0x1ac, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x0 [0037.351] GetFileType (hFile=0x1ac) returned 0x1 [0037.351] NtQueryObject (in: Handle=0x1ac, ObjectInformationClass=0x1, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.351] MapViewOfFile (hFileMappingObject=0x1ac, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x0 [0037.351] GetFileType (hFile=0x1ac) returned 0x1 [0037.351] NtQueryObject (in: Handle=0x1ac, ObjectInformationClass=0x1, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.351] MapViewOfFile (hFileMappingObject=0x1ac, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x0 [0037.353] GetFileType (hFile=0x1ac) returned 0x2 [0037.353] GetFileType (hFile=0x1ac) returned 0x2 [0037.353] GetFileType (hFile=0x1ac) returned 0x2 [0037.354] GetFileType (hFile=0x1ac) returned 0x2 [0037.357] GetFileType (hFile=0x1ac) returned 0x1 [0037.357] NtQueryObject (in: Handle=0x1ac, ObjectInformationClass=0x1, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.357] MapViewOfFile (hFileMappingObject=0x1ac, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x0 [0037.358] GetFileType (hFile=0x1ac) returned 0x1 [0037.358] NtQueryObject (in: Handle=0x1ac, ObjectInformationClass=0x1, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.358] MapViewOfFile (hFileMappingObject=0x1ac, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x0 [0037.358] GetFileType (hFile=0x1ac) returned 0x1 [0037.358] NtQueryObject (in: Handle=0x1ac, ObjectInformationClass=0x1, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.358] MapViewOfFile (hFileMappingObject=0x1ac, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x0 [0037.358] GetFileType (hFile=0x1ac) returned 0x1 [0037.358] NtQueryObject (in: Handle=0x1ac, ObjectInformationClass=0x1, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.359] MapViewOfFile (hFileMappingObject=0x1ac, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x0 [0037.359] GetFileType (hFile=0x1ac) returned 0x1 [0037.359] NtQueryObject (in: Handle=0x1ac, ObjectInformationClass=0x1, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.359] MapViewOfFile (hFileMappingObject=0x1ac, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x0 [0037.359] GetFileType (hFile=0x1ac) returned 0x1 [0037.359] NtQueryObject (in: Handle=0x1ac, ObjectInformationClass=0x1, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.359] MapViewOfFile (hFileMappingObject=0x1ac, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x0 [0037.359] GetFileType (hFile=0x1ac) returned 0x1 [0037.359] NtQueryObject (in: Handle=0x1ac, ObjectInformationClass=0x1, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.360] MapViewOfFile (hFileMappingObject=0x1ac, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x0 [0037.360] GetFileType (hFile=0x1ac) returned 0x1 [0037.360] NtQueryObject (in: Handle=0x1ac, ObjectInformationClass=0x1, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.360] MapViewOfFile (hFileMappingObject=0x1ac, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x0 [0037.360] GetFileType (hFile=0x1ac) returned 0x1 [0037.360] NtQueryObject (in: Handle=0x1ac, ObjectInformationClass=0x1, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.360] MapViewOfFile (hFileMappingObject=0x1ac, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x0 [0037.360] GetFileType (hFile=0x1ac) returned 0x1 [0037.360] NtQueryObject (in: Handle=0x1ac, ObjectInformationClass=0x1, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.360] MapViewOfFile (hFileMappingObject=0x1ac, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x0 [0037.361] GetFileType (hFile=0x1ac) returned 0x1 [0037.361] NtQueryObject (in: Handle=0x1ac, ObjectInformationClass=0x1, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.361] MapViewOfFile (hFileMappingObject=0x1ac, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x0 [0037.362] GetFileType (hFile=0x1ac) returned 0x1 [0037.362] NtQueryObject (in: Handle=0x1ac, ObjectInformationClass=0x1, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.362] MapViewOfFile (hFileMappingObject=0x1ac, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x0 [0037.362] GetFileType (hFile=0x1ac) returned 0x3 [0037.362] GetFileType (hFile=0x1ac) returned 0x1 [0037.362] NtQueryObject (in: Handle=0x1ac, ObjectInformationClass=0x1, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.363] MapViewOfFile (hFileMappingObject=0x1ac, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x0 [0037.364] GetFileType (hFile=0x1ac) returned 0x1 [0037.364] NtQueryObject (in: Handle=0x1ac, ObjectInformationClass=0x1, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.364] MapViewOfFile (hFileMappingObject=0x1ac, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x0 [0037.364] GetFileType (hFile=0x1ac) returned 0x1 [0037.364] NtQueryObject (in: Handle=0x1ac, ObjectInformationClass=0x1, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.365] MapViewOfFile (hFileMappingObject=0x1ac, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x0 [0037.365] GetFileType (hFile=0x1ac) returned 0x1 [0037.365] NtQueryObject (in: Handle=0x1ac, ObjectInformationClass=0x1, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.365] GetFileType (hFile=0x1ac) returned 0x1 [0037.365] NtQueryObject (in: Handle=0x1ac, ObjectInformationClass=0x1, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.365] MapViewOfFile (hFileMappingObject=0x1ac, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x0 [0037.366] GetFileType (hFile=0x1ac) returned 0x1 [0037.366] NtQueryObject (in: Handle=0x1ac, ObjectInformationClass=0x1, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.366] MapViewOfFile (hFileMappingObject=0x1ac, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x0 [0037.366] GetFileType (hFile=0x1ac) returned 0x1 [0037.366] NtQueryObject (in: Handle=0x1ac, ObjectInformationClass=0x1, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.366] MapViewOfFile (hFileMappingObject=0x1ac, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x0 [0037.366] GetFileType (hFile=0x1ac) returned 0x1 [0037.366] NtQueryObject (in: Handle=0x1ac, ObjectInformationClass=0x1, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.366] MapViewOfFile (hFileMappingObject=0x1ac, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x0 [0037.366] GetFileType (hFile=0x1ac) returned 0x1 [0037.366] NtQueryObject (in: Handle=0x1ac, ObjectInformationClass=0x1, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.367] MapViewOfFile (hFileMappingObject=0x1ac, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x0 [0037.367] GetFileType (hFile=0x1ac) returned 0x1 [0037.367] NtQueryObject (in: Handle=0x1ac, ObjectInformationClass=0x1, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.367] MapViewOfFile (hFileMappingObject=0x1ac, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x0 [0037.367] GetFileType (hFile=0x1ac) returned 0x1 [0037.367] NtQueryObject (in: Handle=0x1ac, ObjectInformationClass=0x1, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.367] MapViewOfFile (hFileMappingObject=0x1ac, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x0 [0037.373] GetFileType (hFile=0x1b0) returned 0x2 [0037.373] GetFileType (hFile=0x1b0) returned 0x2 [0037.376] GetFileType (hFile=0x1b0) returned 0x0 [0037.383] GetFileType (hFile=0x1b0) returned 0x1 [0037.383] NtQueryObject (in: Handle=0x1b0, ObjectInformationClass=0x1, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.384] MapViewOfFile (hFileMappingObject=0x1b0, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x0 [0037.384] GetFileType (hFile=0x1b0) returned 0x3 [0037.384] GetFileType (hFile=0x1b0) returned 0x3 [0037.384] GetFileType (hFile=0x1b0) returned 0x3 [0037.387] GetFileType (hFile=0x1b0) returned 0x0 [0037.387] GetFileType (hFile=0x1b0) returned 0x0 [0037.459] GetFileType (hFile=0x1b0) returned 0x0 [0037.459] GetFileType (hFile=0x1b0) returned 0x1 [0037.459] NtQueryObject (in: Handle=0x1b0, ObjectInformationClass=0x1, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.459] MapViewOfFile (hFileMappingObject=0x1b0, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x0 [0037.472] GetFileType (hFile=0x1b4) returned 0x0 [0037.474] GetFileType (hFile=0x1b4) returned 0x1 [0037.474] NtQueryObject (in: Handle=0x1b4, ObjectInformationClass=0x1, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.474] MapViewOfFile (hFileMappingObject=0x1b4, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x0 [0037.475] GetFileType (hFile=0x1b4) returned 0x1 [0037.475] NtQueryObject (in: Handle=0x1b4, ObjectInformationClass=0x1, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.475] MapViewOfFile (hFileMappingObject=0x1b4, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x0 [0037.475] GetFileType (hFile=0x1b4) returned 0x3 [0037.475] GetFileType (hFile=0x1b4) returned 0x3 [0037.475] GetFileType (hFile=0x1b4) returned 0x3 [0037.476] GetFileType (hFile=0x1b4) returned 0x3 [0037.476] GetFileType (hFile=0x1b4) returned 0x3 [0037.476] GetFileType (hFile=0x1b4) returned 0x3 [0037.476] GetFileType (hFile=0x1b4) returned 0x3 [0037.476] GetFileType (hFile=0x1b4) returned 0x3 [0037.483] GetFileType (hFile=0x1b4) returned 0x0 [0037.487] GetFileType (hFile=0x1b4) returned 0x1 [0037.487] NtQueryObject (in: Handle=0x1b4, ObjectInformationClass=0x1, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.487] MapViewOfFile (hFileMappingObject=0x1b4, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x0 [0037.487] GetFileType (hFile=0x1b4) returned 0x1 [0037.487] NtQueryObject (in: Handle=0x1b4, ObjectInformationClass=0x1, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.487] MapViewOfFile (hFileMappingObject=0x1b4, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x0 [0037.487] GetFileType (hFile=0x1b4) returned 0x1 [0037.487] NtQueryObject (in: Handle=0x1b4, ObjectInformationClass=0x1, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.487] MapViewOfFile (hFileMappingObject=0x1b4, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x0 [0037.488] GetFileType (hFile=0x1b4) returned 0x1 [0037.488] NtQueryObject (in: Handle=0x1b4, ObjectInformationClass=0x1, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.488] MapViewOfFile (hFileMappingObject=0x1b4, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x0 [0037.488] GetFileType (hFile=0x1b4) returned 0x1 [0037.488] NtQueryObject (in: Handle=0x1b4, ObjectInformationClass=0x1, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.488] MapViewOfFile (hFileMappingObject=0x1b4, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x0 [0037.493] GetFileType (hFile=0x1b4) returned 0x3 [0037.493] GetFileType (hFile=0x1b4) returned 0x3 [0037.493] GetFileType (hFile=0x1b4) returned 0x3 [0037.494] GetFileType (hFile=0x1b4) returned 0x3 [0037.499] GetFileType (hFile=0x1b4) returned 0x1 [0037.499] NtQueryObject (in: Handle=0x1b4, ObjectInformationClass=0x1, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.499] MapViewOfFile (hFileMappingObject=0x1b4, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x0 [0037.507] GetFileType (hFile=0x1b8) returned 0x1 [0037.507] NtQueryObject (in: Handle=0x1b8, ObjectInformationClass=0x1, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.508] MapViewOfFile (hFileMappingObject=0x1b8, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x0 [0037.508] GetFileType (hFile=0x1b8) returned 0x1 [0037.508] NtQueryObject (in: Handle=0x1b8, ObjectInformationClass=0x1, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.508] MapViewOfFile (hFileMappingObject=0x1b8, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x0 [0037.514] GetFileType (hFile=0x1b8) returned 0x1 [0037.514] NtQueryObject (in: Handle=0x1b8, ObjectInformationClass=0x1, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.515] MapViewOfFile (hFileMappingObject=0x1b8, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x0 [0037.521] GetFileType (hFile=0x1bc) returned 0x3 [0037.522] GetFileType (hFile=0x1bc) returned 0x3 [0037.522] GetFileType (hFile=0x1bc) returned 0x3 [0037.523] GetFileType (hFile=0x1bc) returned 0x3 [0037.523] GetFileType (hFile=0x1bc) returned 0x3 [0037.523] GetFileType (hFile=0x1bc) returned 0x3 [0037.524] GetFileType (hFile=0x1bc) returned 0x3 [0037.569] GetFileType (hFile=0x1bc) returned 0x3 [0037.569] GetFileType (hFile=0x1bc) returned 0x3 [0037.570] GetFileType (hFile=0x1bc) returned 0x3 [0037.591] GetFileType (hFile=0x1bc) returned 0x0 [0037.591] GetFileType (hFile=0x1bc) returned 0x0 [0037.594] GetFileType (hFile=0x1bc) returned 0x1 [0037.594] NtQueryObject (in: Handle=0x1bc, ObjectInformationClass=0x1, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.595] MapViewOfFile (hFileMappingObject=0x1bc, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x0 [0037.595] GetFileType (hFile=0x1bc) returned 0x3 [0037.601] GetFileType (hFile=0x1bc) returned 0x1 [0037.601] NtQueryObject (in: Handle=0x1bc, ObjectInformationClass=0x1, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.601] MapViewOfFile (hFileMappingObject=0x1bc, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x0 [0037.601] GetFileType (hFile=0x1bc) returned 0x1 [0037.601] NtQueryObject (in: Handle=0x1bc, ObjectInformationClass=0x1, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.601] MapViewOfFile (hFileMappingObject=0x1bc, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x0 [0037.602] GetFileType (hFile=0x1bc) returned 0x1 [0037.602] NtQueryObject (in: Handle=0x1bc, ObjectInformationClass=0x1, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.602] MapViewOfFile (hFileMappingObject=0x1bc, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x0 [0037.613] GetFileType (hFile=0x1c4) returned 0x1 [0037.614] NtQueryObject (in: Handle=0x1c4, ObjectInformationClass=0x1, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.614] MapViewOfFile (hFileMappingObject=0x1c4, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x0 [0037.615] GetFileType (hFile=0x1c4) returned 0x1 [0037.615] NtQueryObject (in: Handle=0x1c4, ObjectInformationClass=0x1, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.615] MapViewOfFile (hFileMappingObject=0x1c4, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x0 [0037.621] GetFileType (hFile=0x1c4) returned 0x1 [0037.621] NtQueryObject (in: Handle=0x1c4, ObjectInformationClass=0x1, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.621] MapViewOfFile (hFileMappingObject=0x1c4, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x0 [0037.623] GetFileType (hFile=0x1c4) returned 0x1 [0037.623] NtQueryObject (in: Handle=0x1c4, ObjectInformationClass=0x1, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.623] MapViewOfFile (hFileMappingObject=0x1c4, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x0 [0037.624] GetFileType (hFile=0x1c4) returned 0x1 [0037.624] NtQueryObject (in: Handle=0x1c4, ObjectInformationClass=0x1, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.624] MapViewOfFile (hFileMappingObject=0x1c4, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x0 [0037.624] GetFileType (hFile=0x1c4) returned 0x1 [0037.624] NtQueryObject (in: Handle=0x1c4, ObjectInformationClass=0x1, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.624] MapViewOfFile (hFileMappingObject=0x1c4, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x0 [0037.624] GetFileType (hFile=0x1c4) returned 0x1 [0037.624] NtQueryObject (in: Handle=0x1c4, ObjectInformationClass=0x1, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.624] MapViewOfFile (hFileMappingObject=0x1c4, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x0 [0037.625] GetFileType (hFile=0x1c4) returned 0x1 [0037.625] NtQueryObject (in: Handle=0x1c4, ObjectInformationClass=0x1, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.625] MapViewOfFile (hFileMappingObject=0x1c4, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x0 [0037.625] GetFileType (hFile=0x1c4) returned 0x1 [0037.625] NtQueryObject (in: Handle=0x1c4, ObjectInformationClass=0x1, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.625] MapViewOfFile (hFileMappingObject=0x1c4, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x0 [0037.626] GetFileType (hFile=0x1c4) returned 0x1 [0037.626] NtQueryObject (in: Handle=0x1c4, ObjectInformationClass=0x1, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.626] MapViewOfFile (hFileMappingObject=0x1c4, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x0 [0037.626] GetFileType (hFile=0x1c4) returned 0x1 [0037.627] NtQueryObject (in: Handle=0x1c4, ObjectInformationClass=0x1, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.627] MapViewOfFile (hFileMappingObject=0x1c4, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x0 [0037.628] GetFileType (hFile=0x1c4) returned 0x1 [0037.628] NtQueryObject (in: Handle=0x1c4, ObjectInformationClass=0x1, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.628] MapViewOfFile (hFileMappingObject=0x1c4, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x0 [0037.629] GetFileType (hFile=0x1c4) returned 0x1 [0037.629] NtQueryObject (in: Handle=0x1c4, ObjectInformationClass=0x1, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.629] MapViewOfFile (hFileMappingObject=0x1c4, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x0 [0037.631] GetFileType (hFile=0x1c4) returned 0x1 [0037.631] NtQueryObject (in: Handle=0x1c4, ObjectInformationClass=0x1, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.631] MapViewOfFile (hFileMappingObject=0x1c4, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x0 [0037.632] GetFileType (hFile=0x1c4) returned 0x1 [0037.632] NtQueryObject (in: Handle=0x1c4, ObjectInformationClass=0x1, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.640] MapViewOfFile (hFileMappingObject=0x1c4, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x0 [0037.640] GetFileType (hFile=0x1c4) returned 0x1 [0037.640] NtQueryObject (in: Handle=0x1c4, ObjectInformationClass=0x1, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.641] MapViewOfFile (hFileMappingObject=0x1c4, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x0 [0037.641] GetFileType (hFile=0x1c4) returned 0x1 [0037.641] NtQueryObject (in: Handle=0x1c4, ObjectInformationClass=0x1, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.641] MapViewOfFile (hFileMappingObject=0x1c4, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x0 [0037.641] GetFileType (hFile=0x1c4) returned 0x1 [0037.641] NtQueryObject (in: Handle=0x1c4, ObjectInformationClass=0x1, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.641] MapViewOfFile (hFileMappingObject=0x1c4, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x0 [0037.642] GetFileType (hFile=0x1c4) returned 0x1 [0037.642] NtQueryObject (in: Handle=0x1c4, ObjectInformationClass=0x1, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.642] MapViewOfFile (hFileMappingObject=0x1c4, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x0 [0037.642] GetFileType (hFile=0x1c4) returned 0x1 [0037.642] NtQueryObject (in: Handle=0x1c4, ObjectInformationClass=0x1, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.642] MapViewOfFile (hFileMappingObject=0x1c4, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x0 [0037.643] GetFileType (hFile=0x1c4) returned 0x1 [0037.643] NtQueryObject (in: Handle=0x1c4, ObjectInformationClass=0x1, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.643] MapViewOfFile (hFileMappingObject=0x1c4, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x0 [0037.643] GetFileType (hFile=0x1c4) returned 0x1 [0037.643] NtQueryObject (in: Handle=0x1c4, ObjectInformationClass=0x1, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.643] MapViewOfFile (hFileMappingObject=0x1c4, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x0 [0037.646] GetFileType (hFile=0x1c4) returned 0x0 [0037.648] GetFileType (hFile=0x1c4) returned 0x3 [0037.649] GetFileType (hFile=0x1c4) returned 0x1 [0037.649] NtQueryObject (in: Handle=0x1c4, ObjectInformationClass=0x1, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.649] MapViewOfFile (hFileMappingObject=0x1c4, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x0 [0037.649] GetFileType (hFile=0x1c4) returned 0x1 [0037.650] NtQueryObject (in: Handle=0x1c4, ObjectInformationClass=0x1, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.650] MapViewOfFile (hFileMappingObject=0x1c4, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x0 [0037.650] GetFileType (hFile=0x1c4) returned 0x1 [0037.650] NtQueryObject (in: Handle=0x1c4, ObjectInformationClass=0x1, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.650] MapViewOfFile (hFileMappingObject=0x1c4, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x0 [0037.656] GetFileType (hFile=0x1c4) returned 0x1 [0037.656] NtQueryObject (in: Handle=0x1c4, ObjectInformationClass=0x1, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.656] MapViewOfFile (hFileMappingObject=0x1c4, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x0 [0037.656] GetFileType (hFile=0x1c4) returned 0x1 [0037.656] NtQueryObject (in: Handle=0x1c4, ObjectInformationClass=0x1, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.656] MapViewOfFile (hFileMappingObject=0x1c4, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x0 [0037.656] GetFileType (hFile=0x1c4) returned 0x1 [0037.656] NtQueryObject (in: Handle=0x1c4, ObjectInformationClass=0x1, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.656] MapViewOfFile (hFileMappingObject=0x1c4, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x0 [0037.657] GetFileType (hFile=0x1c4) returned 0x1 [0037.657] NtQueryObject (in: Handle=0x1c4, ObjectInformationClass=0x1, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.657] MapViewOfFile (hFileMappingObject=0x1c4, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x0 [0037.657] GetFileType (hFile=0x1c4) returned 0x1 [0037.657] NtQueryObject (in: Handle=0x1c4, ObjectInformationClass=0x1, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.657] MapViewOfFile (hFileMappingObject=0x1c4, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x0 [0037.699] GetFileType (hFile=0x1c4) returned 0x1 [0037.699] NtQueryObject (in: Handle=0x1c4, ObjectInformationClass=0x1, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.699] MapViewOfFile (hFileMappingObject=0x1c4, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x0 [0037.699] GetFileType (hFile=0x1c4) returned 0x1 [0037.699] NtQueryObject (in: Handle=0x1c4, ObjectInformationClass=0x1, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.699] MapViewOfFile (hFileMappingObject=0x1c4, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x0 [0037.700] GetFileType (hFile=0x1c4) returned 0x1 [0037.700] NtQueryObject (in: Handle=0x1c4, ObjectInformationClass=0x1, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.700] MapViewOfFile (hFileMappingObject=0x1c4, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x0 [0037.700] GetFileType (hFile=0x1c4) returned 0x1 [0037.700] NtQueryObject (in: Handle=0x1c4, ObjectInformationClass=0x1, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.700] MapViewOfFile (hFileMappingObject=0x1c4, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x0 [0037.701] GetFileType (hFile=0x1c4) returned 0x1 [0037.701] NtQueryObject (in: Handle=0x1c4, ObjectInformationClass=0x1, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.701] MapViewOfFile (hFileMappingObject=0x1c4, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x0 [0037.701] GetFileType (hFile=0x1c4) returned 0x1 [0037.702] NtQueryObject (in: Handle=0x1c4, ObjectInformationClass=0x1, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.702] MapViewOfFile (hFileMappingObject=0x1c4, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x0 [0037.702] GetFileType (hFile=0x1c4) returned 0x1 [0037.702] NtQueryObject (in: Handle=0x1c4, ObjectInformationClass=0x1, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.702] MapViewOfFile (hFileMappingObject=0x1c4, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x0 [0037.837] GetFileType (hFile=0x1cc) returned 0x1 [0037.837] NtQueryObject (in: Handle=0x1cc, ObjectInformationClass=0x1, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.837] MapViewOfFile (hFileMappingObject=0x1cc, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x0 [0037.839] GetFileType (hFile=0x1cc) returned 0x1 [0037.839] NtQueryObject (in: Handle=0x1cc, ObjectInformationClass=0x1, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.839] MapViewOfFile (hFileMappingObject=0x1cc, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x0 [0037.840] GetFileType (hFile=0x1cc) returned 0x3 [0037.843] GetFileType (hFile=0x1d0) returned 0x0 [0037.843] GetFileType (hFile=0x1d0) returned 0x0 [0037.843] GetFileType (hFile=0x1d0) returned 0x0 [0037.843] GetFileType (hFile=0x1d0) returned 0x0 [0037.843] GetFileType (hFile=0x1d0) returned 0x0 [0037.846] GetFileType (hFile=0x1d0) returned 0x1 [0037.846] NtQueryObject (in: Handle=0x1d0, ObjectInformationClass=0x1, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.846] MapViewOfFile (hFileMappingObject=0x1d0, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x0 [0037.847] GetFileType (hFile=0x1d0) returned 0x0 [0037.991] GetFileType (hFile=0x1d8) returned 0x1 [0037.991] NtQueryObject (in: Handle=0x1d8, ObjectInformationClass=0x1, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.992] MapViewOfFile (hFileMappingObject=0x1d8, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x0 [0037.992] GetFileType (hFile=0x1d8) returned 0x1 [0037.992] NtQueryObject (in: Handle=0x1d8, ObjectInformationClass=0x1, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.992] MapViewOfFile (hFileMappingObject=0x1d8, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x0 [0037.993] GetFileType (hFile=0x1d8) returned 0x1 [0037.994] NtQueryObject (in: Handle=0x1d8, ObjectInformationClass=0x1, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.994] MapViewOfFile (hFileMappingObject=0x1d8, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x0 [0037.997] GetFileType (hFile=0x1d8) returned 0x1 [0037.997] NtQueryObject (in: Handle=0x1d8, ObjectInformationClass=0x1, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.997] MapViewOfFile (hFileMappingObject=0x1d8, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x0 [0037.997] GetFileType (hFile=0x1d8) returned 0x1 [0037.997] NtQueryObject (in: Handle=0x1d8, ObjectInformationClass=0x1, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.997] MapViewOfFile (hFileMappingObject=0x1d8, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x0 [0037.998] GetFileType (hFile=0x1d8) returned 0x1 [0037.999] NtQueryObject (in: Handle=0x1d8, ObjectInformationClass=0x1, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.999] MapViewOfFile (hFileMappingObject=0x1d8, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x0 [0037.999] GetFileType (hFile=0x1d8) returned 0x1 [0037.999] NtQueryObject (in: Handle=0x1d8, ObjectInformationClass=0x1, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0037.999] MapViewOfFile (hFileMappingObject=0x1d8, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x0 [0038.000] GetFileType (hFile=0x1d8) returned 0x1 [0038.000] NtQueryObject (in: Handle=0x1d8, ObjectInformationClass=0x1, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0038.000] MapViewOfFile (hFileMappingObject=0x1d8, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x0 [0038.066] GetFileType (hFile=0x228) returned 0x1 [0038.066] NtQueryObject (in: Handle=0x228, ObjectInformationClass=0x1, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0038.066] MapViewOfFile (hFileMappingObject=0x228, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x0 [0038.067] GetFileType (hFile=0x22c) returned 0x1 [0038.067] NtQueryObject (in: Handle=0x22c, ObjectInformationClass=0x1, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0038.067] MapViewOfFile (hFileMappingObject=0x22c, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x0 [0038.069] GetFileType (hFile=0x230) returned 0x1 [0038.069] NtQueryObject (in: Handle=0x230, ObjectInformationClass=0x1, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0038.069] MapViewOfFile (hFileMappingObject=0x230, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x0 [0038.072] GetFileType (hFile=0x234) returned 0x1 [0038.072] NtQueryObject (in: Handle=0x234, ObjectInformationClass=0x1, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0038.072] MapViewOfFile (hFileMappingObject=0x234, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x0 [0038.073] GetFileType (hFile=0x238) returned 0x1 [0038.073] NtQueryObject (in: Handle=0x238, ObjectInformationClass=0x1, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0038.073] MapViewOfFile (hFileMappingObject=0x238, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x0 [0038.076] GetFileType (hFile=0x23c) returned 0x1 [0038.076] NtQueryObject (in: Handle=0x23c, ObjectInformationClass=0x1, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0038.077] MapViewOfFile (hFileMappingObject=0x23c, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x0 [0038.078] GetFileType (hFile=0x240) returned 0x1 [0038.078] NtQueryObject (in: Handle=0x240, ObjectInformationClass=0x1, ObjectInformation=0xadd258, ObjectInformationLength=0x2800, ReturnLength=0x16af9d8 | out: ObjectInformation=0xadd258, ReturnLength=0x16af9d8) returned 0x0 [0038.079] MapViewOfFile (hFileMappingObject=0x240, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x4) returned 0x0 [0038.083] GetFileType (hFile=0x240) returned 0x3 Thread: id = 305 os_tid = 0xa04 Thread: id = 435 os_tid = 0x188 Process: id = "18" image_name = "vssvc.exe" filename = "c:\\windows\\system32\\vssvc.exe" page_root = "0x4d94b000" os_pid = "0x9ac" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "5" os_parent_pid = "0x1d4" cmd_line = "C:\\Windows\\system32\\vssvc.exe" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\VSS" [0xe], "NT AUTHORITY\\Logon Session 00000000:00047a1a" [0xc000000f], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Region: id = 1679 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1680 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1681 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 1682 start_va = 0x1b0000 end_va = 0x22ffff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 1683 start_va = 0x77860000 end_va = 0x77a08fff entry_point = 0x77860000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1684 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 1685 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1686 start_va = 0xff4c0000 end_va = 0xff64afff entry_point = 0xff4c0000 region_type = mapped_file name = "vssvc.exe" filename = "\\Windows\\System32\\VSSVC.exe" (normalized: "c:\\windows\\system32\\vssvc.exe") Region: id = 1687 start_va = 0x7feffb80000 end_va = 0x7feffb80fff entry_point = 0x7feffb80000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 1688 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 1689 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 1690 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 1900 start_va = 0x3b0000 end_va = 0x4affff entry_point = 0x0 region_type = private name = "private_0x00000000003b0000" filename = "" Region: id = 1901 start_va = 0x77740000 end_va = 0x7785efff entry_point = 0x77740000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1902 start_va = 0x7fefd900000 end_va = 0x7fefd96afff entry_point = 0x7fefd900000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1905 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1906 start_va = 0x20000 end_va = 0x26fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 1907 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1908 start_va = 0xc0000 end_va = 0xc1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 1909 start_va = 0xd0000 end_va = 0xe0fff entry_point = 0xd0000 region_type = mapped_file name = "vssvc.exe.mui" filename = "\\Windows\\System32\\en-US\\VSSVC.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\vssvc.exe.mui") Region: id = 1910 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 1911 start_va = 0x100000 end_va = 0x100fff entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 1912 start_va = 0x120000 end_va = 0x12ffff entry_point = 0x0 region_type = private name = "private_0x0000000000120000" filename = "" Region: id = 1913 start_va = 0x230000 end_va = 0x32ffff entry_point = 0x0 region_type = private name = "private_0x0000000000230000" filename = "" Region: id = 1914 start_va = 0x4b0000 end_va = 0x637fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 1915 start_va = 0x640000 end_va = 0x7c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000640000" filename = "" Region: id = 1916 start_va = 0x7d0000 end_va = 0x88ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007d0000" filename = "" Region: id = 1917 start_va = 0x77640000 end_va = 0x77739fff entry_point = 0x77640000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1918 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 1919 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 1920 start_va = 0x7fef7230000 end_va = 0x7fef7248fff entry_point = 0x7fef7230000 region_type = mapped_file name = "resutils.dll" filename = "\\Windows\\System32\\resutils.dll" (normalized: "c:\\windows\\system32\\resutils.dll") Region: id = 1921 start_va = 0x7fef7250000 end_va = 0x7fef729ffff entry_point = 0x7fef7250000 region_type = mapped_file name = "clusapi.dll" filename = "\\Windows\\System32\\clusapi.dll" (normalized: "c:\\windows\\system32\\clusapi.dll") Region: id = 1922 start_va = 0x7fef7e80000 end_va = 0x7fef7e96fff entry_point = 0x7fef7e80000 region_type = mapped_file name = "vsstrace.dll" filename = "\\Windows\\System32\\vsstrace.dll" (normalized: "c:\\windows\\system32\\vsstrace.dll") Region: id = 1923 start_va = 0x7fef7ea0000 end_va = 0x7fef804ffff entry_point = 0x7fef7ea0000 region_type = mapped_file name = "vssapi.dll" filename = "\\Windows\\System32\\vssapi.dll" (normalized: "c:\\windows\\system32\\vssapi.dll") Region: id = 1924 start_va = 0x7fef9040000 end_va = 0x7fef9053fff entry_point = 0x7fef9040000 region_type = mapped_file name = "xolehlp.dll" filename = "\\Windows\\System32\\xolehlp.dll" (normalized: "c:\\windows\\system32\\xolehlp.dll") Region: id = 1925 start_va = 0x7fef9060000 end_va = 0x7fef9068fff entry_point = 0x7fef9060000 region_type = mapped_file name = "fltlib.dll" filename = "\\Windows\\System32\\fltLib.dll" (normalized: "c:\\windows\\system32\\fltlib.dll") Region: id = 1926 start_va = 0x7fef9070000 end_va = 0x7fef9079fff entry_point = 0x7fef9070000 region_type = mapped_file name = "virtdisk.dll" filename = "\\Windows\\System32\\virtdisk.dll" (normalized: "c:\\windows\\system32\\virtdisk.dll") Region: id = 1927 start_va = 0x7fefb260000 end_va = 0x7fefb278fff entry_point = 0x7fefb260000 region_type = mapped_file name = "atl.dll" filename = "\\Windows\\System32\\atl.dll" (normalized: "c:\\windows\\system32\\atl.dll") Region: id = 1928 start_va = 0x7fefb890000 end_va = 0x7fefb8a3fff entry_point = 0x7fefb890000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 1929 start_va = 0x7fefb8b0000 end_va = 0x7fefb8c4fff entry_point = 0x7fefb8b0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 1930 start_va = 0x7fefb8d0000 end_va = 0x7fefb8dbfff entry_point = 0x7fefb8d0000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 1931 start_va = 0x7fefb8e0000 end_va = 0x7fefb8f5fff entry_point = 0x7fefb8e0000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 1932 start_va = 0x7fefc970000 end_va = 0x7fefc97bfff entry_point = 0x7fefc970000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 1933 start_va = 0x7fefd290000 end_va = 0x7fefd2befff entry_point = 0x7fefd290000 region_type = mapped_file name = "authz.dll" filename = "\\Windows\\System32\\authz.dll" (normalized: "c:\\windows\\system32\\authz.dll") Region: id = 1934 start_va = 0x7fefd340000 end_va = 0x7fefd353fff entry_point = 0x7fefd340000 region_type = mapped_file name = "cryptdll.dll" filename = "\\Windows\\System32\\cryptdll.dll" (normalized: "c:\\windows\\system32\\cryptdll.dll") Region: id = 1935 start_va = 0x7fefd5a0000 end_va = 0x7fefd5c2fff entry_point = 0x7fefd5a0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 1936 start_va = 0x7fefd970000 end_va = 0x7fefd989fff entry_point = 0x7fefd970000 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 1937 start_va = 0x7fefdb00000 end_va = 0x7fefdb35fff entry_point = 0x7fefdb00000 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 1938 start_va = 0x7fefdb80000 end_va = 0x7fefdc48fff entry_point = 0x7fefdb80000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 1939 start_va = 0x7fefdc50000 end_va = 0x7fefdd26fff entry_point = 0x7fefdc50000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 1940 start_va = 0x7fefdd30000 end_va = 0x7fefdd3dfff entry_point = 0x7fefdd30000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 1941 start_va = 0x7fefdd40000 end_va = 0x7fefdd6dfff entry_point = 0x7fefdd40000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1942 start_va = 0x7fefed10000 end_va = 0x7fefed76fff entry_point = 0x7fefed10000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1943 start_va = 0x7fefed80000 end_va = 0x7fefee88fff entry_point = 0x7fefed80000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 1944 start_va = 0x7feff0f0000 end_va = 0x7feff1cafff entry_point = 0x7feff0f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 1945 start_va = 0x7feff1d0000 end_va = 0x7feff2fcfff entry_point = 0x7feff1d0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1946 start_va = 0x7feff300000 end_va = 0x7feff4d6fff entry_point = 0x7feff300000 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll") Region: id = 1947 start_va = 0x7feff4e0000 end_va = 0x7feff550fff entry_point = 0x7feff4e0000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 1948 start_va = 0x7feff850000 end_va = 0x7feff86efff entry_point = 0x7feff850000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1949 start_va = 0x7feff870000 end_va = 0x7feffa72fff entry_point = 0x7feff870000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 1950 start_va = 0x7feffa80000 end_va = 0x7feffb1efff entry_point = 0x7feffa80000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1952 start_va = 0x110000 end_va = 0x110fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000110000" filename = "" Region: id = 1953 start_va = 0x890000 end_va = 0xc82fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000890000" filename = "" Region: id = 1954 start_va = 0xd10000 end_va = 0xd8ffff entry_point = 0x0 region_type = private name = "private_0x0000000000d10000" filename = "" Region: id = 1955 start_va = 0xde0000 end_va = 0xe5ffff entry_point = 0x0 region_type = private name = "private_0x0000000000de0000" filename = "" Region: id = 1956 start_va = 0xea0000 end_va = 0xf1ffff entry_point = 0x0 region_type = private name = "private_0x0000000000ea0000" filename = "" Region: id = 1957 start_va = 0x1030000 end_va = 0x10affff entry_point = 0x0 region_type = private name = "private_0x0000000001030000" filename = "" Region: id = 1958 start_va = 0x10b0000 end_va = 0x137efff entry_point = 0x10b0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1959 start_va = 0x1490000 end_va = 0x150ffff entry_point = 0x0 region_type = private name = "private_0x0000000001490000" filename = "" Region: id = 1960 start_va = 0x1540000 end_va = 0x15bffff entry_point = 0x0 region_type = private name = "private_0x0000000001540000" filename = "" Region: id = 1961 start_va = 0x7fef9000000 end_va = 0x7fef9013fff entry_point = 0x7fef9000000 region_type = mapped_file name = "vss_ps.dll" filename = "\\Windows\\System32\\vss_ps.dll" (normalized: "c:\\windows\\system32\\vss_ps.dll") Region: id = 1962 start_va = 0x7fefcda0000 end_va = 0x7fefcde6fff entry_point = 0x7fefcda0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 1963 start_va = 0x7fefd0a0000 end_va = 0x7fefd0b6fff entry_point = 0x7fefd0a0000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 1964 start_va = 0x7fefd6a0000 end_va = 0x7fefd6aefff entry_point = 0x7fefd6a0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 1965 start_va = 0x7fefd790000 end_va = 0x7fefd7a3fff entry_point = 0x7fefd790000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 1966 start_va = 0x7feff560000 end_va = 0x7feff5f8fff entry_point = 0x7feff560000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 1967 start_va = 0x7fffffae000 end_va = 0x7fffffaffff entry_point = 0x0 region_type = private name = "private_0x000007fffffae000" filename = "" Region: id = 1968 start_va = 0x7fffffd3000 end_va = 0x7fffffd4fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd3000" filename = "" Region: id = 1969 start_va = 0x7fffffd5000 end_va = 0x7fffffd6fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd5000" filename = "" Region: id = 1970 start_va = 0x7fffffd7000 end_va = 0x7fffffd8fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd7000" filename = "" Region: id = 1971 start_va = 0x7fffffd9000 end_va = 0x7fffffdafff entry_point = 0x0 region_type = private name = "private_0x000007fffffd9000" filename = "" Region: id = 1972 start_va = 0x7fffffdb000 end_va = 0x7fffffdcfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdb000" filename = "" Region: id = 1973 start_va = 0x7fefbff0000 end_va = 0x7fefc00cfff entry_point = 0x7fefbff0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 1974 start_va = 0x130000 end_va = 0x130fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000130000" filename = "" Region: id = 1975 start_va = 0x7fefb1c0000 end_va = 0x7fefb226fff entry_point = 0x7fefb1c0000 region_type = mapped_file name = "es.dll" filename = "\\Windows\\System32\\es.dll" (normalized: "c:\\windows\\system32\\es.dll") Region: id = 2025 start_va = 0x7fefc540000 end_va = 0x7fefc66bfff entry_point = 0x7fefc540000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 2029 start_va = 0x7fef4af0000 end_va = 0x7fef4b74fff entry_point = 0x7fef4af0000 region_type = mapped_file name = "catsrvut.dll" filename = "\\Windows\\System32\\catsrvut.dll" (normalized: "c:\\windows\\system32\\catsrvut.dll") Region: id = 2030 start_va = 0x7fef9030000 end_va = 0x7fef903bfff entry_point = 0x7fef9030000 region_type = mapped_file name = "mfcsubs.dll" filename = "\\Windows\\System32\\mfcsubs.dll" (normalized: "c:\\windows\\system32\\mfcsubs.dll") Thread: id = 286 os_tid = 0x9b0 Thread: id = 287 os_tid = 0x9b4 Thread: id = 288 os_tid = 0x9b8 Thread: id = 289 os_tid = 0x9bc Thread: id = 290 os_tid = 0x9c0 Thread: id = 291 os_tid = 0x9c4 Thread: id = 292 os_tid = 0x9c8 Thread: id = 295 os_tid = 0x9dc Thread: id = 304 os_tid = 0xa00 Thread: id = 436 os_tid = 0x88c Process: id = "19" image_name = "8dat2h~1:bin" filename = "c:\\users\\5p5nrg~1\\appdata\\roaming\\8dat2h~1:bin" page_root = "0x4d72b000" os_pid = "0x9cc" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "17" os_parent_pid = "0x97c" cmd_line = "C:\\Users\\5P5NRG~1\\AppData\\Roaming\\\\8DAT2H~1:bin" cur_dir = "C:\\Windows\\system32\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e814" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1976 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1977 start_va = 0x30000 end_va = 0x31fff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 1978 start_va = 0x40000 end_va = 0x40fff entry_point = 0x40000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 1979 start_va = 0x50000 end_va = 0x53fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 1980 start_va = 0x60000 end_va = 0x60fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 1981 start_va = 0x90000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 1982 start_va = 0x190000 end_va = 0x1cffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 1983 start_va = 0x350000 end_va = 0x372fff entry_point = 0x350000 region_type = mapped_file name = "8dat2h~1" filename = "\\Users\\5P5NRG~1\\AppData\\Roaming\\8DAT2H~1" (normalized: "c:\\users\\5p5nrg~1\\appdata\\roaming\\8dat2h~1") Region: id = 1984 start_va = 0x77860000 end_va = 0x77a08fff entry_point = 0x77860000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1985 start_va = 0x77a40000 end_va = 0x77bbffff entry_point = 0x77a40000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 1986 start_va = 0x7efb0000 end_va = 0x7efd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efb0000" filename = "" Region: id = 1987 start_va = 0x7efdb000 end_va = 0x7efddfff entry_point = 0x0 region_type = private name = "private_0x000000007efdb000" filename = "" Region: id = 1988 start_va = 0x7efde000 end_va = 0x7efdefff entry_point = 0x0 region_type = private name = "private_0x000000007efde000" filename = "" Region: id = 1989 start_va = 0x7efdf000 end_va = 0x7efdffff entry_point = 0x0 region_type = private name = "private_0x000000007efdf000" filename = "" Region: id = 1990 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 1991 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1992 start_va = 0x7fff0000 end_va = 0x7fffffeffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 1993 start_va = 0x4c0000 end_va = 0x53ffff entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 1994 start_va = 0x74f80000 end_va = 0x74f87fff entry_point = 0x74f80000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 1995 start_va = 0x74f90000 end_va = 0x74febfff entry_point = 0x74f90000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 1996 start_va = 0x74ff0000 end_va = 0x7502efff entry_point = 0x74ff0000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 1997 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1998 start_va = 0x1d0000 end_va = 0x236fff entry_point = 0x1d0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1999 start_va = 0x260000 end_va = 0x26ffff entry_point = 0x0 region_type = private name = "private_0x0000000000260000" filename = "" Region: id = 2000 start_va = 0x680000 end_va = 0x77ffff entry_point = 0x0 region_type = private name = "private_0x0000000000680000" filename = "" Region: id = 2001 start_va = 0x751b0000 end_va = 0x7533ffff entry_point = 0x751b0000 region_type = mapped_file name = "gdiplus.dll" filename = "\\Windows\\winsxs\\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\\GdiPlus.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\\gdiplus.dll") Region: id = 2002 start_va = 0x75340000 end_va = 0x753c3fff entry_point = 0x75340000 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\\comctl32.dll") Region: id = 2003 start_va = 0x753d0000 end_va = 0x75401fff entry_point = 0x753d0000 region_type = mapped_file name = "winmm.dll" filename = "\\Windows\\SysWOW64\\winmm.dll" (normalized: "c:\\windows\\syswow64\\winmm.dll") Region: id = 2004 start_va = 0x75410000 end_va = 0x7542bfff entry_point = 0x75410000 region_type = mapped_file name = "oledlg.dll" filename = "\\Windows\\SysWOW64\\oledlg.dll" (normalized: "c:\\windows\\syswow64\\oledlg.dll") Region: id = 2005 start_va = 0x75430000 end_va = 0x75480fff entry_point = 0x75430000 region_type = mapped_file name = "winspool.drv" filename = "\\Windows\\SysWOW64\\winspool.drv" (normalized: "c:\\windows\\syswow64\\winspool.drv") Region: id = 2006 start_va = 0x75590000 end_va = 0x7559bfff entry_point = 0x75590000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 2007 start_va = 0x755a0000 end_va = 0x755fffff entry_point = 0x755a0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 2008 start_va = 0x75660000 end_va = 0x7570bfff entry_point = 0x75660000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 2009 start_va = 0x75710000 end_va = 0x75719fff entry_point = 0x75710000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\SysWOW64\\lpk.dll" (normalized: "c:\\windows\\syswow64\\lpk.dll") Region: id = 2010 start_va = 0x75a60000 end_va = 0x75a78fff entry_point = 0x75a60000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 2011 start_va = 0x75a80000 end_va = 0x75b0ffff entry_point = 0x75a80000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 2012 start_va = 0x75b10000 end_va = 0x75bfffff entry_point = 0x75b10000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 2013 start_va = 0x75cc0000 end_va = 0x76909fff entry_point = 0x75cc0000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 2014 start_va = 0x76e30000 end_va = 0x76f8bfff entry_point = 0x76e30000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 2015 start_va = 0x76f90000 end_va = 0x7702ffff entry_point = 0x76f90000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 2016 start_va = 0x771d0000 end_va = 0x772cffff entry_point = 0x771d0000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 2017 start_va = 0x77350000 end_va = 0x773a6fff entry_point = 0x77350000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 2018 start_va = 0x773b0000 end_va = 0x774bffff entry_point = 0x773b0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 2019 start_va = 0x77550000 end_va = 0x775ecfff entry_point = 0x77550000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 2020 start_va = 0x775f0000 end_va = 0x77635fff entry_point = 0x775f0000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 2021 start_va = 0x77640000 end_va = 0x77739fff entry_point = 0x0 region_type = private name = "private_0x0000000077640000" filename = "" Region: id = 2022 start_va = 0x77740000 end_va = 0x7785efff entry_point = 0x0 region_type = private name = "private_0x0000000077740000" filename = "" Region: id = 2023 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 2024 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 2026 start_va = 0x780000 end_va = 0x907fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000780000" filename = "" Region: id = 2027 start_va = 0x76b30000 end_va = 0x76bfbfff entry_point = 0x76b30000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 2028 start_va = 0x76c00000 end_va = 0x76c5ffff entry_point = 0x76c00000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 2082 start_va = 0x20000 end_va = 0x20fff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 2083 start_va = 0x30000 end_va = 0x30fff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 2084 start_va = 0x70000 end_va = 0x8bfff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 2085 start_va = 0x4b0000 end_va = 0x4bffff entry_point = 0x0 region_type = private name = "private_0x00000000004b0000" filename = "" Region: id = 2086 start_va = 0x910000 end_va = 0xa90fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000910000" filename = "" Region: id = 2087 start_va = 0xaa0000 end_va = 0x1e9ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000aa0000" filename = "" Region: id = 2088 start_va = 0x2060000 end_va = 0x206ffff entry_point = 0x0 region_type = private name = "private_0x0000000002060000" filename = "" Region: id = 2125 start_va = 0x240000 end_va = 0x251fff entry_point = 0x0 region_type = private name = "private_0x0000000000240000" filename = "" Region: id = 2458 start_va = 0x310000 end_va = 0x34ffff entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 2459 start_va = 0x3a0000 end_va = 0x49ffff entry_point = 0x0 region_type = private name = "private_0x00000000003a0000" filename = "" Region: id = 2460 start_va = 0x7efd8000 end_va = 0x7efdafff entry_point = 0x0 region_type = private name = "private_0x000000007efd8000" filename = "" Region: id = 2461 start_va = 0x540000 end_va = 0x5effff entry_point = 0x0 region_type = private name = "private_0x0000000000540000" filename = "" Region: id = 2462 start_va = 0x2070000 end_va = 0x224ffff entry_point = 0x0 region_type = private name = "private_0x0000000002070000" filename = "" Region: id = 2463 start_va = 0x1ea0000 end_va = 0x1f9ffff entry_point = 0x0 region_type = private name = "private_0x0000000001ea0000" filename = "" Region: id = 2464 start_va = 0x270000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x0000000000270000" filename = "" Region: id = 2465 start_va = 0x2070000 end_va = 0x216ffff entry_point = 0x0 region_type = private name = "private_0x0000000002070000" filename = "" Region: id = 2466 start_va = 0x2240000 end_va = 0x224ffff entry_point = 0x0 region_type = private name = "private_0x0000000002240000" filename = "" Region: id = 2467 start_va = 0x75170000 end_va = 0x75185fff entry_point = 0x75170000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\SysWOW64\\cryptsp.dll" (normalized: "c:\\windows\\syswow64\\cryptsp.dll") Region: id = 2468 start_va = 0x7efd5000 end_va = 0x7efd7fff entry_point = 0x0 region_type = private name = "private_0x000000007efd5000" filename = "" Region: id = 2469 start_va = 0x2b0000 end_va = 0x2ebfff entry_point = 0x2b0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 2470 start_va = 0x2b0000 end_va = 0x2ebfff entry_point = 0x2b0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 2471 start_va = 0x2b0000 end_va = 0x2ebfff entry_point = 0x2b0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 2472 start_va = 0x2b0000 end_va = 0x2ebfff entry_point = 0x2b0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 2473 start_va = 0x2b0000 end_va = 0x2ebfff entry_point = 0x2b0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 2474 start_va = 0x75130000 end_va = 0x7516afff entry_point = 0x75130000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 2475 start_va = 0x2250000 end_va = 0x251efff entry_point = 0x2250000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 2476 start_va = 0x75720000 end_va = 0x7583cfff entry_point = 0x75720000 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\SysWOW64\\crypt32.dll" (normalized: "c:\\windows\\syswow64\\crypt32.dll") Region: id = 2477 start_va = 0x75c60000 end_va = 0x75c6bfff entry_point = 0x75c60000 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\SysWOW64\\msasn1.dll" (normalized: "c:\\windows\\syswow64\\msasn1.dll") Region: id = 2478 start_va = 0x750f0000 end_va = 0x75110fff entry_point = 0x750f0000 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\SysWOW64\\ntmarta.dll" (normalized: "c:\\windows\\syswow64\\ntmarta.dll") Region: id = 2479 start_va = 0x75c70000 end_va = 0x75cb4fff entry_point = 0x75c70000 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\SysWOW64\\Wldap32.dll" (normalized: "c:\\windows\\syswow64\\wldap32.dll") Region: id = 3178 start_va = 0x570000 end_va = 0x5affff entry_point = 0x0 region_type = private name = "private_0x0000000000570000" filename = "" Region: id = 3179 start_va = 0x5e0000 end_va = 0x5effff entry_point = 0x0 region_type = private name = "private_0x00000000005e0000" filename = "" Region: id = 3180 start_va = 0x5f0000 end_va = 0x62ffff entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 3181 start_va = 0x26e0000 end_va = 0x27dffff entry_point = 0x0 region_type = private name = "private_0x00000000026e0000" filename = "" Region: id = 3182 start_va = 0x28f0000 end_va = 0x29effff entry_point = 0x0 region_type = private name = "private_0x00000000028f0000" filename = "" Region: id = 3183 start_va = 0x7efaa000 end_va = 0x7efacfff entry_point = 0x0 region_type = private name = "private_0x000000007efaa000" filename = "" Region: id = 3184 start_va = 0x7efad000 end_va = 0x7efaffff entry_point = 0x0 region_type = private name = "private_0x000000007efad000" filename = "" Thread: id = 293 os_tid = 0x9d0 [0036.970] GetCurrentProcess () returned 0xffffffff [0036.970] GetTickCount () returned 0x18507 [0036.970] GetCurrentThreadId () returned 0x9d0 [0036.971] GetCurrentThreadId () returned 0x9d0 [0036.971] GetCurrentProcess () returned 0xffffffff [0036.971] GetVersion () returned 0x1db10106 [0036.971] GetVersion () returned 0x1db10106 [0036.971] GetCurrentProcess () returned 0xffffffff [0036.971] GetCurrentProcess () returned 0xffffffff [0036.971] GetTickCount () returned 0x18507 [0036.971] GetTickCount () returned 0x18507 [0036.971] GetTickCount () returned 0x18507 [0036.971] GetVersion () returned 0x1db10106 [0036.971] GetTickCount () returned 0x18507 [0036.971] GetCurrentThreadId () returned 0x9d0 [0036.971] GetVersion () returned 0x1db10106 [0036.971] GetTickCount () returned 0x18507 [0036.971] GetCurrentThreadId () returned 0x9d0 [0036.971] GetCurrentThreadId () returned 0x9d0 [0036.971] GetCurrentThreadId () returned 0x9d0 [0036.971] GetVersion () returned 0x1db10106 [0036.971] GetTickCount () returned 0x18507 [0036.971] GetCurrentThreadId () returned 0x9d0 [0036.971] GetTickCount () returned 0x18507 [0036.971] GetCurrentThreadId () returned 0x9d0 [0036.971] GetCurrentThreadId () returned 0x9d0 [0036.971] GetVersion () returned 0x1db10106 [0036.971] GetTickCount () returned 0x18507 [0036.971] GetTickCount () returned 0x18507 [0036.971] GetCurrentThreadId () returned 0x9d0 [0036.971] VirtualAlloc (lpAddress=0x0, dwSize=0x1c000, flAllocationType=0x1000, flProtect=0x40) returned 0x70000 [0037.664] VirtualAlloc (lpAddress=0x0, dwSize=0x11a00, flAllocationType=0x1000, flProtect=0x4) returned 0x240000 [0045.839] VirtualProtect (in: lpAddress=0x350000, dwSize=0x1c000, flNewProtect=0x40, lpflOldProtect=0x8a0b8 | out: lpflOldProtect=0x8a0b8*=0x2) returned 1 [0045.841] VirtualProtect (in: lpAddress=0x350000, dwSize=0x400, flNewProtect=0x2, lpflOldProtect=0x8a0b8 | out: lpflOldProtect=0x8a0b8*=0x40) returned 1 [0045.841] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x773b0000 [0045.842] GetProcAddress (hModule=0x773b0000, lpProcName="OutputDebugStringA") returned 0x773eb2b7 [0045.842] GetProcAddress (hModule=0x773b0000, lpProcName="HeapValidate") returned 0x773db17b [0045.852] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x18f274, nSize=0x1000 | out: lpFilename="C:\\Users\\5P5NRG~1\\AppData\\Roaming\\8DAT2H~1:bin" (normalized: "c:\\users\\5p5nrg~1\\appdata\\roaming\\8dat2h~1:bin")) returned 0x2e [0045.852] GetVersionExW (in: lpVersionInformation=0x18f914*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x18f914*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0045.852] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x18f900 | out: Wow64Process=0x18f900) returned 1 [0045.852] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x18f8dc | out: TokenHandle=0x18f8dc*=0xbc) returned 1 [0045.852] GetTokenInformation (in: TokenHandle=0xbc, TokenInformationClass=0x2, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x18f8d8 | out: TokenInformation=0x0, ReturnLength=0x18f8d8) returned 0 [0045.853] GetLastError () returned 0x7a [0045.853] GetTokenInformation (in: TokenHandle=0xbc, TokenInformationClass=0x2, TokenInformation=0x2240f98, TokenInformationLength=0x118, ReturnLength=0x18f8d8 | out: TokenInformation=0x2240f98, ReturnLength=0x18f8d8) returned 1 [0045.853] AllocateAndInitializeSid (in: pIdentifierAuthority=0x18f8e8, nSubAuthorityCount=0x2, nSubAuthority0=0x20, nSubAuthority1=0x220, nSubAuthority2=0x0, nSubAuthority3=0x0, nSubAuthority4=0x0, nSubAuthority5=0x0, nSubAuthority6=0x0, nSubAuthority7=0x0, pSid=0x18f8e0 | out: pSid=0x18f8e0*=0x691608*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0))) returned 1 [0045.853] EqualSid (pSid1=0x691608*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), pSid2=0x2240ffc*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x25))) returned 0 [0045.853] EqualSid (pSid1=0x691608*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), pSid2=0x2241018*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x1), SubAuthority=0x0)) returned 0 [0045.853] EqualSid (pSid1=0x691608*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), pSid2=0x2241024*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0))) returned 1 [0045.853] NtClose (Handle=0xbc) returned 0x0 [0045.853] RtlQueryElevationFlags () returned 0x0 [0045.854] SHRegDuplicateHKey (hkey=0x80000002) returned 0x80000002 [0045.854] RegEnumKeyW (in: hKey=0x80000002, dwIndex=0x0, lpName=0x224b8d0, cchName=0x104 | out: lpName="BCD00000000") returned 0x0 [0045.854] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="bcd00000000", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0045.854] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="bcd00000000", cchWideChar=11, lpMultiByteStr=0x224bbe0, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bcd00000000", lpUsedDefaultChar=0x0) returned 11 [0045.854] RegEnumKeyW (in: hKey=0x80000002, dwIndex=0x1, lpName=0x224b8d0, cchName=0x104 | out: lpName="HARDWARE") returned 0x0 [0045.854] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="hardware", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0045.854] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="hardware", cchWideChar=8, lpMultiByteStr=0x224bc40, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="hardware", lpUsedDefaultChar=0x0) returned 8 [0045.855] RegEnumKeyW (in: hKey=0x80000002, dwIndex=0x2, lpName=0x224b8d0, cchName=0x104 | out: lpName="SAM") returned 0x0 [0045.855] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="sam", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0045.855] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="sam", cchWideChar=3, lpMultiByteStr=0x224bc88, cbMultiByte=3, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="sam", lpUsedDefaultChar=0x0) returned 3 [0045.855] RegEnumKeyW (in: hKey=0x80000002, dwIndex=0x3, lpName=0x224b8d0, cchName=0x104 | out: lpName="SECURITY") returned 0x0 [0045.855] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="security", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0045.855] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="security", cchWideChar=8, lpMultiByteStr=0x224bc40, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="security", lpUsedDefaultChar=0x0) returned 8 [0045.855] RegEnumKeyW (in: hKey=0x80000002, dwIndex=0x4, lpName=0x224b8d0, cchName=0x104 | out: lpName="SOFTWARE") returned 0x0 [0045.855] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="software", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0045.855] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="software", cchWideChar=8, lpMultiByteStr=0x224bc88, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="software", lpUsedDefaultChar=0x0) returned 8 [0045.856] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE", ulOptions=0x0, samDesired=0x20109, phkResult=0x18f85c | out: phkResult=0x18f85c*=0xbc) returned 0x0 [0046.022] RegCloseKey (hKey=0x80000002) returned 0x0 [0046.022] RegEnumKeyW (in: hKey=0xbc, dwIndex=0x0, lpName=0x224b8d0, cchName=0x104 | out: lpName="ATI Technologies") returned 0x0 [0046.023] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ati technologies", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0046.023] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ati technologies", cchWideChar=16, lpMultiByteStr=0x224c0c0, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ati technologies", lpUsedDefaultChar=0x0) returned 16 [0046.023] RegEnumKeyW (in: hKey=0xbc, dwIndex=0x1, lpName=0x224b8d0, cchName=0x104 | out: lpName="CBSTEST") returned 0x0 [0046.023] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="cbstest", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0046.023] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="cbstest", cchWideChar=7, lpMultiByteStr=0x224c108, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="cbstest", lpUsedDefaultChar=0x0) returned 7 [0046.023] RegEnumKeyW (in: hKey=0xbc, dwIndex=0x2, lpName=0x224b8d0, cchName=0x104 | out: lpName="Classes") returned 0x0 [0046.023] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="classes", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0046.023] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="classes", cchWideChar=7, lpMultiByteStr=0x224c0c0, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="classes", lpUsedDefaultChar=0x0) returned 7 [0046.023] RegEnumKeyW (in: hKey=0xbc, dwIndex=0x3, lpName=0x224b8d0, cchName=0x104 | out: lpName="Clients") returned 0x0 [0046.023] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="clients", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0046.023] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="clients", cchWideChar=7, lpMultiByteStr=0x224c108, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="clients", lpUsedDefaultChar=0x0) returned 7 [0046.023] RegEnumKeyW (in: hKey=0xbc, dwIndex=0x4, lpName=0x224b8d0, cchName=0x104 | out: lpName="Intel") returned 0x0 [0046.023] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="intel", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0046.023] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="intel", cchWideChar=5, lpMultiByteStr=0x224c0c0, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="intel", lpUsedDefaultChar=0x0) returned 5 [0046.023] RegEnumKeyW (in: hKey=0xbc, dwIndex=0x5, lpName=0x224b8d0, cchName=0x104 | out: lpName="Macromedia") returned 0x0 [0046.024] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="macromedia", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0046.024] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="macromedia", cchWideChar=10, lpMultiByteStr=0x224c108, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="macromedia", lpUsedDefaultChar=0x0) returned 10 [0046.024] RegEnumKeyW (in: hKey=0xbc, dwIndex=0x6, lpName=0x224b8d0, cchName=0x104 | out: lpName="Microsoft") returned 0x0 [0046.024] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="microsoft", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0046.024] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="microsoft", cchWideChar=9, lpMultiByteStr=0x224c0c0, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="microsoft", lpUsedDefaultChar=0x0) returned 9 [0046.024] RegOpenKeyExW (in: hKey=0xbc, lpSubKey="Microsoft", ulOptions=0x0, samDesired=0x20109, phkResult=0x18f85c | out: phkResult=0x18f85c*=0x3c) returned 0x0 [0046.024] RegCloseKey (hKey=0xbc) returned 0x0 [0046.024] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x0, lpName=0x224b8d0, cchName=0x104 | out: lpName=".NETFramework") returned 0x0 [0046.024] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr=".netframework", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0046.024] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr=".netframework", cchWideChar=13, lpMultiByteStr=0x224c108, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=".netframework", lpUsedDefaultChar=0x0) returned 13 [0046.024] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x1, lpName=0x224b8d0, cchName=0x104 | out: lpName="Active Setup") returned 0x0 [0046.024] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="active setup", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0046.024] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="active setup", cchWideChar=12, lpMultiByteStr=0x224c0c0, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="active setup", lpUsedDefaultChar=0x0) returned 12 [0046.024] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x2, lpName=0x224b8d0, cchName=0x104 | out: lpName="ADs") returned 0x0 [0046.024] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ads", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0046.024] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ads", cchWideChar=3, lpMultiByteStr=0x224c108, cbMultiByte=3, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ads", lpUsedDefaultChar=0x0) returned 3 [0046.025] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x3, lpName=0x224b8d0, cchName=0x104 | out: lpName="Advanced INF Setup") returned 0x0 [0046.025] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="advanced inf setup", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0046.025] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="advanced inf setup", cchWideChar=18, lpMultiByteStr=0x224c0c0, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="advanced inf setup", lpUsedDefaultChar=0x0) returned 18 [0046.025] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x4, lpName=0x224b8d0, cchName=0x104 | out: lpName="ALG") returned 0x0 [0046.025] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="alg", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0046.025] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="alg", cchWideChar=3, lpMultiByteStr=0x224c108, cbMultiByte=3, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="alg", lpUsedDefaultChar=0x0) returned 3 [0046.025] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x5, lpName=0x224b8d0, cchName=0x104 | out: lpName="ASP.NET") returned 0x0 [0046.025] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="asp.net", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0046.025] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="asp.net", cchWideChar=7, lpMultiByteStr=0x224c0c0, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="asp.net", lpUsedDefaultChar=0x0) returned 7 [0046.025] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x6, lpName=0x224b8d0, cchName=0x104 | out: lpName="Assistance") returned 0x0 [0046.025] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="assistance", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0046.025] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="assistance", cchWideChar=10, lpMultiByteStr=0x224c108, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="assistance", lpUsedDefaultChar=0x0) returned 10 [0046.025] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x7, lpName=0x224b8d0, cchName=0x104 | out: lpName="BidInterface") returned 0x0 [0046.025] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="bidinterface", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0046.025] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="bidinterface", cchWideChar=12, lpMultiByteStr=0x224c0c0, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bidinterface", lpUsedDefaultChar=0x0) returned 12 [0046.026] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x8, lpName=0x224b8d0, cchName=0x104 | out: lpName="COM3") returned 0x0 [0046.026] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="com3", cchWideChar=4, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 4 [0046.026] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="com3", cchWideChar=4, lpMultiByteStr=0x224c108, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="com3", lpUsedDefaultChar=0x0) returned 4 [0046.026] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x9, lpName=0x224b8d0, cchName=0x104 | out: lpName="Command Processor") returned 0x0 [0046.026] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="command processor", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0046.026] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="command processor", cchWideChar=17, lpMultiByteStr=0x224c0c0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="command processor", lpUsedDefaultChar=0x0) returned 17 [0046.026] RegEnumKeyW (in: hKey=0x3c, dwIndex=0xa, lpName=0x224b8d0, cchName=0x104 | out: lpName="Connect to a Network Projector") returned 0x0 [0046.026] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="connect to a network projector", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0046.026] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="connect to a network projector", cchWideChar=30, lpMultiByteStr=0x224c108, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="connect to a network projector", lpUsedDefaultChar=0x0) returned 30 [0046.026] RegEnumKeyW (in: hKey=0x3c, dwIndex=0xb, lpName=0x224b8d0, cchName=0x104 | out: lpName="Cryptography") returned 0x0 [0046.026] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="cryptography", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0046.026] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="cryptography", cchWideChar=12, lpMultiByteStr=0x224c0c0, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="cryptography", lpUsedDefaultChar=0x0) returned 12 [0046.026] RegEnumKeyW (in: hKey=0x3c, dwIndex=0xc, lpName=0x224b8d0, cchName=0x104 | out: lpName="CTF") returned 0x0 [0046.026] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ctf", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0046.026] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ctf", cchWideChar=3, lpMultiByteStr=0x224c108, cbMultiByte=3, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ctf", lpUsedDefaultChar=0x0) returned 3 [0046.026] RegEnumKeyW (in: hKey=0x3c, dwIndex=0xd, lpName=0x224b8d0, cchName=0x104 | out: lpName="DataAccess") returned 0x0 [0046.026] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="dataaccess", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0046.027] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="dataaccess", cchWideChar=10, lpMultiByteStr=0x224c0c0, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dataaccess", lpUsedDefaultChar=0x0) returned 10 [0046.027] RegEnumKeyW (in: hKey=0x3c, dwIndex=0xe, lpName=0x224b8d0, cchName=0x104 | out: lpName="DataFactory") returned 0x0 [0046.027] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="datafactory", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0046.027] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="datafactory", cchWideChar=11, lpMultiByteStr=0x224c108, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="datafactory", lpUsedDefaultChar=0x0) returned 11 [0046.027] RegEnumKeyW (in: hKey=0x3c, dwIndex=0xf, lpName=0x224b8d0, cchName=0x104 | out: lpName="DevDiv") returned 0x0 [0046.027] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="devdiv", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0046.027] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="devdiv", cchWideChar=6, lpMultiByteStr=0x224c0c0, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="devdiv", lpUsedDefaultChar=0x0) returned 6 [0046.027] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x10, lpName=0x224b8d0, cchName=0x104 | out: lpName="Dfrg") returned 0x0 [0046.027] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="dfrg", cchWideChar=4, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 4 [0046.027] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="dfrg", cchWideChar=4, lpMultiByteStr=0x224c108, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dfrg", lpUsedDefaultChar=0x0) returned 4 [0046.028] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x11, lpName=0x224b8d0, cchName=0x104 | out: lpName="DFS") returned 0x0 [0046.028] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="dfs", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0046.028] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="dfs", cchWideChar=3, lpMultiByteStr=0x224c0c0, cbMultiByte=3, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dfs", lpUsedDefaultChar=0x0) returned 3 [0046.028] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x12, lpName=0x224b8d0, cchName=0x104 | out: lpName="DirectDraw") returned 0x0 [0046.028] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="directdraw", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0046.028] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="directdraw", cchWideChar=10, lpMultiByteStr=0x224c108, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="directdraw", lpUsedDefaultChar=0x0) returned 10 [0046.028] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x13, lpName=0x224b8d0, cchName=0x104 | out: lpName="DirectInput") returned 0x0 [0046.028] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="directinput", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0046.028] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="directinput", cchWideChar=11, lpMultiByteStr=0x224c0c0, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="directinput", lpUsedDefaultChar=0x0) returned 11 [0046.028] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x14, lpName=0x224b8d0, cchName=0x104 | out: lpName="DirectMusic") returned 0x0 [0046.028] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="directmusic", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0046.028] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="directmusic", cchWideChar=11, lpMultiByteStr=0x224c108, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="directmusic", lpUsedDefaultChar=0x0) returned 11 [0046.028] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x15, lpName=0x224b8d0, cchName=0x104 | out: lpName="DirectPlay8") returned 0x0 [0046.028] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="directplay8", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0046.029] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="directplay8", cchWideChar=11, lpMultiByteStr=0x224c0c0, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="directplay8", lpUsedDefaultChar=0x0) returned 11 [0046.029] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x16, lpName=0x224b8d0, cchName=0x104 | out: lpName="DirectPlayNATHelp") returned 0x0 [0046.029] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="directplaynathelp", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0046.029] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="directplaynathelp", cchWideChar=17, lpMultiByteStr=0x224c108, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="directplaynathelp", lpUsedDefaultChar=0x0) returned 17 [0046.029] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x17, lpName=0x224b8d0, cchName=0x104 | out: lpName="DirectShow") returned 0x0 [0046.029] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="directshow", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0046.029] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="directshow", cchWideChar=10, lpMultiByteStr=0x224c0c0, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="directshow", lpUsedDefaultChar=0x0) returned 10 [0046.029] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x18, lpName=0x224b8d0, cchName=0x104 | out: lpName="DirectX") returned 0x0 [0046.029] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="directx", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0046.029] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="directx", cchWideChar=7, lpMultiByteStr=0x224c108, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="directx", lpUsedDefaultChar=0x0) returned 7 [0046.029] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x19, lpName=0x224b8d0, cchName=0x104 | out: lpName="Driver Signing") returned 0x0 [0046.029] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="driver signing", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0046.029] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="driver signing", cchWideChar=14, lpMultiByteStr=0x224c0c0, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="driver signing", lpUsedDefaultChar=0x0) returned 14 [0046.029] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x1a, lpName=0x224b8d0, cchName=0x104 | out: lpName="DRM") returned 0x0 [0046.029] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="drm", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0046.029] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="drm", cchWideChar=3, lpMultiByteStr=0x224c108, cbMultiByte=3, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="drm", lpUsedDefaultChar=0x0) returned 3 [0046.030] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x1b, lpName=0x224b8d0, cchName=0x104 | out: lpName="DVR") returned 0x0 [0046.030] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="dvr", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0046.030] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="dvr", cchWideChar=3, lpMultiByteStr=0x224c0c0, cbMultiByte=3, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dvr", lpUsedDefaultChar=0x0) returned 3 [0046.030] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x1c, lpName=0x224b8d0, cchName=0x104 | out: lpName="DXP") returned 0x0 [0046.030] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="dxp", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0046.030] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="dxp", cchWideChar=3, lpMultiByteStr=0x224c108, cbMultiByte=3, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dxp", lpUsedDefaultChar=0x0) returned 3 [0046.030] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x1d, lpName=0x224b8d0, cchName=0x104 | out: lpName="EnterpriseCertificates") returned 0x0 [0046.030] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="enterprisecertificates", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0046.030] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="enterprisecertificates", cchWideChar=22, lpMultiByteStr=0x224c0c0, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="enterprisecertificates", lpUsedDefaultChar=0x0) returned 22 [0046.030] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x1e, lpName=0x224b8d0, cchName=0x104 | out: lpName="EventSystem") returned 0x0 [0046.030] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="eventsystem", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0046.030] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="eventsystem", cchWideChar=11, lpMultiByteStr=0x224c108, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="eventsystem", lpUsedDefaultChar=0x0) returned 11 [0046.030] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x1f, lpName=0x224b8d0, cchName=0x104 | out: lpName="Exchange") returned 0x0 [0046.030] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="exchange", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0046.030] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="exchange", cchWideChar=8, lpMultiByteStr=0x224c0c0, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="exchange", lpUsedDefaultChar=0x0) returned 8 [0046.031] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x20, lpName=0x224b8d0, cchName=0x104 | out: lpName="Fax") returned 0x0 [0046.031] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="fax", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0046.031] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="fax", cchWideChar=3, lpMultiByteStr=0x224c108, cbMultiByte=3, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="fax", lpUsedDefaultChar=0x0) returned 3 [0046.031] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x21, lpName=0x224b8d0, cchName=0x104 | out: lpName="Feeds") returned 0x0 [0046.031] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="feeds", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0046.031] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="feeds", cchWideChar=5, lpMultiByteStr=0x224c0c0, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="feeds", lpUsedDefaultChar=0x0) returned 5 [0046.031] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x22, lpName=0x224b8d0, cchName=0x104 | out: lpName="FlashConfig") returned 0x0 [0046.031] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="flashconfig", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0046.031] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="flashconfig", cchWideChar=11, lpMultiByteStr=0x224c108, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="flashconfig", lpUsedDefaultChar=0x0) returned 11 [0046.031] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x23, lpName=0x224b8d0, cchName=0x104 | out: lpName="FTH") returned 0x0 [0046.031] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="fth", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0046.031] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="fth", cchWideChar=3, lpMultiByteStr=0x224c0c0, cbMultiByte=3, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="fth", lpUsedDefaultChar=0x0) returned 3 [0046.031] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x24, lpName=0x224b8d0, cchName=0x104 | out: lpName="Function Discovery") returned 0x0 [0046.031] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="function discovery", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0046.031] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="function discovery", cchWideChar=18, lpMultiByteStr=0x224c108, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="function discovery", lpUsedDefaultChar=0x0) returned 18 [0046.031] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x25, lpName=0x224b8d0, cchName=0x104 | out: lpName="Fusion") returned 0x0 [0046.032] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="fusion", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0046.032] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="fusion", cchWideChar=6, lpMultiByteStr=0x224c0c0, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="fusion", lpUsedDefaultChar=0x0) returned 6 [0046.032] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x26, lpName=0x224b8d0, cchName=0x104 | out: lpName="GPUPipeline") returned 0x0 [0046.032] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="gpupipeline", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0046.032] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="gpupipeline", cchWideChar=11, lpMultiByteStr=0x224c108, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="gpupipeline", lpUsedDefaultChar=0x0) returned 11 [0046.032] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x27, lpName=0x224b8d0, cchName=0x104 | out: lpName="HTMLHelp") returned 0x0 [0046.032] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="htmlhelp", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0046.032] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="htmlhelp", cchWideChar=8, lpMultiByteStr=0x224c0c0, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="htmlhelp", lpUsedDefaultChar=0x0) returned 8 [0046.032] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x28, lpName=0x224b8d0, cchName=0x104 | out: lpName="IdentityCRL") returned 0x0 [0046.032] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="identitycrl", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0046.032] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="identitycrl", cchWideChar=11, lpMultiByteStr=0x224c108, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="identitycrl", lpUsedDefaultChar=0x0) returned 11 [0046.032] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x29, lpName=0x224b8d0, cchName=0x104 | out: lpName="IdentityStore") returned 0x0 [0046.032] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="identitystore", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0046.032] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="identitystore", cchWideChar=13, lpMultiByteStr=0x224c0c0, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="identitystore", lpUsedDefaultChar=0x0) returned 13 [0046.032] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x2a, lpName=0x224b8d0, cchName=0x104 | out: lpName="IMAPI") returned 0x0 [0046.032] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="imapi", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0046.032] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="imapi", cchWideChar=5, lpMultiByteStr=0x224c108, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="imapi", lpUsedDefaultChar=0x0) returned 5 [0046.033] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x2b, lpName=0x224b8d0, cchName=0x104 | out: lpName="IMEJP") returned 0x0 [0046.033] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="imejp", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0046.033] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="imejp", cchWideChar=5, lpMultiByteStr=0x224c0c0, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="imejp", lpUsedDefaultChar=0x0) returned 5 [0046.033] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x2c, lpName=0x224b8d0, cchName=0x104 | out: lpName="IMEKR") returned 0x0 [0046.033] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="imekr", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0046.033] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="imekr", cchWideChar=5, lpMultiByteStr=0x224c108, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="imekr", lpUsedDefaultChar=0x0) returned 5 [0046.033] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x2d, lpName=0x224b8d0, cchName=0x104 | out: lpName="IMETC") returned 0x0 [0046.033] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="imetc", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0046.033] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="imetc", cchWideChar=5, lpMultiByteStr=0x224c0c0, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="imetc", lpUsedDefaultChar=0x0) returned 5 [0046.033] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x2e, lpName=0x224b8d0, cchName=0x104 | out: lpName="Internet Account Manager") returned 0x0 [0046.033] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="internet account manager", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0046.033] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="internet account manager", cchWideChar=24, lpMultiByteStr=0x224c108, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="internet account manager", lpUsedDefaultChar=0x0) returned 24 [0046.033] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x2f, lpName=0x224b8d0, cchName=0x104 | out: lpName="Internet Domains") returned 0x0 [0046.033] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="internet domains", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0046.033] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="internet domains", cchWideChar=16, lpMultiByteStr=0x224c0c0, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="internet domains", lpUsedDefaultChar=0x0) returned 16 [0046.034] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x30, lpName=0x224b8d0, cchName=0x104 | out: lpName="Internet Explorer") returned 0x0 [0046.034] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="internet explorer", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0046.034] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="internet explorer", cchWideChar=17, lpMultiByteStr=0x224c108, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="internet explorer", lpUsedDefaultChar=0x0) returned 17 [0046.034] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x31, lpName=0x224b8d0, cchName=0x104 | out: lpName="IsoBurn") returned 0x0 [0046.034] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="isoburn", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0046.034] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="isoburn", cchWideChar=7, lpMultiByteStr=0x224c0c0, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="isoburn", lpUsedDefaultChar=0x0) returned 7 [0046.034] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x32, lpName=0x224b8d0, cchName=0x104 | out: lpName="Loki") returned 0x0 [0046.034] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="loki", cchWideChar=4, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 4 [0046.034] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="loki", cchWideChar=4, lpMultiByteStr=0x224c108, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="loki", lpUsedDefaultChar=0x0) returned 4 [0046.034] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x33, lpName=0x224b8d0, cchName=0x104 | out: lpName="MediaCenterPeripheral") returned 0x0 [0046.034] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mediacenterperipheral", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0046.034] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x34, lpName=0x224b8d0, cchName=0x104 | out: lpName="MediaPlayer") returned 0x0 [0046.034] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x35, lpName=0x224b8d0, cchName=0x104 | out: lpName="MessengerService") returned 0x0 [0046.034] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x36, lpName=0x224b8d0, cchName=0x104 | out: lpName="Microsoft Reference") returned 0x0 [0046.034] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x37, lpName=0x224b8d0, cchName=0x104 | out: lpName="Microsoft SQL Server Compact Edition") returned 0x0 [0046.034] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x38, lpName=0x224b8d0, cchName=0x104 | out: lpName="MigWiz") returned 0x0 [0046.035] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x39, lpName=0x224b8d0, cchName=0x104 | out: lpName="MMC") returned 0x0 [0046.035] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x3a, lpName=0x224b8d0, cchName=0x104 | out: lpName="Mobile") returned 0x0 [0046.035] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x3b, lpName=0x224b8d0, cchName=0x104 | out: lpName="MSBuild") returned 0x0 [0046.035] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x3c, lpName=0x224b8d0, cchName=0x104 | out: lpName="MSDE") returned 0x0 [0046.035] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x3d, lpName=0x224b8d0, cchName=0x104 | out: lpName="MSDTC") returned 0x0 [0046.035] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x3e, lpName=0x224b8d0, cchName=0x104 | out: lpName="MSF") returned 0x0 [0046.035] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x3f, lpName=0x224b8d0, cchName=0x104 | out: lpName="MSLicensing") returned 0x0 [0046.035] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x40, lpName=0x224b8d0, cchName=0x104 | out: lpName="MSMQ") returned 0x0 [0046.035] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x41, lpName=0x224b8d0, cchName=0x104 | out: lpName="MSN Apps") returned 0x0 [0046.035] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x42, lpName=0x224b8d0, cchName=0x104 | out: lpName="MSOSOAP") returned 0x0 [0046.035] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x43, lpName=0x224b8d0, cchName=0x104 | out: lpName="MSSearch36") returned 0x0 [0046.035] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x44, lpName=0x224b8d0, cchName=0x104 | out: lpName="MSSQLServer") returned 0x0 [0046.035] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x45, lpName=0x224b8d0, cchName=0x104 | out: lpName="Multimedia") returned 0x0 [0046.035] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x46, lpName=0x224b8d0, cchName=0x104 | out: lpName="NapServer") returned 0x0 [0046.035] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x47, lpName=0x224b8d0, cchName=0x104 | out: lpName="NET Framework Setup") returned 0x0 [0046.035] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x48, lpName=0x224b8d0, cchName=0x104 | out: lpName="NetSh") returned 0x0 [0046.035] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x49, lpName=0x224b8d0, cchName=0x104 | out: lpName="Network") returned 0x0 [0046.035] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x4a, lpName=0x224b8d0, cchName=0x104 | out: lpName="NetworkAccessProtection") returned 0x0 [0046.035] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x4b, lpName=0x224b8d0, cchName=0x104 | out: lpName="Non-Driver Signing") returned 0x0 [0046.036] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x4c, lpName=0x224b8d0, cchName=0x104 | out: lpName="Notepad") returned 0x0 [0046.036] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x4d, lpName=0x224b8d0, cchName=0x104 | out: lpName="ODBC") returned 0x0 [0046.036] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x4e, lpName=0x224b8d0, cchName=0x104 | out: lpName="Office") returned 0x0 [0046.036] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x4f, lpName=0x224b8d0, cchName=0x104 | out: lpName="OfficeSoftwareProtectionPlatform") returned 0x0 [0046.036] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x50, lpName=0x224b8d0, cchName=0x104 | out: lpName="Ole") returned 0x0 [0046.036] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x51, lpName=0x224b8d0, cchName=0x104 | out: lpName="Outlook Express") returned 0x0 [0046.036] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x52, lpName=0x224b8d0, cchName=0x104 | out: lpName="PLA") returned 0x0 [0046.036] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x53, lpName=0x224b8d0, cchName=0x104 | out: lpName="PowerShell") returned 0x0 [0046.036] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x54, lpName=0x224b8d0, cchName=0x104 | out: lpName="Print") returned 0x0 [0046.036] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x55, lpName=0x224b8d0, cchName=0x104 | out: lpName="RADAR") returned 0x0 [0046.036] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x56, lpName=0x224b8d0, cchName=0x104 | out: lpName="Ras") returned 0x0 [0046.036] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x57, lpName=0x224b8d0, cchName=0x104 | out: lpName="RAS AutoDial") returned 0x0 [0046.036] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x58, lpName=0x224b8d0, cchName=0x104 | out: lpName="Reliability Analysis") returned 0x0 [0046.036] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x59, lpName=0x224b8d0, cchName=0x104 | out: lpName="RemovalTools") returned 0x0 [0046.036] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x5a, lpName=0x224b8d0, cchName=0x104 | out: lpName="RendezvousApps") returned 0x0 [0046.036] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x5b, lpName=0x224b8d0, cchName=0x104 | out: lpName="Router") returned 0x0 [0046.036] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x5c, lpName=0x224b8d0, cchName=0x104 | out: lpName="Rpc") returned 0x0 [0046.036] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x5d, lpName=0x224b8d0, cchName=0x104 | out: lpName="SchedulingAgent") returned 0x0 [0046.036] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x5e, lpName=0x224b8d0, cchName=0x104 | out: lpName="Schema Library") returned 0x0 [0046.037] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x5f, lpName=0x224b8d0, cchName=0x104 | out: lpName="Security Center") returned 0x0 [0046.037] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x60, lpName=0x224b8d0, cchName=0x104 | out: lpName="Sensors") returned 0x0 [0046.037] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x61, lpName=0x224b8d0, cchName=0x104 | out: lpName="Shared") returned 0x0 [0046.037] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x62, lpName=0x224b8d0, cchName=0x104 | out: lpName="Shared Tools") returned 0x0 [0046.037] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x63, lpName=0x224b8d0, cchName=0x104 | out: lpName="Shared Tools Location") returned 0x0 [0046.037] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x64, lpName=0x224b8d0, cchName=0x104 | out: lpName="SideShow") returned 0x0 [0046.037] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x65, lpName=0x224b8d0, cchName=0x104 | out: lpName="SnippingTool") returned 0x0 [0046.037] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x66, lpName=0x224b8d0, cchName=0x104 | out: lpName="Software") returned 0x0 [0046.037] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x67, lpName=0x224b8d0, cchName=0x104 | out: lpName="Speech") returned 0x0 [0046.037] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x68, lpName=0x224b8d0, cchName=0x104 | out: lpName="SQMClient") returned 0x0 [0046.037] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x69, lpName=0x224b8d0, cchName=0x104 | out: lpName="Sync Framework") returned 0x0 [0046.037] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x6a, lpName=0x224b8d0, cchName=0x104 | out: lpName="Sysprep") returned 0x0 [0046.037] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x6b, lpName=0x224b8d0, cchName=0x104 | out: lpName="SystemCertificates") returned 0x0 [0046.037] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x6c, lpName=0x224b8d0, cchName=0x104 | out: lpName="TableTextService") returned 0x0 [0046.037] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x6d, lpName=0x224b8d0, cchName=0x104 | out: lpName="TabletTip") returned 0x0 [0046.037] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x6e, lpName=0x224b8d0, cchName=0x104 | out: lpName="Tcpip") returned 0x0 [0046.037] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x6f, lpName=0x224b8d0, cchName=0x104 | out: lpName="Terminal Server Client") returned 0x0 [0046.037] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x70, lpName=0x224b8d0, cchName=0x104 | out: lpName="TermServLicensing") returned 0x0 [0046.037] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x71, lpName=0x224b8d0, cchName=0x104 | out: lpName="TIP Shared") returned 0x0 [0046.037] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x72, lpName=0x224b8d0, cchName=0x104 | out: lpName="TPG") returned 0x0 [0046.038] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x73, lpName=0x224b8d0, cchName=0x104 | out: lpName="Tpm") returned 0x0 [0046.038] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x74, lpName=0x224b8d0, cchName=0x104 | out: lpName="Tracing") returned 0x0 [0046.038] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x75, lpName=0x224b8d0, cchName=0x104 | out: lpName="Transaction Server") returned 0x0 [0046.038] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x76, lpName=0x224b8d0, cchName=0x104 | out: lpName="TV System Services") returned 0x0 [0046.038] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x77, lpName=0x224b8d0, cchName=0x104 | out: lpName="uDRM") returned 0x0 [0046.038] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x78, lpName=0x224b8d0, cchName=0x104 | out: lpName="Updates") returned 0x0 [0046.038] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x79, lpName=0x224b8d0, cchName=0x104 | out: lpName="UPnP Device Host") returned 0x0 [0046.038] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x7a, lpName=0x224b8d0, cchName=0x104 | out: lpName="VBA") returned 0x0 [0046.038] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x7b, lpName=0x224b8d0, cchName=0x104 | out: lpName="Virtual Machine") returned 0x0 [0046.038] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x7c, lpName=0x224b8d0, cchName=0x104 | out: lpName="VisualStudio") returned 0x0 [0046.038] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x7d, lpName=0x224b8d0, cchName=0x104 | out: lpName="WAB") returned 0x0 [0046.038] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x7e, lpName=0x224b8d0, cchName=0x104 | out: lpName="WBEM") returned 0x0 [0046.038] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x7f, lpName=0x224b8d0, cchName=0x104 | out: lpName="WIMMount") returned 0x0 [0046.038] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x80, lpName=0x224b8d0, cchName=0x104 | out: lpName="Windows") returned 0x0 [0046.038] RegOpenKeyExW (in: hKey=0x3c, lpSubKey="Windows", ulOptions=0x0, samDesired=0x20109, phkResult=0x18f85c | out: phkResult=0x18f85c*=0xbc) returned 0x0 [0046.038] RegCloseKey (hKey=0x3c) returned 0x0 [0046.038] RegEnumKeyW (in: hKey=0xbc, dwIndex=0x0, lpName=0x224b8d0, cchName=0x104 | out: lpName="CurrentVersion") returned 0x0 [0046.038] RegOpenKeyExW (in: hKey=0xbc, lpSubKey="CurrentVersion", ulOptions=0x0, samDesired=0x20109, phkResult=0x18f85c | out: phkResult=0x18f85c*=0x3c) returned 0x0 [0046.039] RegCloseKey (hKey=0xbc) returned 0x0 [0046.039] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x0, lpName=0x224b8d0, cchName=0x104 | out: lpName="App Management") returned 0x0 [0046.039] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x1, lpName=0x224b8d0, cchName=0x104 | out: lpName="App Paths") returned 0x0 [0046.039] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x2, lpName=0x224b8d0, cchName=0x104 | out: lpName="Applets") returned 0x0 [0046.039] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x3, lpName=0x224b8d0, cchName=0x104 | out: lpName="Audio") returned 0x0 [0046.039] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x4, lpName=0x224b8d0, cchName=0x104 | out: lpName="Authentication") returned 0x0 [0046.039] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x5, lpName=0x224b8d0, cchName=0x104 | out: lpName="BitLocker") returned 0x0 [0046.039] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x6, lpName=0x224b8d0, cchName=0x104 | out: lpName="BITS") returned 0x0 [0046.039] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x7, lpName=0x224b8d0, cchName=0x104 | out: lpName="Component Based Servicing") returned 0x0 [0046.039] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x8, lpName=0x224b8d0, cchName=0x104 | out: lpName="Control Panel") returned 0x0 [0046.039] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x9, lpName=0x224b8d0, cchName=0x104 | out: lpName="Controls Folder") returned 0x0 [0046.039] RegEnumKeyW (in: hKey=0x3c, dwIndex=0xa, lpName=0x224b8d0, cchName=0x104 | out: lpName="DateTime") returned 0x0 [0046.039] RegEnumKeyW (in: hKey=0x3c, dwIndex=0xb, lpName=0x224b8d0, cchName=0x104 | out: lpName="Device Installer") returned 0x0 [0046.039] RegEnumKeyW (in: hKey=0x3c, dwIndex=0xc, lpName=0x224b8d0, cchName=0x104 | out: lpName="Device Metadata") returned 0x0 [0046.039] RegEnumKeyW (in: hKey=0x3c, dwIndex=0xd, lpName=0x224b8d0, cchName=0x104 | out: lpName="Diagnostics") returned 0x0 [0046.039] RegEnumKeyW (in: hKey=0x3c, dwIndex=0xe, lpName=0x224b8d0, cchName=0x104 | out: lpName="DriverSearching") returned 0x0 [0046.039] RegEnumKeyW (in: hKey=0x3c, dwIndex=0xf, lpName=0x224b8d0, cchName=0x104 | out: lpName="EventCollector") returned 0x0 [0046.039] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x10, lpName=0x224b8d0, cchName=0x104 | out: lpName="EventForwarding") returned 0x0 [0046.039] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x11, lpName=0x224b8d0, cchName=0x104 | out: lpName="Explorer") returned 0x0 [0046.040] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x12, lpName=0x224b8d0, cchName=0x104 | out: lpName="Ext") returned 0x0 [0046.040] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x13, lpName=0x224b8d0, cchName=0x104 | out: lpName="GameUX") returned 0x0 [0046.040] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x14, lpName=0x224b8d0, cchName=0x104 | out: lpName="Group Policy") returned 0x0 [0046.040] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x15, lpName=0x224b8d0, cchName=0x104 | out: lpName="Hints") returned 0x0 [0046.040] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x16, lpName=0x224b8d0, cchName=0x104 | out: lpName="HomeGroup") returned 0x0 [0046.040] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x17, lpName=0x224b8d0, cchName=0x104 | out: lpName="HotStart") returned 0x0 [0046.040] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x18, lpName=0x224b8d0, cchName=0x104 | out: lpName="IME") returned 0x0 [0046.040] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x19, lpName=0x224b8d0, cchName=0x104 | out: lpName="Installer") returned 0x0 [0046.040] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x1a, lpName=0x224b8d0, cchName=0x104 | out: lpName="Internet Settings") returned 0x0 [0046.040] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x1b, lpName=0x224b8d0, cchName=0x104 | out: lpName="MCT") returned 0x0 [0046.040] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x1c, lpName=0x224b8d0, cchName=0x104 | out: lpName="Media Center") returned 0x0 [0046.040] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x1d, lpName=0x224b8d0, cchName=0x104 | out: lpName="MMDevices") returned 0x0 [0046.040] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x1e, lpName=0x224b8d0, cchName=0x104 | out: lpName="MSSHA") returned 0x0 [0046.040] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x1f, lpName=0x224b8d0, cchName=0x104 | out: lpName="NetCache") returned 0x0 [0046.040] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x20, lpName=0x224b8d0, cchName=0x104 | out: lpName="OEMInformation") returned 0x0 [0046.040] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x21, lpName=0x224b8d0, cchName=0x104 | out: lpName="OOBE") returned 0x0 [0046.040] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x22, lpName=0x224b8d0, cchName=0x104 | out: lpName="OptimalLayout") returned 0x0 [0046.040] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x23, lpName=0x224b8d0, cchName=0x104 | out: lpName="Parental Controls") returned 0x0 [0046.040] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x24, lpName=0x224b8d0, cchName=0x104 | out: lpName="Personalization") returned 0x0 [0046.040] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x25, lpName=0x224b8d0, cchName=0x104 | out: lpName="PhotoPropertyHandler") returned 0x0 [0046.041] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x26, lpName=0x224b8d0, cchName=0x104 | out: lpName="PnPSysprep") returned 0x0 [0046.041] RegEnumKeyW (in: hKey=0x3c, dwIndex=0x27, lpName=0x224b8d0, cchName=0x104 | out: lpName="Policies") returned 0x0 [0046.041] RegOpenKeyExW (in: hKey=0x3c, lpSubKey="Policies", ulOptions=0x0, samDesired=0x20109, phkResult=0x18f85c | out: phkResult=0x18f85c*=0xbc) returned 0x0 [0046.041] RegCloseKey (hKey=0x3c) returned 0x0 [0046.041] RegEnumKeyW (in: hKey=0xbc, dwIndex=0x0, lpName=0x224b8d0, cchName=0x104 | out: lpName="ActiveDesktop") returned 0x0 [0046.041] RegEnumKeyW (in: hKey=0xbc, dwIndex=0x1, lpName=0x224b8d0, cchName=0x104 | out: lpName="Attachments") returned 0x0 [0046.041] RegEnumKeyW (in: hKey=0xbc, dwIndex=0x2, lpName=0x224b8d0, cchName=0x104 | out: lpName="Explorer") returned 0x0 [0046.041] RegEnumKeyW (in: hKey=0xbc, dwIndex=0x3, lpName=0x224b8d0, cchName=0x104 | out: lpName="NonEnum") returned 0x0 [0046.041] RegEnumKeyW (in: hKey=0xbc, dwIndex=0x4, lpName=0x224b8d0, cchName=0x104 | out: lpName="System") returned 0x0 [0046.041] RegOpenKeyExW (in: hKey=0xbc, lpSubKey="System", ulOptions=0x0, samDesired=0x20109, phkResult=0x18f85c | out: phkResult=0x18f85c*=0x3c) returned 0x0 [0046.041] RegCloseKey (hKey=0xbc) returned 0x0 [0046.041] RegEnumValueA (in: hKey=0x3c, dwIndex=0x0, lpValueName=0x18f778, lpcchValueName=0x18f774, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="ConsentPromptBehaviorAdmin", lpcchValueName=0x18f774, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0046.041] RegEnumValueA (in: hKey=0x3c, dwIndex=0x1, lpValueName=0x18f778, lpcchValueName=0x18f774, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="ConsentPromptBehaviorUser", lpcchValueName=0x18f774, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0046.041] RegEnumValueA (in: hKey=0x3c, dwIndex=0x2, lpValueName=0x18f778, lpcchValueName=0x18f774, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="EnableInstallerDetection", lpcchValueName=0x18f774, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0046.041] RegEnumValueA (in: hKey=0x3c, dwIndex=0x3, lpValueName=0x18f778, lpcchValueName=0x18f774, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="EnableLUA", lpcchValueName=0x18f774, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0046.042] RegEnumValueA (in: hKey=0x3c, dwIndex=0x4, lpValueName=0x18f778, lpcchValueName=0x18f774, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="EnableSecureUIAPaths", lpcchValueName=0x18f774, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0046.042] RegEnumValueA (in: hKey=0x3c, dwIndex=0x5, lpValueName=0x18f778, lpcchValueName=0x18f774, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="EnableUIADesktopToggle", lpcchValueName=0x18f774, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0046.042] RegEnumValueA (in: hKey=0x3c, dwIndex=0x6, lpValueName=0x18f778, lpcchValueName=0x18f774, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="EnableVirtualization", lpcchValueName=0x18f774, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0046.042] RegEnumValueA (in: hKey=0x3c, dwIndex=0x7, lpValueName=0x18f778, lpcchValueName=0x18f774, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="PromptOnSecureDesktop", lpcchValueName=0x18f774, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0046.042] RegEnumValueA (in: hKey=0x3c, dwIndex=0x8, lpValueName=0x18f778, lpcchValueName=0x18f774, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="ValidateAdminCodeSignatures", lpcchValueName=0x18f774, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0046.042] RegEnumValueA (in: hKey=0x3c, dwIndex=0x9, lpValueName=0x18f778, lpcchValueName=0x18f774, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="dontdisplaylastusername", lpcchValueName=0x18f774, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0046.042] RegEnumValueA (in: hKey=0x3c, dwIndex=0xa, lpValueName=0x18f778, lpcchValueName=0x18f774, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="legalnoticecaption", lpcchValueName=0x18f774, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0046.042] RegEnumValueA (in: hKey=0x3c, dwIndex=0xb, lpValueName=0x18f778, lpcchValueName=0x18f774, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="legalnoticetext", lpcchValueName=0x18f774, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0046.042] RegEnumValueA (in: hKey=0x3c, dwIndex=0xc, lpValueName=0x18f778, lpcchValueName=0x18f774, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="scforceoption", lpcchValueName=0x18f774, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0046.042] RegEnumValueA (in: hKey=0x3c, dwIndex=0xd, lpValueName=0x18f778, lpcchValueName=0x18f774, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="shutdownwithoutlogon", lpcchValueName=0x18f774, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0046.042] RegEnumValueA (in: hKey=0x3c, dwIndex=0xe, lpValueName=0x18f778, lpcchValueName=0x18f774, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="undockwithoutlogon", lpcchValueName=0x18f774, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0046.042] RegEnumValueA (in: hKey=0x3c, dwIndex=0xf, lpValueName=0x18f778, lpcchValueName=0x18f774, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="FilterAdministratorToken", lpcchValueName=0x18f774, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0046.042] RegEnumValueA (in: hKey=0x3c, dwIndex=0x10, lpValueName=0x18f778, lpcchValueName=0x18f774, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="FilterAdministratorToken", lpcchValueName=0x18f774, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x103 [0046.042] RegQueryValueExA (in: hKey=0x3c, lpValueName="EnableLUA", lpReserved=0x0, lpType=0x18f884, lpData=0x0, lpcbData=0x18f88c*=0x0 | out: lpType=0x18f884*=0x4, lpData=0x0, lpcbData=0x18f88c*=0x4) returned 0x0 [0046.042] RegQueryValueExA (in: hKey=0x3c, lpValueName="EnableLUA", lpReserved=0x0, lpType=0x18f884, lpData=0x224c420, lpcbData=0x18f88c*=0x4 | out: lpType=0x18f884*=0x4, lpData=0x224c420*=0x1, lpcbData=0x18f88c*=0x4) returned 0x0 [0046.043] RegCloseKey (hKey=0x3c) returned 0x0 [0046.043] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x18f900 | out: TokenHandle=0x18f900*=0x3c) returned 1 [0046.043] GetTokenInformation (in: TokenHandle=0x3c, TokenInformationClass=0x14, TokenInformation=0x18f8fc, TokenInformationLength=0x4, ReturnLength=0x18f8f8 | out: TokenInformation=0x18f8fc, ReturnLength=0x18f8f8) returned 1 [0046.043] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x18f8ec | out: TokenHandle=0x18f8ec*=0xbc) returned 1 [0046.043] GetTokenInformation (in: TokenHandle=0xbc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x18f8e8 | out: TokenInformation=0x0, ReturnLength=0x18f8e8) returned 0 [0046.043] GetTokenInformation (in: TokenHandle=0xbc, TokenInformationClass=0x19, TokenInformation=0x224c588, TokenInformationLength=0x14, ReturnLength=0x18f8e8 | out: TokenInformation=0x224c588, ReturnLength=0x18f8e8) returned 1 [0046.043] GetSidSubAuthorityCount (pSid=0x224c590*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x224c591 [0046.043] GetSidSubAuthority (pSid=0x224c590*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x224c598 [0046.043] NtClose (Handle=0xbc) returned 0x0 [0046.043] ConvertStringSecurityDescriptorToSecurityDescriptorW () returned 0x1 [0046.088] GetSecurityDescriptorSacl (in: pSecurityDescriptor=0x6ba470, lpbSaclPresent=0x18f9a8, pSacl=0x18fa00, lpbSaclDefaulted=0x18f9a8 | out: lpbSaclPresent=0x18f9a8, pSacl=0x18fa00, lpbSaclDefaulted=0x18f9a8) returned 1 [0046.088] CreateMutexA (lpMutexAttributes=0x18f9f4, bInitialOwner=0, lpName="") returned 0x100 [0046.088] GetLastError () returned 0x0 [0046.088] LocalFree (hMem=0x6ba470) returned 0x0 [0046.088] CryptAcquireContextW (in: phProv=0x18fa20, szContainer=0x0, szProvider="Microsoft Enhanced Cryptographic Provider v1.0", dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x18fa20*=0x6b8f30) returned 1 [0046.100] ConvertStringSecurityDescriptorToSecurityDescriptorW () returned 0x1 [0046.101] GetSecurityDescriptorSacl (in: pSecurityDescriptor=0x6ba470, lpbSaclPresent=0x18f9c4, pSacl=0x18fa28, lpbSaclDefaulted=0x18f9c4 | out: lpbSaclPresent=0x18f9c4, pSacl=0x18fa28, lpbSaclDefaulted=0x18f9c4) returned 1 [0046.101] CreateEventA (lpEventAttributes=0x18fa1c, bManualReset=1, bInitialState=0, lpName="") returned 0x104 [0046.101] GetLastError () returned 0x0 [0046.101] LocalFree (hMem=0x6ba470) returned 0x0 [0046.101] ConvertStringSecurityDescriptorToSecurityDescriptorW () returned 0x1 [0046.102] GetSecurityDescriptorSacl (in: pSecurityDescriptor=0x6ba470, lpbSaclPresent=0x18f9c4, pSacl=0x18fa28, lpbSaclDefaulted=0x18f9c4 | out: lpbSaclPresent=0x18f9c4, pSacl=0x18fa28, lpbSaclDefaulted=0x18f9c4) returned 1 [0046.102] CreateEventA (lpEventAttributes=0x18fa1c, bManualReset=1, bInitialState=0, lpName="") returned 0x108 [0046.102] GetLastError () returned 0x0 [0046.102] LocalFree (hMem=0x6ba470) returned 0x0 [0046.102] ConvertStringSecurityDescriptorToSecurityDescriptorW () returned 0x1 [0046.102] GetSecurityDescriptorSacl (in: pSecurityDescriptor=0x6ba470, lpbSaclPresent=0x18f9c4, pSacl=0x18fa28, lpbSaclDefaulted=0x18f9c4 | out: lpbSaclPresent=0x18f9c4, pSacl=0x18fa28, lpbSaclDefaulted=0x18f9c4) returned 1 [0046.102] CreateEventA (lpEventAttributes=0x18fa1c, bManualReset=1, bInitialState=0, lpName="") returned 0x110 [0046.102] GetLastError () returned 0x0 [0046.102] LocalFree (hMem=0x6ba470) returned 0x0 [0046.103] ExpandEnvironmentStringsA (in: lpSrc="%ProgramData%\\Microsoft\\Windows\\WER\\ReportQueue\\", lpDst=0x1ea2558, nSize=0x2800 | out: lpDst="C:\\ProgramData\\Microsoft\\Windows\\WER\\ReportQueue\\") returned 0x32 [0046.103] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1ea2558, cbMultiByte=49, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 49 [0046.103] ExpandEnvironmentStringsA (in: lpSrc="%windir%", lpDst=0x1ea2558, nSize=0x2800 | out: lpDst="C:\\Windows") returned 0xb [0046.103] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1ea2558, cbMultiByte=10, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 10 [0046.103] ExpandEnvironmentStringsA (in: lpSrc="%temp%", lpDst=0x1ea2558, nSize=0x2800 | out: lpDst="C:\\Windows\\TEMP") returned 0x10 [0046.103] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1ea2558, cbMultiByte=15, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 15 [0046.103] GetSystemWow64DirectoryW (in: lpBuffer=0x1ea77f8, uSize=0x40 | out: lpBuffer="C:\\Windows\\SysWOW64") returned 0x13 [0046.103] FindFirstFileExW (in: lpFileName="C:\\Windows\\SysWOW64\\*.dll", fInfoLevelId=0x1, lpFindFileData=0x18f754, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x18f754) returned 0x6ba408 [0046.103] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.104] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.104] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.105] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.105] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.105] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.105] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.105] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.105] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.105] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.105] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.105] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.105] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.105] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.105] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.105] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.105] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.105] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.105] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.105] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.105] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.105] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.105] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.105] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.105] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.105] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.105] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.105] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.106] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.106] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.106] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.106] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.106] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.106] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.106] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.106] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.106] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.106] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.106] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.106] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.106] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.106] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.106] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.106] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.106] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.106] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.106] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.106] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.106] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.106] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.106] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.106] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.106] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.106] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.106] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.107] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.107] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.107] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.107] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.107] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.107] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.107] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.107] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.107] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.107] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.107] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.107] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.107] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.107] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.107] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.107] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.107] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.107] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.107] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.107] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.107] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.107] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.107] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.107] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.107] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.107] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.107] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.108] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.108] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.108] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.108] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.108] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.108] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.108] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.108] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.108] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.108] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.108] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.108] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.108] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.108] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.108] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.108] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.108] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.108] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.108] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.108] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.108] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.108] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.108] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.108] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.108] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.108] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.108] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.108] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.109] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.109] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.109] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.109] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.109] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.109] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.109] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.109] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.109] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.109] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.109] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.109] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.109] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.109] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.109] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.109] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.109] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.109] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.109] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.109] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.109] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.109] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.109] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.109] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.109] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.109] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.109] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.109] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.110] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.110] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.110] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.110] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.110] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.110] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.110] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.110] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.110] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.110] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.110] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.110] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.110] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.110] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.110] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.110] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.110] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.110] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.110] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.110] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.110] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.110] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.110] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.110] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.110] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.110] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.110] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.111] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.111] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.111] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.111] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.111] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.111] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.111] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.111] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.111] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.111] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.111] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.111] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.111] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.111] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.111] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.111] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.111] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.111] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.111] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.111] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.111] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.111] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.111] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.111] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.111] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.111] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.111] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.111] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.112] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.112] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.112] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.112] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.112] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.112] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.112] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.112] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.112] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.112] FindNextFileW (in: hFindFile=0x6ba408, lpFindFileData=0x18f754 | out: lpFindFileData=0x18f754) returned 1 [0046.112] LdrLoadDll (in: SearchPath=0x0, LoadFlags=0x0, Name="crypt32.dll", BaseAddress=0x18f9c8 | out: BaseAddress=0x18f9c8*=0x75720000) returned 0x0 [0046.114] FindClose (in: hFindFile=0x6ba408 | out: hFindFile=0x6ba408) returned 1 [0046.114] CryptStringToBinaryA (in: pszString="-----BEGIN PUBLIC KEY-----\r\nMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCdXOKTkkjURSPoRv6ciKwuUyK8\r\n+7EiuEHzxMGanjcW6+UbzAT1+MKH43GnfnWdTedvkgYD5Zg8lNUasTJ0FdRzHLDO\r\np5ciKIG0vITHV9kDtV/NtU2M/uKYO51wmO4fC2eLWZRS6ru7CQNJYfId0nXGFmU6\r\n3tqF+NLM1KW2f/gHnwIDAQAB\r\n-----END PUBLIC KEY-----", cchString=0x0, dwFlags=0x0, pbBinary=0x0, pcbBinary=0x18f9f0, pdwSkip=0x0, pdwFlags=0x0 | out: pbBinary=0x0, pcbBinary=0x18f9f0, pdwSkip=0x0, pdwFlags=0x0) returned 1 [0046.114] CryptStringToBinaryA (in: pszString="-----BEGIN PUBLIC KEY-----\r\nMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCdXOKTkkjURSPoRv6ciKwuUyK8\r\n+7EiuEHzxMGanjcW6+UbzAT1+MKH43GnfnWdTedvkgYD5Zg8lNUasTJ0FdRzHLDO\r\np5ciKIG0vITHV9kDtV/NtU2M/uKYO51wmO4fC2eLWZRS6ru7CQNJYfId0nXGFmU6\r\n3tqF+NLM1KW2f/gHnwIDAQAB\r\n-----END PUBLIC KEY-----", cchString=0x0, dwFlags=0x0, pbBinary=0x1ea77f8, pcbBinary=0x18f9f0, pdwSkip=0x0, pdwFlags=0x0 | out: pbBinary=0x1ea77f8, pcbBinary=0x18f9f0, pdwSkip=0x0, pdwFlags=0x0) returned 1 [0046.114] CryptDecodeObject (in: dwCertEncodingType=0x10001, lpszStructType=0x8, pbEncoded=0x1ea77f8, cbEncoded=0xa2, dwFlags=0x0, pvStructInfo=0x0, pcbStructInfo=0x18f9f0 | out: pvStructInfo=0x0, pcbStructInfo=0x18f9f0) returned 1 [0046.116] CryptDecodeObject (in: dwCertEncodingType=0x10001, lpszStructType=0x8, pbEncoded=0x1ea77f8, cbEncoded=0xa2, dwFlags=0x0, pvStructInfo=0x1ea7e88, pcbStructInfo=0x18f9f0 | out: pvStructInfo=0x1ea7e88, pcbStructInfo=0x18f9f0) returned 1 [0046.116] CryptImportPublicKeyInfo (in: hCryptProv=0x6b8f30, dwCertEncodingType=0x10001, pInfo=0x1ea7e88*(Algorithm.pszObjId="1.2.840.113549.1.1.1", Algorithm.Parameters.cbData=0x2, Algorithm.Parameters.pbData=0x1ea7eb8*, PublicKey.cbData=0x8c, PublicKey.pbData=0x1ea7ec0*, PublicKey.cUnusedBits=0x0), phKey=0x18f9f8 | out: phKey=0x18f9f8*=0x6ba408) returned 1 [0046.117] ReleaseMutex (hMutex=0x100) returned 1 [0046.117] StartServiceCtrlDispatcherW (lpServiceTable=0x18fa68*(lpServiceName="", lpServiceProc=0x35f270)) returned 0 [0046.120] GetLastError () returned 0x427 [0046.120] GetCommandLineW () returned="C:\\Users\\5P5NRG~1\\AppData\\Roaming\\\\8DAT2H~1:bin" [0046.120] CommandLineToArgvW (in: lpCmdLine="C:\\Users\\5P5NRG~1\\AppData\\Roaming\\\\8DAT2H~1:bin", pNumArgs=0x18fa58 | out: pNumArgs=0x18fa58) returned 0x6d20e8*="C:\\Users\\5P5NRG~1\\AppData\\Roaming\\\\8DAT2H~1:bin" [0046.120] Wow64DisableWow64FsRedirection (in: OldValue=0x18fa38 | out: OldValue=0x18fa38*=0x0) returned 1 [0046.120] CryptAcquireContextW (in: phProv=0x18f894, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x18f894*=0x6d2158) returned 1 [0046.121] CryptCreateHash (in: hProv=0x6d2158, Algid=0x8003, hKey=0x0, dwFlags=0x0, phHash=0x18f894 | out: phHash=0x18f894) returned 1 [0046.121] CryptHashData (hHash=0x6d2930, pbData=0x224c198, dwDataLen=0x16, dwFlags=0x0) returned 1 [0046.121] CryptGetHashParam (in: hHash=0x6d2930, dwParam=0x4, pbData=0x18f898, pdwDataLen=0x18f8a4, dwFlags=0x0 | out: pbData=0x18f898, pdwDataLen=0x18f8a4) returned 1 [0046.121] CryptGetHashParam (in: hHash=0x6d2930, dwParam=0x2, pbData=0x224c9c0, pdwDataLen=0x18f898, dwFlags=0x0 | out: pbData=0x224c9c0, pdwDataLen=0x18f898) returned 1 [0046.121] CryptDestroyHash (hHash=0x6d2930) returned 1 [0046.121] CryptReleaseContext (hProv=0x6d2158, dwFlags=0x0) returned 1 [0046.128] ConvertStringSecurityDescriptorToSecurityDescriptorW () returned 0x1 [0046.128] GetSecurityDescriptorSacl (in: pSecurityDescriptor=0x6d1c98, lpbSaclPresent=0x18f84c, pSacl=0x18f8b0, lpbSaclDefaulted=0x18f84c | out: lpbSaclPresent=0x18f84c, pSacl=0x18f8b0, lpbSaclDefaulted=0x18f84c) returned 1 [0046.128] CreateEventA (lpEventAttributes=0x18f8a4, bManualReset=1, bInitialState=0, lpName="{06C11002-99B9-5502-651C-628268B034F2}") returned 0x118 [0046.128] GetLastError () returned 0x0 [0046.129] SetSecurityInfo () returned 0x0 [0046.131] LocalFree (hMem=0x6d1c98) returned 0x0 [0046.131] ConvertStringSecurityDescriptorToSecurityDescriptorW () returned 0x1 [0046.132] GetSecurityDescriptorSacl (in: pSecurityDescriptor=0x6d1c98, lpbSaclPresent=0x18f84c, pSacl=0x18f8b0, lpbSaclDefaulted=0x18f84c | out: lpbSaclPresent=0x18f84c, pSacl=0x18f8b0, lpbSaclDefaulted=0x18f84c) returned 1 [0046.132] CreateEventA (lpEventAttributes=0x18f8a4, bManualReset=1, bInitialState=0, lpName="") returned 0x11c [0046.132] GetLastError () returned 0x0 [0046.132] LocalFree (hMem=0x6d1c98) returned 0x0 [0046.132] CryptAcquireContextW (in: phProv=0x18f894, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x18f894*=0x6d2158) returned 1 [0046.132] CryptCreateHash (in: hProv=0x6d2158, Algid=0x8003, hKey=0x0, dwFlags=0x0, phHash=0x18f894 | out: phHash=0x18f894) returned 1 [0046.132] CryptHashData (hHash=0x6d21e0, pbData=0x224c198, dwDataLen=0xb, dwFlags=0x0) returned 1 [0046.132] CryptGetHashParam (in: hHash=0x6d21e0, dwParam=0x4, pbData=0x18f898, pdwDataLen=0x18f8a4, dwFlags=0x0 | out: pbData=0x18f898, pdwDataLen=0x18f8a4) returned 1 [0046.132] CryptGetHashParam (in: hHash=0x6d21e0, dwParam=0x2, pbData=0x1ea2840, pdwDataLen=0x18f898, dwFlags=0x0 | out: pbData=0x1ea2840, pdwDataLen=0x18f898) returned 1 [0046.133] CryptDestroyHash (hHash=0x6d21e0) returned 1 [0046.133] CryptReleaseContext (hProv=0x6d2158, dwFlags=0x0) returned 1 [0046.133] OpenMutexA (dwDesiredAccess=0x100002, bInheritHandle=0, lpName="Global\\{FD64C8AB-F74D-C8D4-F31D-96A1BB45705E}") returned 0x0 [0046.133] GetLastError () returned 0x5 [0046.133] OpenMutexA (dwDesiredAccess=0x2, bInheritHandle=0, lpName="Global\\{FD64C8AB-F74D-C8D4-F31D-96A1BB45705E}") returned 0x0 [0046.133] OpenMutexA (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Global\\{FD64C8AB-F74D-C8D4-F31D-96A1BB45705E}") returned 0x148 [0046.133] WaitForSingleObject (hHandle=0x148, dwMilliseconds=0x64) returned 0x102 [0046.237] ReleaseMutex (hMutex=0x148) returned 0 [0046.237] GetLastError () returned 0x120 [0046.237] GetLogicalDrives () returned 0x4 [0046.238] GetDriveTypeW (lpRootPathName="C:") returned 0x3 [0046.238] GetSystemDirectoryW (in: lpBuffer=0x1ea77f8, uSize=0x40 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0046.238] GetShortPathNameW (in: lpszLongPath="C:\\Windows\\TEMP", lpszShortPath=0x1ea3960, cchBuffer=0x100 | out: lpszShortPath="C:\\Windows\\TEMP") returned 0xf [0046.238] CryptAcquireContextW (in: phProv=0x18f638, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x18f638*=0x6d2158) returned 1 [0046.239] CryptGenRandom (in: hProv=0x6d2158, dwLen=0x4, pbBuffer=0x18f64c | out: pbBuffer=0x18f64c) returned 1 [0046.239] CryptReleaseContext (hProv=0x6d2158, dwFlags=0x0) returned 1 [0046.239] CryptAcquireContextW (in: phProv=0x18f634, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x18f634*=0x6d2158) returned 1 [0046.239] CryptGenRandom (in: hProv=0x6d2158, dwLen=0x4, pbBuffer=0x18f648 | out: pbBuffer=0x18f648) returned 1 [0046.239] CryptReleaseContext (hProv=0x6d2158, dwFlags=0x0) returned 1 [0046.239] CryptAcquireContextW (in: phProv=0x18f634, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x18f634*=0x6d2158) returned 1 [0046.240] CryptGenRandom (in: hProv=0x6d2158, dwLen=0x4, pbBuffer=0x18f648 | out: pbBuffer=0x18f648) returned 1 [0046.240] CryptReleaseContext (hProv=0x6d2158, dwFlags=0x0) returned 1 [0046.240] CryptAcquireContextW (in: phProv=0x18f634, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x18f634*=0x6d2158) returned 1 [0046.241] CryptGenRandom (in: hProv=0x6d2158, dwLen=0x4, pbBuffer=0x18f648 | out: pbBuffer=0x18f648) returned 1 [0046.241] CryptReleaseContext (hProv=0x6d2158, dwFlags=0x0) returned 1 [0046.241] CryptAcquireContextW (in: phProv=0x18f634, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x18f634*=0x6d2158) returned 1 [0046.241] CryptGenRandom (in: hProv=0x6d2158, dwLen=0x4, pbBuffer=0x18f648 | out: pbBuffer=0x18f648) returned 1 [0046.241] CryptReleaseContext (hProv=0x6d2158, dwFlags=0x0) returned 1 [0046.241] CryptAcquireContextW (in: phProv=0x18f634, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x18f634*=0x6d2158) returned 1 [0046.242] CryptGenRandom (in: hProv=0x6d2158, dwLen=0x4, pbBuffer=0x18f648 | out: pbBuffer=0x18f648) returned 1 [0046.242] CryptReleaseContext (hProv=0x6d2158, dwFlags=0x0) returned 1 [0046.242] CryptAcquireContextW (in: phProv=0x18f634, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x18f634*=0x6d2158) returned 1 [0046.242] CryptGenRandom (in: hProv=0x6d2158, dwLen=0x4, pbBuffer=0x18f648 | out: pbBuffer=0x18f648) returned 1 [0046.242] CryptReleaseContext (hProv=0x6d2158, dwFlags=0x0) returned 1 [0046.242] GetTempFileNameW (in: lpPathName="C:\\Windows\\TEMP", lpPrefixString="qF", uUnique=0x0, lpTempFileName=0x1ea3558 | out: lpTempFileName="C:\\Windows\\TEMP\\qFA91A.tmp" (normalized: "c:\\windows\\temp\\qfa91a.tmp")) returned 0xa91a [0046.243] GetShortPathNameW (in: lpszLongPath="C:\\Windows\\TEMP\\qFA91A.tmp", lpszShortPath=0x1ea3960, cchBuffer=0x100 | out: lpszShortPath="C:\\Windows\\TEMP\\qFA91A.tmp") returned 0x1a [0046.243] CryptAcquireContextW (in: phProv=0x18f638, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x18f638*=0x6d2158) returned 1 [0046.243] CryptGenRandom (in: hProv=0x6d2158, dwLen=0x4, pbBuffer=0x18f64c | out: pbBuffer=0x18f64c) returned 1 [0046.244] CryptReleaseContext (hProv=0x6d2158, dwFlags=0x0) returned 1 [0046.244] CryptAcquireContextW (in: phProv=0x18f634, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x18f634*=0x6d2158) returned 1 [0046.244] CryptGenRandom (in: hProv=0x6d2158, dwLen=0x4, pbBuffer=0x18f648 | out: pbBuffer=0x18f648) returned 1 [0046.244] CryptReleaseContext (hProv=0x6d2158, dwFlags=0x0) returned 1 [0046.244] CryptAcquireContextW (in: phProv=0x18f634, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x18f634*=0x6d2158) returned 1 [0046.245] CryptGenRandom (in: hProv=0x6d2158, dwLen=0x4, pbBuffer=0x18f648 | out: pbBuffer=0x18f648) returned 1 [0046.245] CryptReleaseContext (hProv=0x6d2158, dwFlags=0x0) returned 1 [0046.245] CryptAcquireContextW (in: phProv=0x18f634, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x18f634*=0x6d2158) returned 1 [0046.245] CryptGenRandom (in: hProv=0x6d2158, dwLen=0x4, pbBuffer=0x18f648 | out: pbBuffer=0x18f648) returned 1 [0046.245] CryptReleaseContext (hProv=0x6d2158, dwFlags=0x0) returned 1 [0046.245] GetTempFileNameW (in: lpPathName="C:\\Windows\\TEMP", lpPrefixString="4", uUnique=0x0, lpTempFileName=0x1ea3558 | out: lpTempFileName="C:\\Windows\\TEMP\\4A91B.tmp" (normalized: "c:\\windows\\temp\\4a91b.tmp")) returned 0xa91b [0046.245] GetShortPathNameW (in: lpszLongPath="C:\\Windows\\TEMP\\4A91B.tmp", lpszShortPath=0x1ea3d68, cchBuffer=0x100 | out: lpszShortPath="C:\\Windows\\TEMP\\4A91B.tmp") returned 0x19 [0046.246] CreateFileW (lpFileName="C:\\Windows\\TEMP\\qFA91A.tmp" (normalized: "c:\\windows\\temp\\qfa91a.tmp"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x18f738, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0046.246] CreateFileW (lpFileName="C:\\Windows\\TEMP\\4A91B.tmp" (normalized: "c:\\windows\\temp\\4a91b.tmp"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x18f738, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0046.246] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\arp.exe", lpCommandLine="C:\\Windows\\system32\\arp.exe -a", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x18f6c0*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x14c, hStdError=0x150), lpProcessInformation=0x18f728 | out: lpCommandLine="C:\\Windows\\system32\\arp.exe -a", lpProcessInformation=0x18f728*(hProcess=0x158, hThread=0x154, dwProcessId=0xaa8, dwThreadId=0xaac)) returned 1 [0046.483] NtClose (Handle=0x154) returned 0x0 [0046.484] WaitForSingleObject (hHandle=0x158, dwMilliseconds=0xea60) returned 0x0 [0047.720] NtClose (Handle=0x14c) returned 0x0 [0047.720] NtClose (Handle=0x150) returned 0x0 [0047.720] CreateFileW (lpFileName="C:\\Windows\\TEMP\\qFA91A.tmp" (normalized: "c:\\windows\\temp\\qfa91a.tmp"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0047.721] SetFileTime (hFile=0x150, lpCreationTime=0x0, lpLastAccessTime=0x18f684, lpLastWriteTime=0x18f684) returned 0 [0047.721] GetFileSize (in: hFile=0x150, lpFileSizeHigh=0x18f670 | out: lpFileSizeHigh=0x18f670*=0x0) returned 0x179 [0047.721] SetFilePointer (in: hFile=0x150, lDistanceToMove=0, lpDistanceToMoveHigh=0x18f67c*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x18f67c*=0) returned 0x0 [0047.721] ReadFile (in: hFile=0x150, lpBuffer=0x1ea36e8, nNumberOfBytesToRead=0x179, lpNumberOfBytesRead=0x18f6b0, lpOverlapped=0x0 | out: lpBuffer=0x1ea36e8*, lpNumberOfBytesRead=0x18f6b0*=0x179, lpOverlapped=0x0) returned 1 [0047.721] SetFileAttributesW (lpFileName="C:\\Windows\\TEMP\\qFA91A.tmp", dwFileAttributes=0x80) returned 1 [0047.721] DeleteFileW (lpFileName="C:\\Windows\\TEMP\\qFA91A.tmp" (normalized: "c:\\windows\\temp\\qfa91a.tmp")) returned 1 [0047.722] GetFileAttributesExW (in: lpFileName="C:\\Windows\\TEMP\\4A91B.tmp" (normalized: "c:\\windows\\temp\\4a91b.tmp"), fInfoLevelId=0x0, lpFileInformation=0x18f680 | out: lpFileInformation=0x18f680*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2fee7730, ftCreationTime.dwHighDateTime=0x1d4af0a, ftLastAccessTime.dwLowDateTime=0x2fee7730, ftLastAccessTime.dwHighDateTime=0x1d4af0a, ftLastWriteTime.dwLowDateTime=0x2fee7730, ftLastWriteTime.dwHighDateTime=0x1d4af0a, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0047.722] SetFileAttributesW (lpFileName="C:\\Windows\\TEMP\\4A91B.tmp", dwFileAttributes=0x80) returned 1 [0047.722] DeleteFileW (lpFileName="C:\\Windows\\TEMP\\4A91B.tmp" (normalized: "c:\\windows\\temp\\4a91b.tmp")) returned 1 [0047.722] CryptAcquireContextW (in: phProv=0x18f638, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x18f638*=0x6d2158) returned 1 [0047.723] CryptGenRandom (in: hProv=0x6d2158, dwLen=0x4, pbBuffer=0x18f64c | out: pbBuffer=0x18f64c) returned 1 [0047.723] CryptReleaseContext (hProv=0x6d2158, dwFlags=0x0) returned 1 [0047.723] CryptAcquireContextW (in: phProv=0x18f634, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x18f634*=0x6d2158) returned 1 [0047.724] CryptGenRandom (in: hProv=0x6d2158, dwLen=0x4, pbBuffer=0x18f648 | out: pbBuffer=0x18f648) returned 1 [0047.724] CryptReleaseContext (hProv=0x6d2158, dwFlags=0x0) returned 1 [0047.724] CryptAcquireContextW (in: phProv=0x18f634, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x18f634*=0x6d2158) returned 1 [0047.724] CryptGenRandom (in: hProv=0x6d2158, dwLen=0x4, pbBuffer=0x18f648 | out: pbBuffer=0x18f648) returned 1 [0047.724] CryptReleaseContext (hProv=0x6d2158, dwFlags=0x0) returned 1 [0047.724] CryptAcquireContextW (in: phProv=0x18f634, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x18f634*=0x6d2158) returned 1 [0047.725] CryptGenRandom (in: hProv=0x6d2158, dwLen=0x4, pbBuffer=0x18f648 | out: pbBuffer=0x18f648) returned 1 [0047.725] CryptReleaseContext (hProv=0x6d2158, dwFlags=0x0) returned 1 [0047.725] CryptAcquireContextW (in: phProv=0x18f634, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x18f634*=0x6d2158) returned 1 [0047.725] CryptGenRandom (in: hProv=0x6d2158, dwLen=0x4, pbBuffer=0x18f648 | out: pbBuffer=0x18f648) returned 1 [0047.725] CryptReleaseContext (hProv=0x6d2158, dwFlags=0x0) returned 1 [0047.725] GetTempFileNameW (in: lpPathName="C:\\Windows\\TEMP", lpPrefixString="jPE", uUnique=0x0, lpTempFileName=0x1ea4df8 | out: lpTempFileName="C:\\Windows\\TEMP\\jPEAEC7.tmp" (normalized: "c:\\windows\\temp\\jpeaec7.tmp")) returned 0xaec7 [0047.726] GetShortPathNameW (in: lpszLongPath="C:\\Windows\\TEMP\\jPEAEC7.tmp", lpszShortPath=0x1ea5200, cchBuffer=0x100 | out: lpszShortPath="C:\\Windows\\TEMP\\jPEAEC7.tmp") returned 0x1b [0047.726] CryptAcquireContextW (in: phProv=0x18f638, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x18f638*=0x6d2158) returned 1 [0047.726] CryptGenRandom (in: hProv=0x6d2158, dwLen=0x4, pbBuffer=0x18f64c | out: pbBuffer=0x18f64c) returned 1 [0047.726] CryptReleaseContext (hProv=0x6d2158, dwFlags=0x0) returned 1 [0047.726] CryptAcquireContextW (in: phProv=0x18f634, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x18f634*=0x6d2158) returned 1 [0047.727] CryptGenRandom (in: hProv=0x6d2158, dwLen=0x4, pbBuffer=0x18f648 | out: pbBuffer=0x18f648) returned 1 [0047.727] CryptReleaseContext (hProv=0x6d2158, dwFlags=0x0) returned 1 [0047.727] CryptAcquireContextW (in: phProv=0x18f634, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x18f634*=0x6d2158) returned 1 [0047.728] CryptGenRandom (in: hProv=0x6d2158, dwLen=0x4, pbBuffer=0x18f648 | out: pbBuffer=0x18f648) returned 1 [0047.728] CryptReleaseContext (hProv=0x6d2158, dwFlags=0x0) returned 1 [0047.728] CryptAcquireContextW (in: phProv=0x18f634, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x18f634*=0x6d2158) returned 1 [0047.728] CryptGenRandom (in: hProv=0x6d2158, dwLen=0x4, pbBuffer=0x18f648 | out: pbBuffer=0x18f648) returned 1 [0047.728] CryptReleaseContext (hProv=0x6d2158, dwFlags=0x0) returned 1 [0047.728] CryptAcquireContextW (in: phProv=0x18f634, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x18f634*=0x6d2158) returned 1 [0047.729] CryptGenRandom (in: hProv=0x6d2158, dwLen=0x4, pbBuffer=0x18f648 | out: pbBuffer=0x18f648) returned 1 [0047.729] CryptReleaseContext (hProv=0x6d2158, dwFlags=0x0) returned 1 [0047.729] CryptAcquireContextW (in: phProv=0x18f634, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x18f634*=0x6d2158) returned 1 [0047.729] CryptGenRandom (in: hProv=0x6d2158, dwLen=0x4, pbBuffer=0x18f648 | out: pbBuffer=0x18f648) returned 1 [0047.729] CryptReleaseContext (hProv=0x6d2158, dwFlags=0x0) returned 1 [0047.729] GetTempFileNameW (in: lpPathName="C:\\Windows\\TEMP", lpPrefixString="XA9", uUnique=0x0, lpTempFileName=0x1ea4df8 | out: lpTempFileName="C:\\Windows\\TEMP\\XA9AED7.tmp" (normalized: "c:\\windows\\temp\\xa9aed7.tmp")) returned 0xaed7 [0047.730] GetShortPathNameW (in: lpszLongPath="C:\\Windows\\TEMP\\XA9AED7.tmp", lpszShortPath=0x1ea5608, cchBuffer=0x100 | out: lpszShortPath="C:\\Windows\\TEMP\\XA9AED7.tmp") returned 0x1b [0047.730] CreateFileW (lpFileName="C:\\Windows\\TEMP\\jPEAEC7.tmp" (normalized: "c:\\windows\\temp\\jpeaec7.tmp"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x18f738, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0047.730] CreateFileW (lpFileName="C:\\Windows\\TEMP\\XA9AED7.tmp" (normalized: "c:\\windows\\temp\\xa9aed7.tmp"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x18f738, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0047.730] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\nslookup.exe", lpCommandLine="C:\\Windows\\system32\\nslookup.exe 192.168.0.1", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x18f6c0*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x158, hStdError=0x150), lpProcessInformation=0x18f728 | out: lpCommandLine="C:\\Windows\\system32\\nslookup.exe 192.168.0.1", lpProcessInformation=0x18f728*(hProcess=0x154, hThread=0x14c, dwProcessId=0xac8, dwThreadId=0xacc)) returned 1 [0048.110] NtClose (Handle=0x14c) returned 0x0 [0048.110] WaitForSingleObject (hHandle=0x154, dwMilliseconds=0xea60) returned 0x0 [0048.740] NtClose (Handle=0x158) returned 0x0 [0048.741] NtClose (Handle=0x150) returned 0x0 [0048.741] CreateFileW (lpFileName="C:\\Windows\\TEMP\\jPEAEC7.tmp" (normalized: "c:\\windows\\temp\\jpeaec7.tmp"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0048.741] SetFileTime (hFile=0x150, lpCreationTime=0x0, lpLastAccessTime=0x18f684, lpLastWriteTime=0x18f684) returned 0 [0048.741] GetFileSize (in: hFile=0x150, lpFileSizeHigh=0x18f670 | out: lpFileSizeHigh=0x18f670*=0x0) returned 0x2b [0048.741] SetFilePointer (in: hFile=0x150, lDistanceToMove=0, lpDistanceToMoveHigh=0x18f67c*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x18f67c*=0) returned 0x0 [0048.741] ReadFile (in: hFile=0x150, lpBuffer=0x1ea33c8, nNumberOfBytesToRead=0x2b, lpNumberOfBytesRead=0x18f6b0, lpOverlapped=0x0 | out: lpBuffer=0x1ea33c8*, lpNumberOfBytesRead=0x18f6b0*=0x2b, lpOverlapped=0x0) returned 1 [0048.741] SetFileAttributesW (lpFileName="C:\\Windows\\TEMP\\jPEAEC7.tmp", dwFileAttributes=0x80) returned 1 [0048.742] DeleteFileW (lpFileName="C:\\Windows\\TEMP\\jPEAEC7.tmp" (normalized: "c:\\windows\\temp\\jpeaec7.tmp")) returned 1 [0048.743] GetFileAttributesExW (in: lpFileName="C:\\Windows\\TEMP\\XA9AED7.tmp" (normalized: "c:\\windows\\temp\\xa9aed7.tmp"), fInfoLevelId=0x0, lpFileInformation=0x18f680 | out: lpFileInformation=0x18f680*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x30ce3870, ftCreationTime.dwHighDateTime=0x1d4af0a, ftLastAccessTime.dwLowDateTime=0x30ce3870, ftLastAccessTime.dwHighDateTime=0x1d4af0a, ftLastWriteTime.dwLowDateTime=0x315d0af0, ftLastWriteTime.dwHighDateTime=0x1d4af0a, nFileSizeHigh=0x0, nFileSizeLow=0x3a)) returned 1 [0048.743] SetFileAttributesW (lpFileName="C:\\Windows\\TEMP\\XA9AED7.tmp", dwFileAttributes=0x80) returned 1 [0048.743] DeleteFileW (lpFileName="C:\\Windows\\TEMP\\XA9AED7.tmp" (normalized: "c:\\windows\\temp\\xa9aed7.tmp")) returned 1 [0048.744] CryptAcquireContextW (in: phProv=0x18f638, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x18f638*=0x6d2158) returned 1 [0048.744] CryptGenRandom (in: hProv=0x6d2158, dwLen=0x4, pbBuffer=0x18f64c | out: pbBuffer=0x18f64c) returned 1 [0048.744] CryptReleaseContext (hProv=0x6d2158, dwFlags=0x0) returned 1 [0048.744] CryptAcquireContextW (in: phProv=0x18f634, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x18f634*=0x6d2158) returned 1 [0048.745] CryptGenRandom (in: hProv=0x6d2158, dwLen=0x4, pbBuffer=0x18f648 | out: pbBuffer=0x18f648) returned 1 [0048.745] CryptReleaseContext (hProv=0x6d2158, dwFlags=0x0) returned 1 [0048.745] CryptAcquireContextW (in: phProv=0x18f634, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x18f634*=0x6d2158) returned 1 [0048.745] CryptGenRandom (in: hProv=0x6d2158, dwLen=0x4, pbBuffer=0x18f648 | out: pbBuffer=0x18f648) returned 1 [0048.745] CryptReleaseContext (hProv=0x6d2158, dwFlags=0x0) returned 1 [0048.745] CryptAcquireContextW (in: phProv=0x18f634, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x18f634*=0x6d2158) returned 1 [0048.746] CryptGenRandom (in: hProv=0x6d2158, dwLen=0x4, pbBuffer=0x18f648 | out: pbBuffer=0x18f648) returned 1 [0048.746] CryptReleaseContext (hProv=0x6d2158, dwFlags=0x0) returned 1 [0048.746] GetTempFileNameW (in: lpPathName="C:\\Windows\\TEMP", lpPrefixString="Ool", uUnique=0x0, lpTempFileName=0x1ea4df8 | out: lpTempFileName="C:\\Windows\\TEMP\\OolB290.tmp" (normalized: "c:\\windows\\temp\\oolb290.tmp")) returned 0xb290 [0048.746] GetShortPathNameW (in: lpszLongPath="C:\\Windows\\TEMP\\OolB290.tmp", lpszShortPath=0x1ea5200, cchBuffer=0x100 | out: lpszShortPath="C:\\Windows\\TEMP\\OolB290.tmp") returned 0x1b [0048.747] CryptAcquireContextW (in: phProv=0x18f638, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x18f638*=0x6d2158) returned 1 [0048.747] CryptGenRandom (in: hProv=0x6d2158, dwLen=0x4, pbBuffer=0x18f64c | out: pbBuffer=0x18f64c) returned 1 [0048.747] CryptReleaseContext (hProv=0x6d2158, dwFlags=0x0) returned 1 [0048.747] CryptAcquireContextW (in: phProv=0x18f634, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x18f634*=0x6d2158) returned 1 [0048.748] CryptGenRandom (in: hProv=0x6d2158, dwLen=0x4, pbBuffer=0x18f648 | out: pbBuffer=0x18f648) returned 1 [0048.748] CryptReleaseContext (hProv=0x6d2158, dwFlags=0x0) returned 1 [0048.748] CryptAcquireContextW (in: phProv=0x18f634, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x18f634*=0x6d2158) returned 1 [0048.748] CryptGenRandom (in: hProv=0x6d2158, dwLen=0x4, pbBuffer=0x18f648 | out: pbBuffer=0x18f648) returned 1 [0048.748] CryptReleaseContext (hProv=0x6d2158, dwFlags=0x0) returned 1 [0048.748] CryptAcquireContextW (in: phProv=0x18f634, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x18f634*=0x6d2158) returned 1 [0048.749] CryptGenRandom (in: hProv=0x6d2158, dwLen=0x4, pbBuffer=0x18f648 | out: pbBuffer=0x18f648) returned 1 [0048.749] CryptReleaseContext (hProv=0x6d2158, dwFlags=0x0) returned 1 [0048.749] CryptAcquireContextW (in: phProv=0x18f634, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x18f634*=0x6d2158) returned 1 [0048.749] CryptGenRandom (in: hProv=0x6d2158, dwLen=0x4, pbBuffer=0x18f648 | out: pbBuffer=0x18f648) returned 1 [0048.749] CryptReleaseContext (hProv=0x6d2158, dwFlags=0x0) returned 1 [0048.749] CryptAcquireContextW (in: phProv=0x18f634, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x18f634*=0x6d2158) returned 1 [0048.750] CryptGenRandom (in: hProv=0x6d2158, dwLen=0x4, pbBuffer=0x18f648 | out: pbBuffer=0x18f648) returned 1 [0048.750] CryptReleaseContext (hProv=0x6d2158, dwFlags=0x0) returned 1 [0048.750] CryptAcquireContextW (in: phProv=0x18f634, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x18f634*=0x6d2158) returned 1 [0048.750] CryptGenRandom (in: hProv=0x6d2158, dwLen=0x4, pbBuffer=0x18f648 | out: pbBuffer=0x18f648) returned 1 [0048.750] CryptReleaseContext (hProv=0x6d2158, dwFlags=0x0) returned 1 [0048.750] CryptAcquireContextW (in: phProv=0x18f634, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x18f634*=0x6d2158) returned 1 [0048.751] CryptGenRandom (in: hProv=0x6d2158, dwLen=0x4, pbBuffer=0x18f648 | out: pbBuffer=0x18f648) returned 1 [0048.751] CryptReleaseContext (hProv=0x6d2158, dwFlags=0x0) returned 1 [0048.751] CryptAcquireContextW (in: phProv=0x18f634, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x18f634*=0x6d2158) returned 1 [0048.752] CryptGenRandom (in: hProv=0x6d2158, dwLen=0x4, pbBuffer=0x18f648 | out: pbBuffer=0x18f648) returned 1 [0048.752] CryptReleaseContext (hProv=0x6d2158, dwFlags=0x0) returned 1 [0048.752] CryptAcquireContextW (in: phProv=0x18f634, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x18f634*=0x6d2158) returned 1 [0048.752] CryptGenRandom (in: hProv=0x6d2158, dwLen=0x4, pbBuffer=0x18f648 | out: pbBuffer=0x18f648) returned 1 [0048.752] CryptReleaseContext (hProv=0x6d2158, dwFlags=0x0) returned 1 [0048.752] CryptAcquireContextW (in: phProv=0x18f634, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x18f634*=0x6d2158) returned 1 [0048.753] CryptGenRandom (in: hProv=0x6d2158, dwLen=0x4, pbBuffer=0x18f648 | out: pbBuffer=0x18f648) returned 1 [0048.753] CryptReleaseContext (hProv=0x6d2158, dwFlags=0x0) returned 1 [0048.753] GetTempFileNameW (in: lpPathName="C:\\Windows\\TEMP", lpPrefixString="wLa", uUnique=0x0, lpTempFileName=0x1ea4df8 | out: lpTempFileName="C:\\Windows\\TEMP\\wLaB291.tmp" (normalized: "c:\\windows\\temp\\wlab291.tmp")) returned 0xb291 [0048.753] GetShortPathNameW (in: lpszLongPath="C:\\Windows\\TEMP\\wLaB291.tmp", lpszShortPath=0x1ea5608, cchBuffer=0x100 | out: lpszShortPath="C:\\Windows\\TEMP\\wLaB291.tmp") returned 0x1b [0048.753] CreateFileW (lpFileName="C:\\Windows\\TEMP\\OolB290.tmp" (normalized: "c:\\windows\\temp\\oolb290.tmp"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x18f738, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0048.753] CreateFileW (lpFileName="C:\\Windows\\TEMP\\wLaB291.tmp" (normalized: "c:\\windows\\temp\\wlab291.tmp"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x18f738, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0048.753] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\nslookup.exe", lpCommandLine="C:\\Windows\\system32\\nslookup.exe 192.168.0.255", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x18f6c0*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x154, hStdError=0x150), lpProcessInformation=0x18f728 | out: lpCommandLine="C:\\Windows\\system32\\nslookup.exe 192.168.0.255", lpProcessInformation=0x18f728*(hProcess=0x14c, hThread=0x158, dwProcessId=0xae0, dwThreadId=0xae4)) returned 1 [0048.756] NtClose (Handle=0x158) returned 0x0 [0048.756] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xea60) returned 0x0 [0049.100] NtClose (Handle=0x154) returned 0x0 [0049.101] NtClose (Handle=0x150) returned 0x0 [0049.102] CreateFileW (lpFileName="C:\\Windows\\TEMP\\OolB290.tmp" (normalized: "c:\\windows\\temp\\oolb290.tmp"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0049.102] SetFileTime (hFile=0x150, lpCreationTime=0x0, lpLastAccessTime=0x18f684, lpLastWriteTime=0x18f684) returned 0 [0049.102] GetFileSize (in: hFile=0x150, lpFileSizeHigh=0x18f670 | out: lpFileSizeHigh=0x18f670*=0x0) returned 0x2b [0049.102] SetFilePointer (in: hFile=0x150, lDistanceToMove=0, lpDistanceToMoveHigh=0x18f67c*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x18f67c*=0) returned 0x0 [0049.102] ReadFile (in: hFile=0x150, lpBuffer=0x1ea2e70, nNumberOfBytesToRead=0x2b, lpNumberOfBytesRead=0x18f6b0, lpOverlapped=0x0 | out: lpBuffer=0x1ea2e70*, lpNumberOfBytesRead=0x18f6b0*=0x2b, lpOverlapped=0x0) returned 1 [0049.102] SetFileAttributesW (lpFileName="C:\\Windows\\TEMP\\OolB290.tmp", dwFileAttributes=0x80) returned 1 [0049.102] DeleteFileW (lpFileName="C:\\Windows\\TEMP\\OolB290.tmp" (normalized: "c:\\windows\\temp\\oolb290.tmp")) returned 1 [0049.103] GetFileAttributesExW (in: lpFileName="C:\\Windows\\TEMP\\wLaB291.tmp" (normalized: "c:\\windows\\temp\\wlab291.tmp"), fInfoLevelId=0x0, lpFileInformation=0x18f680 | out: lpFileInformation=0x18f680*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x315f6c50, ftCreationTime.dwHighDateTime=0x1d4af0a, ftLastAccessTime.dwLowDateTime=0x315f6c50, ftLastAccessTime.dwHighDateTime=0x1d4af0a, ftLastWriteTime.dwLowDateTime=0x31962bf0, ftLastWriteTime.dwHighDateTime=0x1d4af0a, nFileSizeHigh=0x0, nFileSizeLow=0x3c)) returned 1 [0049.103] SetFileAttributesW (lpFileName="C:\\Windows\\TEMP\\wLaB291.tmp", dwFileAttributes=0x80) returned 1 [0049.103] DeleteFileW (lpFileName="C:\\Windows\\TEMP\\wLaB291.tmp" (normalized: "c:\\windows\\temp\\wlab291.tmp")) returned 1 [0049.104] CryptAcquireContextW (in: phProv=0x18f638, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x18f638*=0x6d2158) returned 1 [0049.104] CryptGenRandom (in: hProv=0x6d2158, dwLen=0x4, pbBuffer=0x18f64c | out: pbBuffer=0x18f64c) returned 1 [0049.104] CryptReleaseContext (hProv=0x6d2158, dwFlags=0x0) returned 1 [0049.104] CryptAcquireContextW (in: phProv=0x18f634, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x18f634*=0x6d2158) returned 1 [0049.105] CryptGenRandom (in: hProv=0x6d2158, dwLen=0x4, pbBuffer=0x18f648 | out: pbBuffer=0x18f648) returned 1 [0049.105] CryptReleaseContext (hProv=0x6d2158, dwFlags=0x0) returned 1 [0049.105] CryptAcquireContextW (in: phProv=0x18f634, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x18f634*=0x6d2158) returned 1 [0049.105] CryptGenRandom (in: hProv=0x6d2158, dwLen=0x4, pbBuffer=0x18f648 | out: pbBuffer=0x18f648) returned 1 [0049.105] CryptReleaseContext (hProv=0x6d2158, dwFlags=0x0) returned 1 [0049.105] CryptAcquireContextW (in: phProv=0x18f634, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x18f634*=0x6d2158) returned 1 [0049.106] CryptGenRandom (in: hProv=0x6d2158, dwLen=0x4, pbBuffer=0x18f648 | out: pbBuffer=0x18f648) returned 1 [0049.106] CryptReleaseContext (hProv=0x6d2158, dwFlags=0x0) returned 1 [0049.106] CryptAcquireContextW (in: phProv=0x18f634, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x18f634*=0x6d2158) returned 1 [0049.106] CryptGenRandom (in: hProv=0x6d2158, dwLen=0x4, pbBuffer=0x18f648 | out: pbBuffer=0x18f648) returned 1 [0049.106] CryptReleaseContext (hProv=0x6d2158, dwFlags=0x0) returned 1 [0049.106] CryptAcquireContextW (in: phProv=0x18f634, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x18f634*=0x6d2158) returned 1 [0049.107] CryptGenRandom (in: hProv=0x6d2158, dwLen=0x4, pbBuffer=0x18f648 | out: pbBuffer=0x18f648) returned 1 [0049.107] CryptReleaseContext (hProv=0x6d2158, dwFlags=0x0) returned 1 [0049.107] CryptAcquireContextW (in: phProv=0x18f634, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x18f634*=0x6d2158) returned 1 [0049.107] CryptGenRandom (in: hProv=0x6d2158, dwLen=0x4, pbBuffer=0x18f648 | out: pbBuffer=0x18f648) returned 1 [0049.107] CryptReleaseContext (hProv=0x6d2158, dwFlags=0x0) returned 1 [0049.107] GetTempFileNameW (in: lpPathName="C:\\Windows\\TEMP", lpPrefixString="Etc", uUnique=0x0, lpTempFileName=0x1ea4df8 | out: lpTempFileName="C:\\Windows\\TEMP\\EtcB3F9.tmp" (normalized: "c:\\windows\\temp\\etcb3f9.tmp")) returned 0xb3f9 [0049.108] GetShortPathNameW (in: lpszLongPath="C:\\Windows\\TEMP\\EtcB3F9.tmp", lpszShortPath=0x1ea5200, cchBuffer=0x100 | out: lpszShortPath="C:\\Windows\\TEMP\\EtcB3F9.tmp") returned 0x1b [0049.108] CryptAcquireContextW (in: phProv=0x18f638, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x18f638*=0x6d2158) returned 1 [0049.109] CryptGenRandom (in: hProv=0x6d2158, dwLen=0x4, pbBuffer=0x18f64c | out: pbBuffer=0x18f64c) returned 1 [0049.109] CryptReleaseContext (hProv=0x6d2158, dwFlags=0x0) returned 1 [0049.109] CryptAcquireContextW (in: phProv=0x18f634, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x18f634*=0x6d2158) returned 1 [0049.109] CryptGenRandom (in: hProv=0x6d2158, dwLen=0x4, pbBuffer=0x18f648 | out: pbBuffer=0x18f648) returned 1 [0049.109] CryptReleaseContext (hProv=0x6d2158, dwFlags=0x0) returned 1 [0049.109] CryptAcquireContextW (in: phProv=0x18f634, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x18f634*=0x6d2158) returned 1 [0049.110] CryptGenRandom (in: hProv=0x6d2158, dwLen=0x4, pbBuffer=0x18f648 | out: pbBuffer=0x18f648) returned 1 [0049.110] CryptReleaseContext (hProv=0x6d2158, dwFlags=0x0) returned 1 [0049.110] GetTempFileNameW (in: lpPathName="C:\\Windows\\TEMP", lpPrefixString="cD", uUnique=0x0, lpTempFileName=0x1ea4df8 | out: lpTempFileName="C:\\Windows\\TEMP\\cDB3FA.tmp" (normalized: "c:\\windows\\temp\\cdb3fa.tmp")) returned 0xb3fa [0049.110] GetShortPathNameW (in: lpszLongPath="C:\\Windows\\TEMP\\cDB3FA.tmp", lpszShortPath=0x1ea5608, cchBuffer=0x100 | out: lpszShortPath="C:\\Windows\\TEMP\\cDB3FA.tmp") returned 0x1a [0049.110] CreateFileW (lpFileName="C:\\Windows\\TEMP\\EtcB3F9.tmp" (normalized: "c:\\windows\\temp\\etcb3f9.tmp"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x18f738, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0049.110] CreateFileW (lpFileName="C:\\Windows\\TEMP\\cDB3FA.tmp" (normalized: "c:\\windows\\temp\\cdb3fa.tmp"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x18f738, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0049.110] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\nslookup.exe", lpCommandLine="C:\\Windows\\system32\\nslookup.exe 224.0.0.22", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x18f6c0*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x14c, hStdError=0x150), lpProcessInformation=0x18f728 | out: lpCommandLine="C:\\Windows\\system32\\nslookup.exe 224.0.0.22", lpProcessInformation=0x18f728*(hProcess=0x158, hThread=0x154, dwProcessId=0xaf8, dwThreadId=0xafc)) returned 1 [0049.115] NtClose (Handle=0x154) returned 0x0 [0049.115] WaitForSingleObject (hHandle=0x158, dwMilliseconds=0xea60) returned 0x0 [0050.152] NtClose (Handle=0x14c) returned 0x0 [0050.153] NtClose (Handle=0x150) returned 0x0 [0050.153] CreateFileW (lpFileName="C:\\Windows\\TEMP\\EtcB3F9.tmp" (normalized: "c:\\windows\\temp\\etcb3f9.tmp"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0050.153] SetFileTime (hFile=0x150, lpCreationTime=0x0, lpLastAccessTime=0x18f684, lpLastWriteTime=0x18f684) returned 0 [0050.153] GetFileSize (in: hFile=0x150, lpFileSizeHigh=0x18f670 | out: lpFileSizeHigh=0x18f670*=0x0) returned 0x5c [0050.153] SetFilePointer (in: hFile=0x150, lDistanceToMove=0, lpDistanceToMoveHigh=0x18f67c*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x18f67c*=0) returned 0x0 [0050.153] ReadFile (in: hFile=0x150, lpBuffer=0x1ea13c8, nNumberOfBytesToRead=0x5c, lpNumberOfBytesRead=0x18f6b0, lpOverlapped=0x0 | out: lpBuffer=0x1ea13c8*, lpNumberOfBytesRead=0x18f6b0*=0x5c, lpOverlapped=0x0) returned 1 [0050.153] SetFileAttributesW (lpFileName="C:\\Windows\\TEMP\\EtcB3F9.tmp", dwFileAttributes=0x80) returned 1 [0050.153] DeleteFileW (lpFileName="C:\\Windows\\TEMP\\EtcB3F9.tmp" (normalized: "c:\\windows\\temp\\etcb3f9.tmp")) returned 1 [0050.154] GetFileAttributesExW (in: lpFileName="C:\\Windows\\TEMP\\cDB3FA.tmp" (normalized: "c:\\windows\\temp\\cdb3fa.tmp"), fInfoLevelId=0x0, lpFileInformation=0x18f680 | out: lpFileInformation=0x18f680*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31962bf0, ftCreationTime.dwHighDateTime=0x1d4af0a, ftLastAccessTime.dwLowDateTime=0x31962bf0, ftLastAccessTime.dwHighDateTime=0x1d4af0a, ftLastWriteTime.dwLowDateTime=0x31962bf0, ftLastWriteTime.dwHighDateTime=0x1d4af0a, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0050.154] SetFileAttributesW (lpFileName="C:\\Windows\\TEMP\\cDB3FA.tmp", dwFileAttributes=0x80) returned 1 [0050.154] DeleteFileW (lpFileName="C:\\Windows\\TEMP\\cDB3FA.tmp" (normalized: "c:\\windows\\temp\\cdb3fa.tmp")) returned 1 [0050.155] CryptAcquireContextW (in: phProv=0x18f638, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x18f638*=0x6d2158) returned 1 [0050.158] CryptGenRandom (in: hProv=0x6d2158, dwLen=0x4, pbBuffer=0x18f64c | out: pbBuffer=0x18f64c) returned 1 [0050.158] CryptReleaseContext (hProv=0x6d2158, dwFlags=0x0) returned 1 [0050.158] CryptAcquireContextW (in: phProv=0x18f634, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x18f634*=0x6d2158) returned 1 [0050.159] CryptGenRandom (in: hProv=0x6d2158, dwLen=0x4, pbBuffer=0x18f648 | out: pbBuffer=0x18f648) returned 1 [0050.159] CryptReleaseContext (hProv=0x6d2158, dwFlags=0x0) returned 1 [0050.159] CryptAcquireContextW (in: phProv=0x18f634, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x18f634*=0x6d2158) returned 1 [0050.161] CryptGenRandom (in: hProv=0x6d2158, dwLen=0x4, pbBuffer=0x18f648 | out: pbBuffer=0x18f648) returned 1 [0050.161] CryptReleaseContext (hProv=0x6d2158, dwFlags=0x0) returned 1 [0050.161] CryptAcquireContextW (in: phProv=0x18f634, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x18f634*=0x6d2158) returned 1 [0050.161] CryptGenRandom (in: hProv=0x6d2158, dwLen=0x4, pbBuffer=0x18f648 | out: pbBuffer=0x18f648) returned 1 [0050.161] CryptReleaseContext (hProv=0x6d2158, dwFlags=0x0) returned 1 [0050.161] CryptAcquireContextW (in: phProv=0x18f634, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x18f634*=0x6d2158) returned 1 [0050.162] CryptGenRandom (in: hProv=0x6d2158, dwLen=0x4, pbBuffer=0x18f648 | out: pbBuffer=0x18f648) returned 1 [0050.162] CryptReleaseContext (hProv=0x6d2158, dwFlags=0x0) returned 1 [0050.162] CryptAcquireContextW (in: phProv=0x18f634, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x18f634*=0x6d2158) returned 1 [0050.163] CryptGenRandom (in: hProv=0x6d2158, dwLen=0x4, pbBuffer=0x18f648 | out: pbBuffer=0x18f648) returned 1 [0050.163] CryptReleaseContext (hProv=0x6d2158, dwFlags=0x0) returned 1 [0050.163] GetTempFileNameW (in: lpPathName="C:\\Windows\\TEMP", lpPrefixString="UAf", uUnique=0x0, lpTempFileName=0x1ea4df8 | out: lpTempFileName="C:\\Windows\\TEMP\\UAfB81F.tmp" (normalized: "c:\\windows\\temp\\uafb81f.tmp")) returned 0xb81f [0050.163] GetShortPathNameW (in: lpszLongPath="C:\\Windows\\TEMP\\UAfB81F.tmp", lpszShortPath=0x1ea5200, cchBuffer=0x100 | out: lpszShortPath="C:\\Windows\\TEMP\\UAfB81F.tmp") returned 0x1b [0050.163] CryptAcquireContextW (in: phProv=0x18f638, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x18f638*=0x6d2158) returned 1 [0050.164] CryptGenRandom (in: hProv=0x6d2158, dwLen=0x4, pbBuffer=0x18f64c | out: pbBuffer=0x18f64c) returned 1 [0050.164] CryptReleaseContext (hProv=0x6d2158, dwFlags=0x0) returned 1 [0050.164] CryptAcquireContextW (in: phProv=0x18f634, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x18f634*=0x6d2158) returned 1 [0050.164] CryptGenRandom (in: hProv=0x6d2158, dwLen=0x4, pbBuffer=0x18f648 | out: pbBuffer=0x18f648) returned 1 [0050.164] CryptReleaseContext (hProv=0x6d2158, dwFlags=0x0) returned 1 [0050.165] GetTempFileNameW (in: lpPathName="C:\\Windows\\TEMP", lpPrefixString="v", uUnique=0x0, lpTempFileName=0x1ea4df8 | out: lpTempFileName="C:\\Windows\\TEMP\\vB820.tmp" (normalized: "c:\\windows\\temp\\vb820.tmp")) returned 0xb820 [0050.165] GetShortPathNameW (in: lpszLongPath="C:\\Windows\\TEMP\\vB820.tmp", lpszShortPath=0x1ea5608, cchBuffer=0x100 | out: lpszShortPath="C:\\Windows\\TEMP\\vB820.tmp") returned 0x19 [0050.165] CreateFileW (lpFileName="C:\\Windows\\TEMP\\UAfB81F.tmp" (normalized: "c:\\windows\\temp\\uafb81f.tmp"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x18f738, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x158 [0050.165] CreateFileW (lpFileName="C:\\Windows\\TEMP\\vB820.tmp" (normalized: "c:\\windows\\temp\\vb820.tmp"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x18f738, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0050.165] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\nslookup.exe", lpCommandLine="C:\\Windows\\system32\\nslookup.exe 224.0.0.252", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x18f6c0*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x158, hStdError=0x150), lpProcessInformation=0x18f728 | out: lpCommandLine="C:\\Windows\\system32\\nslookup.exe 224.0.0.252", lpProcessInformation=0x18f728*(hProcess=0x154, hThread=0x14c, dwProcessId=0xb14, dwThreadId=0xb18)) returned 1 [0050.171] NtClose (Handle=0x14c) returned 0x0 [0050.171] WaitForSingleObject (hHandle=0x154, dwMilliseconds=0xea60) returned 0x0 [0050.756] NtClose (Handle=0x158) returned 0x0 [0050.756] NtClose (Handle=0x150) returned 0x0 [0050.756] CreateFileW (lpFileName="C:\\Windows\\TEMP\\UAfB81F.tmp" (normalized: "c:\\windows\\temp\\uafb81f.tmp"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0050.756] SetFileTime (hFile=0x150, lpCreationTime=0x0, lpLastAccessTime=0x18f684, lpLastWriteTime=0x18f684) returned 0 [0050.756] GetFileSize (in: hFile=0x150, lpFileSizeHigh=0x18f670 | out: lpFileSizeHigh=0x18f670*=0x0) returned 0x2b [0050.757] SetFilePointer (in: hFile=0x150, lDistanceToMove=0, lpDistanceToMoveHigh=0x18f67c*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x18f67c*=0) returned 0x0 [0050.757] ReadFile (in: hFile=0x150, lpBuffer=0x1ea3338, nNumberOfBytesToRead=0x2b, lpNumberOfBytesRead=0x18f6b0, lpOverlapped=0x0 | out: lpBuffer=0x1ea3338*, lpNumberOfBytesRead=0x18f6b0*=0x2b, lpOverlapped=0x0) returned 1 [0050.757] SetFileAttributesW (lpFileName="C:\\Windows\\TEMP\\UAfB81F.tmp", dwFileAttributes=0x80) returned 1 [0050.757] DeleteFileW (lpFileName="C:\\Windows\\TEMP\\UAfB81F.tmp" (normalized: "c:\\windows\\temp\\uafb81f.tmp")) returned 1 [0050.758] GetFileAttributesExW (in: lpFileName="C:\\Windows\\TEMP\\vB820.tmp" (normalized: "c:\\windows\\temp\\vb820.tmp"), fInfoLevelId=0x0, lpFileInformation=0x18f680 | out: lpFileInformation=0x18f680*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32380970, ftCreationTime.dwHighDateTime=0x1d4af0a, ftLastAccessTime.dwLowDateTime=0x32380970, ftLastAccessTime.dwHighDateTime=0x1d4af0a, ftLastWriteTime.dwLowDateTime=0x32927db0, ftLastWriteTime.dwHighDateTime=0x1d4af0a, nFileSizeHigh=0x0, nFileSizeLow=0x3a)) returned 1 [0050.758] SetFileAttributesW (lpFileName="C:\\Windows\\TEMP\\vB820.tmp", dwFileAttributes=0x80) returned 1 [0050.758] DeleteFileW (lpFileName="C:\\Windows\\TEMP\\vB820.tmp" (normalized: "c:\\windows\\temp\\vb820.tmp")) returned 1 [0050.759] CryptAcquireContextW (in: phProv=0x18f638, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x18f638*=0x6d2158) returned 1 [0050.759] CryptGenRandom (in: hProv=0x6d2158, dwLen=0x4, pbBuffer=0x18f64c | out: pbBuffer=0x18f64c) returned 1 [0050.759] CryptReleaseContext (hProv=0x6d2158, dwFlags=0x0) returned 1 [0050.759] CryptAcquireContextW (in: phProv=0x18f634, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x18f634*=0x6d2158) returned 1 [0050.760] CryptGenRandom (in: hProv=0x6d2158, dwLen=0x4, pbBuffer=0x18f648 | out: pbBuffer=0x18f648) returned 1 [0050.760] CryptReleaseContext (hProv=0x6d2158, dwFlags=0x0) returned 1 [0050.760] GetTempFileNameW (in: lpPathName="C:\\Windows\\TEMP", lpPrefixString="z", uUnique=0x0, lpTempFileName=0x1ea4df8 | out: lpTempFileName="C:\\Windows\\TEMP\\zBA72.tmp" (normalized: "c:\\windows\\temp\\zba72.tmp")) returned 0xba72 [0050.760] GetShortPathNameW (in: lpszLongPath="C:\\Windows\\TEMP\\zBA72.tmp", lpszShortPath=0x1ea5200, cchBuffer=0x100 | out: lpszShortPath="C:\\Windows\\TEMP\\zBA72.tmp") returned 0x19 [0050.760] CryptAcquireContextW (in: phProv=0x18f638, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x18f638*=0x6d2158) returned 1 [0050.761] CryptGenRandom (in: hProv=0x6d2158, dwLen=0x4, pbBuffer=0x18f64c | out: pbBuffer=0x18f64c) returned 1 [0050.761] CryptReleaseContext (hProv=0x6d2158, dwFlags=0x0) returned 1 [0050.761] CryptAcquireContextW (in: phProv=0x18f634, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x18f634*=0x6d2158) returned 1 [0050.761] CryptGenRandom (in: hProv=0x6d2158, dwLen=0x4, pbBuffer=0x18f648 | out: pbBuffer=0x18f648) returned 1 [0050.761] CryptReleaseContext (hProv=0x6d2158, dwFlags=0x0) returned 1 [0050.761] CryptAcquireContextW (in: phProv=0x18f634, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x18f634*=0x6d2158) returned 1 [0050.762] CryptGenRandom (in: hProv=0x6d2158, dwLen=0x4, pbBuffer=0x18f648 | out: pbBuffer=0x18f648) returned 1 [0050.762] CryptReleaseContext (hProv=0x6d2158, dwFlags=0x0) returned 1 [0050.762] CryptAcquireContextW (in: phProv=0x18f634, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x18f634*=0x6d2158) returned 1 [0050.763] CryptGenRandom (in: hProv=0x6d2158, dwLen=0x4, pbBuffer=0x18f648 | out: pbBuffer=0x18f648) returned 1 [0050.763] CryptReleaseContext (hProv=0x6d2158, dwFlags=0x0) returned 1 [0050.763] GetTempFileNameW (in: lpPathName="C:\\Windows\\TEMP", lpPrefixString="MP", uUnique=0x0, lpTempFileName=0x1ea4df8 | out: lpTempFileName="C:\\Windows\\TEMP\\MPBA73.tmp" (normalized: "c:\\windows\\temp\\mpba73.tmp")) returned 0xba73 [0050.763] GetShortPathNameW (in: lpszLongPath="C:\\Windows\\TEMP\\MPBA73.tmp", lpszShortPath=0x1ea5608, cchBuffer=0x100 | out: lpszShortPath="C:\\Windows\\TEMP\\MPBA73.tmp") returned 0x1a [0050.763] CreateFileW (lpFileName="C:\\Windows\\TEMP\\zBA72.tmp" (normalized: "c:\\windows\\temp\\zba72.tmp"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x18f738, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x154 [0050.763] CreateFileW (lpFileName="C:\\Windows\\TEMP\\MPBA73.tmp" (normalized: "c:\\windows\\temp\\mpba73.tmp"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x18f738, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0050.763] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\nslookup.exe", lpCommandLine="C:\\Windows\\system32\\nslookup.exe 255.255.255.255", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x18f6c0*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x154, hStdError=0x150), lpProcessInformation=0x18f728 | out: lpCommandLine="C:\\Windows\\system32\\nslookup.exe 255.255.255.255", lpProcessInformation=0x18f728*(hProcess=0x14c, hThread=0x158, dwProcessId=0xb30, dwThreadId=0xb34)) returned 1 [0050.771] NtClose (Handle=0x158) returned 0x0 [0050.771] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xea60) returned 0x0 [0051.507] NtClose (Handle=0x154) returned 0x0 [0051.507] NtClose (Handle=0x150) returned 0x0 [0051.508] CreateFileW (lpFileName="C:\\Windows\\TEMP\\zBA72.tmp" (normalized: "c:\\windows\\temp\\zba72.tmp"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0051.508] SetFileTime (hFile=0x150, lpCreationTime=0x0, lpLastAccessTime=0x18f684, lpLastWriteTime=0x18f684) returned 0 [0051.508] GetFileSize (in: hFile=0x150, lpFileSizeHigh=0x18f670 | out: lpFileSizeHigh=0x18f670*=0x0) returned 0x113 [0051.508] SetFilePointer (in: hFile=0x150, lDistanceToMove=0, lpDistanceToMoveHigh=0x18f67c*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x18f67c*=0) returned 0x0 [0051.508] ReadFile (in: hFile=0x150, lpBuffer=0x1ea36e8, nNumberOfBytesToRead=0x113, lpNumberOfBytesRead=0x18f6b0, lpOverlapped=0x0 | out: lpBuffer=0x1ea36e8*, lpNumberOfBytesRead=0x18f6b0*=0x113, lpOverlapped=0x0) returned 1 [0051.508] SetFileAttributesW (lpFileName="C:\\Windows\\TEMP\\zBA72.tmp", dwFileAttributes=0x80) returned 1 [0051.509] DeleteFileW (lpFileName="C:\\Windows\\TEMP\\zBA72.tmp" (normalized: "c:\\windows\\temp\\zba72.tmp")) returned 1 [0051.509] GetFileAttributesExW (in: lpFileName="C:\\Windows\\TEMP\\MPBA73.tmp" (normalized: "c:\\windows\\temp\\mpba73.tmp"), fInfoLevelId=0x0, lpFileInformation=0x18f680 | out: lpFileInformation=0x18f680*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32927db0, ftCreationTime.dwHighDateTime=0x1d4af0a, ftLastAccessTime.dwLowDateTime=0x32927db0, ftLastAccessTime.dwHighDateTime=0x1d4af0a, ftLastWriteTime.dwLowDateTime=0x3304bfb0, ftLastWriteTime.dwHighDateTime=0x1d4af0a, nFileSizeHigh=0x0, nFileSizeLow=0x67)) returned 1 [0051.509] SetFileAttributesW (lpFileName="C:\\Windows\\TEMP\\MPBA73.tmp", dwFileAttributes=0x80) returned 1 [0051.509] DeleteFileW (lpFileName="C:\\Windows\\TEMP\\MPBA73.tmp" (normalized: "c:\\windows\\temp\\mpba73.tmp")) returned 1 [0051.510] CryptAcquireContextW (in: phProv=0x18f608, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x18f608*=0x6d2158) returned 1 [0051.511] CryptGenRandom (in: hProv=0x6d2158, dwLen=0x4, pbBuffer=0x18f61c | out: pbBuffer=0x18f61c) returned 1 [0051.511] CryptReleaseContext (hProv=0x6d2158, dwFlags=0x0) returned 1 [0051.511] CryptAcquireContextW (in: phProv=0x18f604, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x18f604*=0x6d2158) returned 1 [0051.511] CryptGenRandom (in: hProv=0x6d2158, dwLen=0x4, pbBuffer=0x18f618 | out: pbBuffer=0x18f618) returned 1 [0051.511] CryptReleaseContext (hProv=0x6d2158, dwFlags=0x0) returned 1 [0051.511] CryptAcquireContextW (in: phProv=0x18f604, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x18f604*=0x6d2158) returned 1 [0051.512] CryptGenRandom (in: hProv=0x6d2158, dwLen=0x4, pbBuffer=0x18f618 | out: pbBuffer=0x18f618) returned 1 [0051.512] CryptReleaseContext (hProv=0x6d2158, dwFlags=0x0) returned 1 [0051.512] CryptAcquireContextW (in: phProv=0x18f604, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x18f604*=0x6d2158) returned 1 [0051.512] CryptGenRandom (in: hProv=0x6d2158, dwLen=0x4, pbBuffer=0x18f618 | out: pbBuffer=0x18f618) returned 1 [0051.512] CryptReleaseContext (hProv=0x6d2158, dwFlags=0x0) returned 1 [0051.512] CryptAcquireContextW (in: phProv=0x18f604, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x18f604*=0x6d2158) returned 1 [0051.513] CryptGenRandom (in: hProv=0x6d2158, dwLen=0x4, pbBuffer=0x18f618 | out: pbBuffer=0x18f618) returned 1 [0051.513] CryptReleaseContext (hProv=0x6d2158, dwFlags=0x0) returned 1 [0051.513] CryptAcquireContextW (in: phProv=0x18f604, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x18f604*=0x6d2158) returned 1 [0051.513] CryptGenRandom (in: hProv=0x6d2158, dwLen=0x4, pbBuffer=0x18f618 | out: pbBuffer=0x18f618) returned 1 [0051.513] CryptReleaseContext (hProv=0x6d2158, dwFlags=0x0) returned 1 [0051.513] CryptAcquireContextW (in: phProv=0x18f604, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x18f604*=0x6d2158) returned 1 [0051.514] CryptGenRandom (in: hProv=0x6d2158, dwLen=0x4, pbBuffer=0x18f618 | out: pbBuffer=0x18f618) returned 1 [0051.514] CryptReleaseContext (hProv=0x6d2158, dwFlags=0x0) returned 1 [0051.514] GetTempFileNameW (in: lpPathName="C:\\Windows\\TEMP", lpPrefixString="3c", uUnique=0x0, lpTempFileName=0x1ea4df8 | out: lpTempFileName="C:\\Windows\\TEMP\\3cBD61.tmp" (normalized: "c:\\windows\\temp\\3cbd61.tmp")) returned 0xbd61 [0051.514] GetShortPathNameW (in: lpszLongPath="C:\\Windows\\TEMP\\3cBD61.tmp", lpszShortPath=0x1ea5200, cchBuffer=0x100 | out: lpszShortPath="C:\\Windows\\TEMP\\3cBD61.tmp") returned 0x1a [0051.514] CryptAcquireContextW (in: phProv=0x18f608, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x18f608*=0x6d2158) returned 1 [0051.515] CryptGenRandom (in: hProv=0x6d2158, dwLen=0x4, pbBuffer=0x18f61c | out: pbBuffer=0x18f61c) returned 1 [0051.515] CryptReleaseContext (hProv=0x6d2158, dwFlags=0x0) returned 1 [0051.515] CryptAcquireContextW (in: phProv=0x18f604, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x18f604*=0x6d2158) returned 1 [0051.516] CryptGenRandom (in: hProv=0x6d2158, dwLen=0x4, pbBuffer=0x18f618 | out: pbBuffer=0x18f618) returned 1 [0051.516] CryptReleaseContext (hProv=0x6d2158, dwFlags=0x0) returned 1 [0051.516] CryptAcquireContextW (in: phProv=0x18f604, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x18f604*=0x6d2158) returned 1 [0051.516] CryptGenRandom (in: hProv=0x6d2158, dwLen=0x4, pbBuffer=0x18f618 | out: pbBuffer=0x18f618) returned 1 [0051.516] CryptReleaseContext (hProv=0x6d2158, dwFlags=0x0) returned 1 [0051.516] CryptAcquireContextW (in: phProv=0x18f604, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x18f604*=0x6d2158) returned 1 [0051.517] CryptGenRandom (in: hProv=0x6d2158, dwLen=0x4, pbBuffer=0x18f618 | out: pbBuffer=0x18f618) returned 1 [0051.517] CryptReleaseContext (hProv=0x6d2158, dwFlags=0x0) returned 1 [0051.517] CryptAcquireContextW (in: phProv=0x18f604, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x18f604*=0x6d2158) returned 1 [0051.517] CryptGenRandom (in: hProv=0x6d2158, dwLen=0x4, pbBuffer=0x18f618 | out: pbBuffer=0x18f618) returned 1 [0051.517] CryptReleaseContext (hProv=0x6d2158, dwFlags=0x0) returned 1 [0051.517] CryptAcquireContextW (in: phProv=0x18f604, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x18f604*=0x6d2158) returned 1 [0051.518] CryptGenRandom (in: hProv=0x6d2158, dwLen=0x4, pbBuffer=0x18f618 | out: pbBuffer=0x18f618) returned 1 [0051.518] CryptReleaseContext (hProv=0x6d2158, dwFlags=0x0) returned 1 [0051.518] CryptAcquireContextW (in: phProv=0x18f604, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x18f604*=0x6d2158) returned 1 [0051.518] CryptGenRandom (in: hProv=0x6d2158, dwLen=0x4, pbBuffer=0x18f618 | out: pbBuffer=0x18f618) returned 1 [0051.518] CryptReleaseContext (hProv=0x6d2158, dwFlags=0x0) returned 1 [0051.518] CryptAcquireContextW (in: phProv=0x18f604, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x18f604*=0x6d2158) returned 1 [0051.519] CryptGenRandom (in: hProv=0x6d2158, dwLen=0x4, pbBuffer=0x18f618 | out: pbBuffer=0x18f618) returned 1 [0051.519] CryptReleaseContext (hProv=0x6d2158, dwFlags=0x0) returned 1 [0051.519] CryptAcquireContextW (in: phProv=0x18f604, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x18f604*=0x6d2158) returned 1 [0051.520] CryptGenRandom (in: hProv=0x6d2158, dwLen=0x4, pbBuffer=0x18f618 | out: pbBuffer=0x18f618) returned 1 [0051.520] CryptReleaseContext (hProv=0x6d2158, dwFlags=0x0) returned 1 [0051.520] GetTempFileNameW (in: lpPathName="C:\\Windows\\TEMP", lpPrefixString="2Rz", uUnique=0x0, lpTempFileName=0x1ea4df8 | out: lpTempFileName="C:\\Windows\\TEMP\\2RzBD72.tmp" (normalized: "c:\\windows\\temp\\2rzbd72.tmp")) returned 0xbd72 [0051.520] GetShortPathNameW (in: lpszLongPath="C:\\Windows\\TEMP\\2RzBD72.tmp", lpszShortPath=0x1ea5608, cchBuffer=0x100 | out: lpszShortPath="C:\\Windows\\TEMP\\2RzBD72.tmp") returned 0x1b [0051.520] CreateFileW (lpFileName="C:\\Windows\\TEMP\\3cBD61.tmp" (normalized: "c:\\windows\\temp\\3cbd61.tmp"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x18f708, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0051.520] CreateFileW (lpFileName="C:\\Windows\\TEMP\\2RzBD72.tmp" (normalized: "c:\\windows\\temp\\2rzbd72.tmp"), dwDesiredAccess=0x4, dwShareMode=0x3, lpSecurityAttributes=0x18f708, dwCreationDisposition=0x4, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0051.520] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="C:\\Windows\\system32\\net.exe view igmp.mcast.net", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x18f690*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x14c, hStdError=0x150), lpProcessInformation=0x18f6f8 | out: lpCommandLine="C:\\Windows\\system32\\net.exe view igmp.mcast.net", lpProcessInformation=0x18f6f8*(hProcess=0x158, hThread=0x154, dwProcessId=0xb4c, dwThreadId=0xb50)) returned 1 [0051.585] NtClose (Handle=0x154) returned 0x0 [0051.585] WaitForSingleObject (hHandle=0x158, dwMilliseconds=0xea60) returned 0x0 [0083.081] NtClose (Handle=0x14c) returned 0x0 [0083.081] NtClose (Handle=0x150) returned 0x0 [0083.081] CreateFileW (lpFileName="C:\\Windows\\TEMP\\3cBD61.tmp" (normalized: "c:\\windows\\temp\\3cbd61.tmp"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0083.082] SetFileTime (hFile=0x150, lpCreationTime=0x0, lpLastAccessTime=0x18f654, lpLastWriteTime=0x18f654) returned 0 [0083.082] GetFileSize (in: hFile=0x150, lpFileSizeHigh=0x18f640 | out: lpFileSizeHigh=0x18f640*=0x0) returned 0x0 [0083.082] SetFilePointer (in: hFile=0x150, lDistanceToMove=0, lpDistanceToMoveHigh=0x18f64c*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x18f64c*=0) returned 0x0 [0083.082] ReadFile (in: hFile=0x150, lpBuffer=0x1ea3410, nNumberOfBytesToRead=0x0, lpNumberOfBytesRead=0x18f680, lpOverlapped=0x0 | out: lpBuffer=0x1ea3410*, lpNumberOfBytesRead=0x18f680*=0x0, lpOverlapped=0x0) returned 1 [0083.082] SetFileAttributesW (lpFileName="C:\\Windows\\TEMP\\3cBD61.tmp", dwFileAttributes=0x80) returned 1 [0083.082] DeleteFileW (lpFileName="C:\\Windows\\TEMP\\3cBD61.tmp" (normalized: "c:\\windows\\temp\\3cbd61.tmp")) returned 1 [0083.082] GetFileAttributesExW (in: lpFileName="C:\\Windows\\TEMP\\2RzBD72.tmp" (normalized: "c:\\windows\\temp\\2rzbd72.tmp"), fInfoLevelId=0x0, lpFileInformation=0x18f650 | out: lpFileInformation=0x18f650*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x33072110, ftCreationTime.dwHighDateTime=0x1d4af0a, ftLastAccessTime.dwLowDateTime=0x33072110, ftLastAccessTime.dwHighDateTime=0x1d4af0a, ftLastWriteTime.dwLowDateTime=0x45a4a1d0, ftLastWriteTime.dwHighDateTime=0x1d4af0a, nFileSizeHigh=0x0, nFileSizeLow=0x44)) returned 1 [0083.082] SetFileAttributesW (lpFileName="C:\\Windows\\TEMP\\2RzBD72.tmp", dwFileAttributes=0x80) returned 1 [0083.082] DeleteFileW (lpFileName="C:\\Windows\\TEMP\\2RzBD72.tmp" (normalized: "c:\\windows\\temp\\2rzbd72.tmp")) returned 1 [0083.083] DeleteFileW (lpFileName="C:\\Users\\5P5NRG~1\\AppData\\Roaming\\8DAT2H~1" (normalized: "c:\\users\\5p5nrg~1\\appdata\\roaming\\8dat2h~1")) returned 1 [0083.084] Wow64RevertWow64FsRedirection (OlValue=0x0) returned 1 [0083.084] ExitProcess (uExitCode=0x0) Thread: id = 303 os_tid = 0x9fc Thread: id = 317 os_tid = 0xaa0 Thread: id = 383 os_tid = 0x5b8 Thread: id = 384 os_tid = 0x5ec Process: id = "20" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x4e091000" os_pid = "0x9d4" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "5" os_parent_pid = "0x1d4" cmd_line = "C:\\Windows\\System32\\svchost.exe -k swprv" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\swprv" [0xe], "NT AUTHORITY\\Logon Session 00000000:00048478" [0xc000000f], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Region: id = 2031 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 2032 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 2033 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 2034 start_va = 0x1b0000 end_va = 0x22ffff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 2035 start_va = 0x77860000 end_va = 0x77a08fff entry_point = 0x77860000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2036 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 2037 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2038 start_va = 0xfff20000 end_va = 0xfff2afff entry_point = 0xfff20000 region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 2039 start_va = 0x7feffb80000 end_va = 0x7feffb80fff entry_point = 0x7feffb80000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 2040 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 2041 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 2042 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 2043 start_va = 0x2e0000 end_va = 0x3dffff entry_point = 0x0 region_type = private name = "private_0x00000000002e0000" filename = "" Region: id = 2044 start_va = 0x77740000 end_va = 0x7785efff entry_point = 0x77740000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 2045 start_va = 0x7fefd900000 end_va = 0x7fefd96afff entry_point = 0x7fefd900000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 2046 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 2047 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2048 start_va = 0x1a0000 end_va = 0x1affff entry_point = 0x0 region_type = private name = "private_0x00000000001a0000" filename = "" Region: id = 2049 start_va = 0x3e0000 end_va = 0x4dffff entry_point = 0x0 region_type = private name = "private_0x00000000003e0000" filename = "" Region: id = 2050 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 2051 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 2052 start_va = 0x7feff1d0000 end_va = 0x7feff2fcfff entry_point = 0x7feff1d0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 2053 start_va = 0x7feff850000 end_va = 0x7feff86efff entry_point = 0x7feff850000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 2054 start_va = 0x7feffa80000 end_va = 0x7feffb1efff entry_point = 0x7feffa80000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 2055 start_va = 0x20000 end_va = 0x26fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 2056 start_va = 0xc0000 end_va = 0x17ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 2057 start_va = 0x180000 end_va = 0x181fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000180000" filename = "" Region: id = 2058 start_va = 0x190000 end_va = 0x190fff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 2059 start_va = 0x230000 end_va = 0x230fff entry_point = 0x0 region_type = private name = "private_0x0000000000230000" filename = "" Region: id = 2060 start_va = 0x260000 end_va = 0x2dffff entry_point = 0x0 region_type = private name = "private_0x0000000000260000" filename = "" Region: id = 2061 start_va = 0x5b0000 end_va = 0x62ffff entry_point = 0x0 region_type = private name = "private_0x00000000005b0000" filename = "" Region: id = 2062 start_va = 0x700000 end_va = 0x77ffff entry_point = 0x0 region_type = private name = "private_0x0000000000700000" filename = "" Region: id = 2063 start_va = 0x780000 end_va = 0xa4efff entry_point = 0x780000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 2064 start_va = 0xa50000 end_va = 0xbd7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a50000" filename = "" Region: id = 2065 start_va = 0xbe0000 end_va = 0xd60fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000be0000" filename = "" Region: id = 2066 start_va = 0xd70000 end_va = 0x1162fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d70000" filename = "" Region: id = 2067 start_va = 0x77640000 end_va = 0x77739fff entry_point = 0x77640000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 2068 start_va = 0x7fef4490000 end_va = 0x7fef4511fff entry_point = 0x7fef4490000 region_type = mapped_file name = "swprv.dll" filename = "\\Windows\\System32\\swprv.dll" (normalized: "c:\\windows\\system32\\swprv.dll") Region: id = 2069 start_va = 0x7fef7e80000 end_va = 0x7fef7e96fff entry_point = 0x7fef7e80000 region_type = mapped_file name = "vsstrace.dll" filename = "\\Windows\\System32\\vsstrace.dll" (normalized: "c:\\windows\\system32\\vsstrace.dll") Region: id = 2070 start_va = 0x7fef9060000 end_va = 0x7fef9068fff entry_point = 0x7fef9060000 region_type = mapped_file name = "fltlib.dll" filename = "\\Windows\\System32\\fltLib.dll" (normalized: "c:\\windows\\system32\\fltlib.dll") Region: id = 2071 start_va = 0x7fef9070000 end_va = 0x7fef9079fff entry_point = 0x7fef9070000 region_type = mapped_file name = "virtdisk.dll" filename = "\\Windows\\System32\\virtdisk.dll" (normalized: "c:\\windows\\system32\\virtdisk.dll") Region: id = 2072 start_va = 0x7fefb260000 end_va = 0x7fefb278fff entry_point = 0x7fefb260000 region_type = mapped_file name = "atl.dll" filename = "\\Windows\\System32\\atl.dll" (normalized: "c:\\windows\\system32\\atl.dll") Region: id = 2073 start_va = 0x7fefdb80000 end_va = 0x7fefdc48fff entry_point = 0x7fefdb80000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 2074 start_va = 0x7fefdd30000 end_va = 0x7fefdd3dfff entry_point = 0x7fefdd30000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 2075 start_va = 0x7fefdd40000 end_va = 0x7fefdd6dfff entry_point = 0x7fefdd40000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2076 start_va = 0x7fefed10000 end_va = 0x7fefed76fff entry_point = 0x7fefed10000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 2077 start_va = 0x7fefed80000 end_va = 0x7fefee88fff entry_point = 0x7fefed80000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 2078 start_va = 0x7feff0f0000 end_va = 0x7feff1cafff entry_point = 0x7feff0f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 2079 start_va = 0x7fffffd7000 end_va = 0x7fffffd8fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd7000" filename = "" Region: id = 2080 start_va = 0x7fffffd9000 end_va = 0x7fffffdafff entry_point = 0x0 region_type = private name = "private_0x000007fffffd9000" filename = "" Region: id = 2081 start_va = 0x7fffffdb000 end_va = 0x7fffffdcfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdb000" filename = "" Region: id = 2111 start_va = 0x240000 end_va = 0x240fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000240000" filename = "" Region: id = 2112 start_va = 0x650000 end_va = 0x6cffff entry_point = 0x0 region_type = private name = "private_0x0000000000650000" filename = "" Region: id = 2113 start_va = 0x1170000 end_va = 0x11effff entry_point = 0x0 region_type = private name = "private_0x0000000001170000" filename = "" Region: id = 2114 start_va = 0x7fefcda0000 end_va = 0x7fefcde6fff entry_point = 0x7fefcda0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2115 start_va = 0x7fefd0a0000 end_va = 0x7fefd0b6fff entry_point = 0x7fefd0a0000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 2116 start_va = 0x7fefd6a0000 end_va = 0x7fefd6aefff entry_point = 0x7fefd6a0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 2117 start_va = 0x7fefd790000 end_va = 0x7fefd7a3fff entry_point = 0x7fefd790000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 2118 start_va = 0x7fefdc50000 end_va = 0x7fefdd26fff entry_point = 0x7fefdc50000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 2119 start_va = 0x7feff560000 end_va = 0x7feff5f8fff entry_point = 0x7feff560000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 2120 start_va = 0x7feff870000 end_va = 0x7feffa72fff entry_point = 0x7feff870000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 2121 start_va = 0x7fffffd3000 end_va = 0x7fffffd4fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd3000" filename = "" Region: id = 2122 start_va = 0x7fffffd5000 end_va = 0x7fffffd6fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd5000" filename = "" Region: id = 2123 start_va = 0x7fef7ea0000 end_va = 0x7fef804ffff entry_point = 0x7fef7ea0000 region_type = mapped_file name = "vssapi.dll" filename = "\\Windows\\System32\\vssapi.dll" (normalized: "c:\\windows\\system32\\vssapi.dll") Region: id = 2124 start_va = 0x7fef9000000 end_va = 0x7fef9013fff entry_point = 0x7fef9000000 region_type = mapped_file name = "vss_ps.dll" filename = "\\Windows\\System32\\vss_ps.dll" (normalized: "c:\\windows\\system32\\vss_ps.dll") Thread: id = 294 os_tid = 0x9d8 Thread: id = 296 os_tid = 0x9e0 Thread: id = 297 os_tid = 0x9e4 Thread: id = 298 os_tid = 0x9e8 Thread: id = 299 os_tid = 0x9ec Thread: id = 301 os_tid = 0x9f4 Thread: id = 437 os_tid = 0x894 Process: id = "21" image_name = "arp.exe" filename = "c:\\windows\\system32\\arp.exe" page_root = "0x444ce000" os_pid = "0xaa8" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "19" os_parent_pid = "0x9cc" cmd_line = "C:\\Windows\\system32\\arp.exe -a" cur_dir = "C:\\Windows\\system32\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e814" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2480 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 2481 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 2482 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 2483 start_va = 0x1d0000 end_va = 0x24ffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 2484 start_va = 0x77860000 end_va = 0x77a08fff entry_point = 0x77860000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2485 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 2486 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2487 start_va = 0x7fff0000 end_va = 0x7fff0fff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 2488 start_va = 0xff310000 end_va = 0xff319fff entry_point = 0xff310000 region_type = mapped_file name = "arp.exe" filename = "\\Windows\\System32\\ARP.EXE" (normalized: "c:\\windows\\system32\\arp.exe") Region: id = 2489 start_va = 0x7feffb80000 end_va = 0x7feffb80fff entry_point = 0x7feffb80000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 2490 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 2491 start_va = 0x7fffffd9000 end_va = 0x7fffffd9fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd9000" filename = "" Region: id = 2492 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 2493 start_va = 0x410000 end_va = 0x50ffff entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 2494 start_va = 0x77740000 end_va = 0x7785efff entry_point = 0x77740000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 2495 start_va = 0x7fefd900000 end_va = 0x7fefd96afff entry_point = 0x7fefd900000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 2496 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 2497 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 2498 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2499 start_va = 0x170000 end_va = 0x17ffff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 2500 start_va = 0x250000 end_va = 0x34ffff entry_point = 0x0 region_type = private name = "private_0x0000000000250000" filename = "" Region: id = 2501 start_va = 0x77640000 end_va = 0x77739fff entry_point = 0x77640000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 2502 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 2503 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 2504 start_va = 0x7fef9020000 end_va = 0x7fef902afff entry_point = 0x7fef9020000 region_type = mapped_file name = "snmpapi.dll" filename = "\\Windows\\System32\\snmpapi.dll" (normalized: "c:\\windows\\system32\\snmpapi.dll") Region: id = 2505 start_va = 0x7fefb130000 end_va = 0x7fefb13afff entry_point = 0x7fefb130000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 2506 start_va = 0x7fefb140000 end_va = 0x7fefb166fff entry_point = 0x7fefb140000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 2507 start_va = 0x7fefdb80000 end_va = 0x7fefdc48fff entry_point = 0x7fefdb80000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 2508 start_va = 0x7fefdd30000 end_va = 0x7fefdd3dfff entry_point = 0x7fefdd30000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 2509 start_va = 0x7fefdef0000 end_va = 0x7fefdef7fff entry_point = 0x7fefdef0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 2510 start_va = 0x7fefed10000 end_va = 0x7fefed76fff entry_point = 0x7fefed10000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 2511 start_va = 0x7feff0f0000 end_va = 0x7feff1cafff entry_point = 0x7feff0f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 2512 start_va = 0x7feff1d0000 end_va = 0x7feff2fcfff entry_point = 0x7feff1d0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 2513 start_va = 0x7feff850000 end_va = 0x7feff86efff entry_point = 0x7feff850000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 2514 start_va = 0x7feffa80000 end_va = 0x7feffb1efff entry_point = 0x7feffa80000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 2515 start_va = 0x7feffb20000 end_va = 0x7feffb6cfff entry_point = 0x7feffb20000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 2516 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 2517 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 2518 start_va = 0xe0000 end_va = 0xe1fff entry_point = 0xe0000 region_type = mapped_file name = "arp.exe.mui" filename = "\\Windows\\System32\\en-US\\arp.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\arp.exe.mui") Region: id = 2519 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 2520 start_va = 0x100000 end_va = 0x100fff entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 2521 start_va = 0x510000 end_va = 0x697fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 2522 start_va = 0x6a0000 end_va = 0x820fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006a0000" filename = "" Region: id = 2523 start_va = 0x830000 end_va = 0x1c2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 2524 start_va = 0x1c30000 end_va = 0x1efefff entry_point = 0x1c30000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 2525 start_va = 0x7fef4bf0000 end_va = 0x7fef4c03fff entry_point = 0x7fef4bf0000 region_type = mapped_file name = "inetmib1.dll" filename = "\\Windows\\System32\\inetmib1.dll" (normalized: "c:\\windows\\system32\\inetmib1.dll") Region: id = 2526 start_va = 0x7fefdd40000 end_va = 0x7fefdd6dfff entry_point = 0x7fefdd40000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2527 start_va = 0x7fefed80000 end_va = 0x7fefee88fff entry_point = 0x7fefed80000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 2528 start_va = 0x3c0000 end_va = 0x3cffff entry_point = 0x0 region_type = private name = "private_0x00000000003c0000" filename = "" Region: id = 2529 start_va = 0x7fefaf10000 end_va = 0x7fefaf20fff entry_point = 0x7fefaf10000 region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll") Region: id = 2530 start_va = 0x2080000 end_va = 0x20fffff entry_point = 0x0 region_type = private name = "private_0x0000000002080000" filename = "" Region: id = 2531 start_va = 0x7fefaef0000 end_va = 0x7fefaf07fff entry_point = 0x7fefaef0000 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll") Region: id = 2532 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Thread: id = 319 os_tid = 0xaac Thread: id = 321 os_tid = 0xac0 Process: id = "22" image_name = "nslookup.exe" filename = "c:\\windows\\system32\\nslookup.exe" page_root = "0x43bd4000" os_pid = "0xac8" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "19" os_parent_pid = "0x9cc" cmd_line = "C:\\Windows\\system32\\nslookup.exe 192.168.0.1" cur_dir = "C:\\Windows\\system32\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e814" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2533 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 2534 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 2535 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 2536 start_va = 0xf0000 end_va = 0x16ffff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 2537 start_va = 0x77860000 end_va = 0x77a08fff entry_point = 0x77860000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2538 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 2539 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2540 start_va = 0x7fff9000 end_va = 0x7fff9fff entry_point = 0x0 region_type = private name = "private_0x000000007fff9000" filename = "" Region: id = 2541 start_va = 0xff230000 end_va = 0xff256fff entry_point = 0xff230000 region_type = mapped_file name = "nslookup.exe" filename = "\\Windows\\System32\\nslookup.exe" (normalized: "c:\\windows\\system32\\nslookup.exe") Region: id = 2542 start_va = 0x7feffb80000 end_va = 0x7feffb80fff entry_point = 0x7feffb80000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 2543 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 2544 start_va = 0x7fffffd9000 end_va = 0x7fffffd9fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd9000" filename = "" Region: id = 2545 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 2546 start_va = 0x1d0000 end_va = 0x2cffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 2547 start_va = 0x77740000 end_va = 0x7785efff entry_point = 0x77740000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 2548 start_va = 0x7fefd900000 end_va = 0x7fefd96afff entry_point = 0x7fefd900000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 2549 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 2550 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 2551 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2552 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 2553 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 2554 start_va = 0x7feff0f0000 end_va = 0x7feff1cafff entry_point = 0x7feff0f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 2555 start_va = 0x7feff1d0000 end_va = 0x7feff2fcfff entry_point = 0x7feff1d0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 2556 start_va = 0x7feff850000 end_va = 0x7feff86efff entry_point = 0x7feff850000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 2557 start_va = 0x7feffa80000 end_va = 0x7feffb1efff entry_point = 0x7feffa80000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 2558 start_va = 0x7fef9020000 end_va = 0x7fef9028fff entry_point = 0x7fef9020000 region_type = mapped_file name = "wsock32.dll" filename = "\\Windows\\System32\\wsock32.dll" (normalized: "c:\\windows\\system32\\wsock32.dll") Region: id = 2559 start_va = 0x7fefdef0000 end_va = 0x7fefdef7fff entry_point = 0x7fefdef0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 2560 start_va = 0x7feffb20000 end_va = 0x7feffb6cfff entry_point = 0x7feffb20000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 2561 start_va = 0x77640000 end_va = 0x77739fff entry_point = 0x77640000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 2562 start_va = 0x7fefd040000 end_va = 0x7fefd094fff entry_point = 0x7fefd040000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 2563 start_va = 0x7fefdb80000 end_va = 0x7fefdc48fff entry_point = 0x7fefdb80000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 2564 start_va = 0x7fefdd30000 end_va = 0x7fefdd3dfff entry_point = 0x7fefdd30000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 2565 start_va = 0x7fefed10000 end_va = 0x7fefed76fff entry_point = 0x7fefed10000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 2566 start_va = 0x7fefcec0000 end_va = 0x7fefcf1afff entry_point = 0x7fefcec0000 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 2567 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 2568 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 2569 start_va = 0xe0000 end_va = 0xe4fff entry_point = 0xe0000 region_type = mapped_file name = "nslookup.exe.mui" filename = "\\Windows\\System32\\en-US\\nslookup.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\nslookup.exe.mui") Region: id = 2570 start_va = 0x170000 end_va = 0x170fff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 2571 start_va = 0x180000 end_va = 0x180fff entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 2572 start_va = 0x2d0000 end_va = 0x3cffff entry_point = 0x0 region_type = private name = "private_0x00000000002d0000" filename = "" Region: id = 2573 start_va = 0x450000 end_va = 0x45ffff entry_point = 0x0 region_type = private name = "private_0x0000000000450000" filename = "" Region: id = 2574 start_va = 0x460000 end_va = 0x5e7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000460000" filename = "" Region: id = 2575 start_va = 0x5f0000 end_va = 0x770fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005f0000" filename = "" Region: id = 2576 start_va = 0x780000 end_va = 0x1b7ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000780000" filename = "" Region: id = 2577 start_va = 0x1cd0000 end_va = 0x1d4ffff entry_point = 0x0 region_type = private name = "private_0x0000000001cd0000" filename = "" Region: id = 2578 start_va = 0x7fefdd40000 end_va = 0x7fefdd6dfff entry_point = 0x7fefdd40000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2579 start_va = 0x7fefed80000 end_va = 0x7fefee88fff entry_point = 0x7fefed80000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 2580 start_va = 0x1d50000 end_va = 0x201efff entry_point = 0x1d50000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 2581 start_va = 0x7fefca40000 end_va = 0x7fefca46fff entry_point = 0x7fefca40000 region_type = mapped_file name = "wshtcpip.dll" filename = "\\Windows\\System32\\WSHTCPIP.DLL" (normalized: "c:\\windows\\system32\\wshtcpip.dll") Region: id = 2582 start_va = 0x7fefb300000 end_va = 0x7fefb314fff entry_point = 0x7fefb300000 region_type = mapped_file name = "nlaapi.dll" filename = "\\Windows\\System32\\nlaapi.dll" (normalized: "c:\\windows\\system32\\nlaapi.dll") Region: id = 2583 start_va = 0x1b80000 end_va = 0x1c7ffff entry_point = 0x0 region_type = private name = "private_0x0000000001b80000" filename = "" Region: id = 2584 start_va = 0x1b80000 end_va = 0x1c3ffff entry_point = 0x0 region_type = private name = "private_0x0000000001b80000" filename = "" Region: id = 2585 start_va = 0x1c70000 end_va = 0x1c7ffff entry_point = 0x0 region_type = private name = "private_0x0000000001c70000" filename = "" Region: id = 2586 start_va = 0x7fefb9b0000 end_va = 0x7fefb9c4fff entry_point = 0x7fefb9b0000 region_type = mapped_file name = "napinsp.dll" filename = "\\Windows\\System32\\NapiNSP.dll" (normalized: "c:\\windows\\system32\\napinsp.dll") Region: id = 2587 start_va = 0x20d0000 end_va = 0x214ffff entry_point = 0x0 region_type = private name = "private_0x00000000020d0000" filename = "" Region: id = 2588 start_va = 0x7fefb990000 end_va = 0x7fefb9a8fff entry_point = 0x7fefb990000 region_type = mapped_file name = "pnrpnsp.dll" filename = "\\Windows\\System32\\pnrpnsp.dll" (normalized: "c:\\windows\\system32\\pnrpnsp.dll") Region: id = 2589 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 2590 start_va = 0x7fefba30000 end_va = 0x7fefba3afff entry_point = 0x7fefba30000 region_type = mapped_file name = "winrnr.dll" filename = "\\Windows\\System32\\winrnr.dll" (normalized: "c:\\windows\\system32\\winrnr.dll") Region: id = 2591 start_va = 0x7fefb140000 end_va = 0x7fefb166fff entry_point = 0x7fefb140000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 2592 start_va = 0x7fefb130000 end_va = 0x7fefb13afff entry_point = 0x7fefb130000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 2593 start_va = 0x7fefaf10000 end_va = 0x7fefaf20fff entry_point = 0x7fefaf10000 region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll") Region: id = 2594 start_va = 0x7fefaef0000 end_va = 0x7fefaf07fff entry_point = 0x7fefaef0000 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll") Thread: id = 323 os_tid = 0xacc [0048.654] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x16f910 | out: lpSystemTimeAsFileTime=0x16f910*(dwLowDateTime=0x31512410, dwHighDateTime=0x1d4af0a)) [0048.654] GetCurrentProcessId () returned 0xac8 [0048.654] GetCurrentThreadId () returned 0xacc [0048.654] GetTickCount () returned 0x1b22e [0048.654] QueryPerformanceCounter (in: lpPerformanceCount=0x16f918 | out: lpPerformanceCount=0x16f918*=1816555500000) returned 1 [0048.656] GetModuleHandleW (lpModuleName=0x0) returned 0xff230000 [0048.656] __set_app_type (_Type=0x1) [0048.656] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff2409f8) returned 0x0 [0048.656] __getmainargs (in: _Argc=0xff24aa00, _Argv=0xff24aa10, _Env=0xff24aa08, _DoWildCard=0, _StartInfo=0xff24aa1c | out: _Argc=0xff24aa00, _Argv=0xff24aa10, _Env=0xff24aa08) returned 0 [0048.656] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0048.656] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0048.657] WSAStartup (in: wVersionRequired=0x202, lpWSAData=0xff252e80 | out: lpWSAData=0xff252e80) returned 0 [0048.667] socket (af=2, type=2, protocol=0) returned 0x6c [0048.668] closesocket (s=0x6c) returned 0 [0048.669] RtlIpv4StringToAddressA () returned 0x0 [0048.669] RtlInitAnsiString (in: DestinationString=0x16f770, SourceString="\\Registry\\Machine\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters" | out: DestinationString="\\Registry\\Machine\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters") [0048.669] RtlAnsiStringToUnicodeString (in: DestinationString=0x16f760, SourceString="\\Registry\\Machine\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", AllocateDestinationString=1 | out: DestinationString="\\Registry\\Machine\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters") returned 0x0 [0048.669] NtOpenKey (in: KeyHandle=0x16f838, DesiredAccess=0x20019, ObjectAttributes=0x16f780*(Length=0x30, RootDirectory=0x0, ObjectName="\\Registry\\Machine\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0) | out: KeyHandle=0x16f838*=0x6c) returned 0x0 [0048.669] RtlFreeAnsiString (AnsiString="\\") [0048.669] RtlAnsiStringToUnicodeString (in: DestinationString=0x16f748, SourceString="DNSLookupOrder", AllocateDestinationString=0 | out: DestinationString="DNSLookupOrder") returned 0x0 [0048.669] NtQueryValueKey (in: KeyHandle=0x6c, ValueName="DNSLookupOrder", KeyValueInformationClass=0x1, KeyValueInformation=0x1f3980, Length=0x400, ResultLength=0x16f740 | out: KeyValueInformation=0x1f3980, ResultLength=0x16f740) returned 0xc0000034 [0048.669] RtlAnsiStringToUnicodeString (in: DestinationString=0x16f748, SourceString="Domain", AllocateDestinationString=0 | out: DestinationString="Domain") returned 0x0 [0048.669] NtQueryValueKey (in: KeyHandle=0x6c, ValueName="Domain", KeyValueInformationClass=0x1, KeyValueInformation=0x1f3980, Length=0x400, ResultLength=0x16f740 | out: KeyValueInformation=0x1f3980*(TitleIndex=0x0, Type=0x1, DataOffset=0x20, DataLength=0x2, NameLength=0xc, Name="Domain", Data=""), ResultLength=0x16f740) returned 0x0 [0048.669] RtlUnicodeStringToAnsiString (in: DestinationString=0x16f758, SourceString="", AllocateDestinationString=0 | out: DestinationString="") returned 0x0 [0048.669] RtlAnsiStringToUnicodeString (in: DestinationString=0x16f748, SourceString="DhcpDomain", AllocateDestinationString=0 | out: DestinationString="DhcpDomain") returned 0x0 [0048.669] NtQueryValueKey (in: KeyHandle=0x6c, ValueName="DhcpDomain", KeyValueInformationClass=0x1, KeyValueInformation=0x1f3980, Length=0x400, ResultLength=0x16f740 | out: KeyValueInformation=0x1f3980, ResultLength=0x16f740) returned 0xc0000034 [0048.669] RtlInitAnsiString (in: DestinationString=0x16f770, SourceString="\\Registry\\Machine\\Software\\Policies\\Microsoft\\Windows NT\\DNSClient" | out: DestinationString="\\Registry\\Machine\\Software\\Policies\\Microsoft\\Windows NT\\DNSClient") [0048.670] RtlAnsiStringToUnicodeString (in: DestinationString=0x16f760, SourceString="\\Registry\\Machine\\Software\\Policies\\Microsoft\\Windows NT\\DNSClient", AllocateDestinationString=1 | out: DestinationString="\\Registry\\Machine\\Software\\Policies\\Microsoft\\Windows NT\\DNSClient") returned 0x0 [0048.670] NtOpenKey (in: KeyHandle=0x16f840, DesiredAccess=0x20019, ObjectAttributes=0x16f780*(Length=0x30, RootDirectory=0x0, ObjectName="\\Registry\\Machine\\Software\\Policies\\Microsoft\\Windows NT\\DNSClient", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0) | out: KeyHandle=0x16f840*=0x0) returned 0xc0000034 [0048.670] RtlFreeAnsiString (AnsiString="\\") [0048.670] RtlAnsiStringToUnicodeString (in: DestinationString=0x16f748, SourceString="SearchList", AllocateDestinationString=0 | out: DestinationString="SearchList") returned 0x0 [0048.670] NtQueryValueKey (in: KeyHandle=0x6c, ValueName="SearchList", KeyValueInformationClass=0x1, KeyValueInformation=0x1f3980, Length=0x400, ResultLength=0x16f740 | out: KeyValueInformation=0x1f3980*(TitleIndex=0x0, Type=0x1, DataOffset=0x28, DataLength=0x2, NameLength=0x14, Name="SearchList", Data=""), ResultLength=0x16f740) returned 0x0 [0048.670] RtlUnicodeStringToAnsiString (in: DestinationString=0x16f758, SourceString="", AllocateDestinationString=0 | out: DestinationString="") returned 0x0 [0048.670] RtlAnsiStringToUnicodeString (in: DestinationString=0x16f748, SourceString="DhcpSearchList", AllocateDestinationString=0 | out: DestinationString="DhcpSearchList") returned 0x0 [0048.670] NtQueryValueKey (in: KeyHandle=0x6c, ValueName="DhcpSearchList", KeyValueInformationClass=0x1, KeyValueInformation=0x1f3980, Length=0x400, ResultLength=0x16f740 | out: KeyValueInformation=0x1f3980, ResultLength=0x16f740) returned 0xc0000034 [0048.670] gethostname (in: name=0x455ed0, namelen=12800 | out: name="XDuwTfOno") returned 0 [0048.683] getenv (_VarName="HOME") returned 0x0 [0048.683] DnsQueryConfigAllocEx () returned 0x1cd1620 [0048.713] _vsnprintf (in: _DstBuf=0x16f6f0, _MaxCount=0x1e, _Format="%u.%u.%u.%u.in-addr.arpa.", _ArgList=0x15f668 | out: _DstBuf="1.0.168.192.in-addr.arpa.") returned 25 [0048.713] htons (hostshort=0x1) returned 0x100 [0048.713] htons (hostshort=0x1) returned 0x100 [0048.714] socket (af=2, type=2, protocol=0) returned 0x110 [0048.714] connect (s=0x110, name=0x1cd1640*(sa_family=2, sin_port=0x35, sin_addr="192.168.0.1"), namelen=16) returned 0 [0048.714] send (in: s=0x110, buf=0x15f6f0*, len=42, flags=0 | out: buf=0x15f6f0*) returned 42 [0048.715] select (in: nfds=272, readfds=0x14f160, writefds=0x0, exceptfds=0x0, timeout=0x14f138 | out: readfds=0x14f160, writefds=0x0, exceptfds=0x0) returned 1 [0048.715] recv (in: s=0x110, buf=0x14f650, len=65536, flags=0 | out: buf=0x14f650*) returned 101 [0048.715] closesocket (s=0x110) returned 0 [0048.722] RtlIpv4AddressToStringExA () returned 0xc000000d [0048.723] DnsFreeConfigStructure () returned 0x3819cd01 [0048.723] strcpy_s (in: _Dst=0x2ddf80, _DstSize=0xc, _Src="UnKnown" | out: _Dst="UnKnown") returned 0x0 [0048.723] LocalAlloc (uFlags=0x40, uBytes=0x60) returned 0x1faba0 [0048.723] strcpy_s (in: _Dst=0xff253020, _DstSize=0x100, _Src="UnKnown" | out: _Dst="UnKnown") returned 0x0 [0048.723] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x35, dwLanguageId=0x0, lpBuffer=0x16f5a8, nSize=0x0, Arguments=0x16f5a0 | out: lpBuffer="`\x9c ") returned 0x7 [0048.724] fprintf (in: _File=0x7feffb12ab0, _Format="%-7s %s" | out: _File=0x7feffb12ab0) returned 16 [0048.724] fprintf (in: _File=0x7feffb12ab0, _Format="\nAddress:" | out: _File=0x7feffb12ab0) returned 9 [0048.724] inet_ntoa (in=0x100a8c0) returned="192.168.0.1" [0048.724] fprintf (in: _File=0x7feffb12ab0, _Format="%c %s" | out: _File=0x7feffb12ab0) returned 13 [0048.724] fprintf (in: _File=0x7feffb12ab0, _Format="\n\n" | out: _File=0x7feffb12ab0) returned 2 [0048.724] RtlIpv4StringToAddressA () returned 0x0 [0048.724] _vsnprintf (in: _DstBuf=0x16f410, _MaxCount=0x1e, _Format="%u.%u.%u.%u.in-addr.arpa.", _ArgList=0x15f388 | out: _DstBuf="1.0.168.192.in-addr.arpa.") returned 25 [0048.724] htons (hostshort=0x2) returned 0x200 [0048.724] htons (hostshort=0x1) returned 0x100 [0048.724] socket (af=2, type=2, protocol=0) returned 0x110 [0048.724] connect (s=0x110, name=0x1fabc0*(sa_family=2, sin_port=0x35, sin_addr="192.168.0.1"), namelen=16) returned 0 [0048.724] send (in: s=0x110, buf=0x15f410*, len=42, flags=0 | out: buf=0x15f410*) returned 42 [0048.725] select (in: nfds=272, readfds=0x14ee80, writefds=0x0, exceptfds=0x0, timeout=0x14ee58 | out: readfds=0x14ee80, writefds=0x0, exceptfds=0x0) returned 1 [0048.725] recv (in: s=0x110, buf=0x14f370, len=65536, flags=0 | out: buf=0x14f370*) returned 42 [0048.725] closesocket (s=0x110) returned 0 [0048.725] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x34, dwLanguageId=0x400, lpBuffer=0x16f520, nSize=0x0, Arguments=0x16f528 | out: lpBuffer="\xf0\x8f\x1e") returned 0x39 [0048.725] CharToOemBuffA (in: lpszSrc="*** UnKnown can't find 192.168.0.1: Non-existent domain\r\n", lpszDst=0x1e8ff0, cchDstLength=0x39 | out: lpszDst="*** UnKnown can't find 192.168.0.1: Non-existent domain\r\n") returned 1 [0048.725] _write (in: _FileHandle=2, _Buf=0x1e8ff0*, _MaxCharCount=0x39 | out: _Buf=0x1e8ff0*) returned 57 [0048.726] LocalFree (hMem=0x1e8ff0) returned 0x0 [0048.726] LocalFree (hMem=0x1faba0) returned 0x0 [0048.726] exit (_Code=0) Thread: id = 325 os_tid = 0xadc Process: id = "23" image_name = "nslookup.exe" filename = "c:\\windows\\system32\\nslookup.exe" page_root = "0x43cd9000" os_pid = "0xae0" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "19" os_parent_pid = "0x9cc" cmd_line = "C:\\Windows\\system32\\nslookup.exe 192.168.0.255" cur_dir = "C:\\Windows\\system32\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e814" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2595 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 2596 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 2597 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 2598 start_va = 0x210000 end_va = 0x28ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 2599 start_va = 0x77860000 end_va = 0x77a08fff entry_point = 0x77860000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2600 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 2601 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2602 start_va = 0x7ffff000 end_va = 0x7fffffff entry_point = 0x0 region_type = private name = "private_0x000000007ffff000" filename = "" Region: id = 2603 start_va = 0xff0b0000 end_va = 0xff0d6fff entry_point = 0xff0b0000 region_type = mapped_file name = "nslookup.exe" filename = "\\Windows\\System32\\nslookup.exe" (normalized: "c:\\windows\\system32\\nslookup.exe") Region: id = 2604 start_va = 0x7feffb80000 end_va = 0x7feffb80fff entry_point = 0x7feffb80000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 2605 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 2606 start_va = 0x7fffffdc000 end_va = 0x7fffffdcfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 2607 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 2608 start_va = 0x3d0000 end_va = 0x4cffff entry_point = 0x0 region_type = private name = "private_0x00000000003d0000" filename = "" Region: id = 2609 start_va = 0x77740000 end_va = 0x7785efff entry_point = 0x77740000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 2610 start_va = 0x7fefd900000 end_va = 0x7fefd96afff entry_point = 0x7fefd900000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 2611 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 2612 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 2613 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2614 start_va = 0xc0000 end_va = 0x1bffff entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 2615 start_va = 0x1c0000 end_va = 0x1c6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001c0000" filename = "" Region: id = 2616 start_va = 0x1d0000 end_va = 0x1d1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2617 start_va = 0x1e0000 end_va = 0x1e4fff entry_point = 0x1e0000 region_type = mapped_file name = "nslookup.exe.mui" filename = "\\Windows\\System32\\en-US\\nslookup.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\nslookup.exe.mui") Region: id = 2618 start_va = 0x1f0000 end_va = 0x1f0fff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 2619 start_va = 0x200000 end_va = 0x200fff entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 2620 start_va = 0x4d0000 end_va = 0x657fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 2621 start_va = 0x6c0000 end_va = 0x6cffff entry_point = 0x0 region_type = private name = "private_0x00000000006c0000" filename = "" Region: id = 2622 start_va = 0x6d0000 end_va = 0x850fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006d0000" filename = "" Region: id = 2623 start_va = 0x860000 end_va = 0x1c5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000860000" filename = "" Region: id = 2624 start_va = 0x1dc0000 end_va = 0x1e3ffff entry_point = 0x0 region_type = private name = "private_0x0000000001dc0000" filename = "" Region: id = 2625 start_va = 0x77640000 end_va = 0x77739fff entry_point = 0x77640000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 2626 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 2627 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 2628 start_va = 0x7fef4c00000 end_va = 0x7fef4c08fff entry_point = 0x7fef4c00000 region_type = mapped_file name = "wsock32.dll" filename = "\\Windows\\System32\\wsock32.dll" (normalized: "c:\\windows\\system32\\wsock32.dll") Region: id = 2629 start_va = 0x7fefcec0000 end_va = 0x7fefcf1afff entry_point = 0x7fefcec0000 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 2630 start_va = 0x7fefd040000 end_va = 0x7fefd094fff entry_point = 0x7fefd040000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 2631 start_va = 0x7fefdb80000 end_va = 0x7fefdc48fff entry_point = 0x7fefdb80000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 2632 start_va = 0x7fefdd30000 end_va = 0x7fefdd3dfff entry_point = 0x7fefdd30000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 2633 start_va = 0x7fefdd40000 end_va = 0x7fefdd6dfff entry_point = 0x7fefdd40000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2634 start_va = 0x7fefdef0000 end_va = 0x7fefdef7fff entry_point = 0x7fefdef0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 2635 start_va = 0x7fefed10000 end_va = 0x7fefed76fff entry_point = 0x7fefed10000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 2636 start_va = 0x7fefed80000 end_va = 0x7fefee88fff entry_point = 0x7fefed80000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 2637 start_va = 0x7feff0f0000 end_va = 0x7feff1cafff entry_point = 0x7feff0f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 2638 start_va = 0x7feff1d0000 end_va = 0x7feff2fcfff entry_point = 0x7feff1d0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 2639 start_va = 0x7feff850000 end_va = 0x7feff86efff entry_point = 0x7feff850000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 2640 start_va = 0x7feffa80000 end_va = 0x7feffb1efff entry_point = 0x7feffa80000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 2641 start_va = 0x7feffb20000 end_va = 0x7feffb6cfff entry_point = 0x7feffb20000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 2642 start_va = 0x1e40000 end_va = 0x210efff entry_point = 0x1e40000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 2643 start_va = 0x7fefca40000 end_va = 0x7fefca46fff entry_point = 0x7fefca40000 region_type = mapped_file name = "wshtcpip.dll" filename = "\\Windows\\System32\\WSHTCPIP.DLL" (normalized: "c:\\windows\\system32\\wshtcpip.dll") Region: id = 2644 start_va = 0x7fefb300000 end_va = 0x7fefb314fff entry_point = 0x7fefb300000 region_type = mapped_file name = "nlaapi.dll" filename = "\\Windows\\System32\\nlaapi.dll" (normalized: "c:\\windows\\system32\\nlaapi.dll") Region: id = 2645 start_va = 0x2110000 end_va = 0x230ffff entry_point = 0x0 region_type = private name = "private_0x0000000002110000" filename = "" Region: id = 2646 start_va = 0x290000 end_va = 0x2fffff entry_point = 0x0 region_type = private name = "private_0x0000000000290000" filename = "" Region: id = 2647 start_va = 0x7fefb9b0000 end_va = 0x7fefb9c4fff entry_point = 0x7fefb9b0000 region_type = mapped_file name = "napinsp.dll" filename = "\\Windows\\System32\\NapiNSP.dll" (normalized: "c:\\windows\\system32\\napinsp.dll") Region: id = 2648 start_va = 0x1ce0000 end_va = 0x1d5ffff entry_point = 0x0 region_type = private name = "private_0x0000000001ce0000" filename = "" Region: id = 2649 start_va = 0x7fefb990000 end_va = 0x7fefb9a8fff entry_point = 0x7fefb990000 region_type = mapped_file name = "pnrpnsp.dll" filename = "\\Windows\\System32\\pnrpnsp.dll" (normalized: "c:\\windows\\system32\\pnrpnsp.dll") Region: id = 2650 start_va = 0x7fffffda000 end_va = 0x7fffffdbfff entry_point = 0x0 region_type = private name = "private_0x000007fffffda000" filename = "" Region: id = 2651 start_va = 0x7fefba30000 end_va = 0x7fefba3afff entry_point = 0x7fefba30000 region_type = mapped_file name = "winrnr.dll" filename = "\\Windows\\System32\\winrnr.dll" (normalized: "c:\\windows\\system32\\winrnr.dll") Region: id = 2652 start_va = 0x7fefb140000 end_va = 0x7fefb166fff entry_point = 0x7fefb140000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 2653 start_va = 0x7fefb130000 end_va = 0x7fefb13afff entry_point = 0x7fefb130000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 2654 start_va = 0x7fefaf10000 end_va = 0x7fefaf20fff entry_point = 0x7fefaf10000 region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll") Region: id = 2655 start_va = 0x7fefaef0000 end_va = 0x7fefaf07fff entry_point = 0x7fefaef0000 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll") Thread: id = 326 os_tid = 0xae4 [0048.928] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x28fbf0 | out: lpSystemTimeAsFileTime=0x28fbf0*(dwLowDateTime=0x31799b70, dwHighDateTime=0x1d4af0a)) [0048.928] GetCurrentProcessId () returned 0xae0 [0048.928] GetCurrentThreadId () returned 0xae4 [0048.928] GetTickCount () returned 0x1b337 [0048.928] QueryPerformanceCounter (in: lpPerformanceCount=0x28fbf8 | out: lpPerformanceCount=0x28fbf8*=1816582900000) returned 1 [0048.930] GetModuleHandleW (lpModuleName=0x0) returned 0xff0b0000 [0048.930] __set_app_type (_Type=0x1) [0048.930] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff0c09f8) returned 0x0 [0048.930] __getmainargs (in: _Argc=0xff0caa00, _Argv=0xff0caa10, _Env=0xff0caa08, _DoWildCard=0, _StartInfo=0xff0caa1c | out: _Argc=0xff0caa00, _Argv=0xff0caa10, _Env=0xff0caa08) returned 0 [0048.930] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0048.930] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0048.931] WSAStartup (in: wVersionRequired=0x202, lpWSAData=0xff0d2e80 | out: lpWSAData=0xff0d2e80) returned 0 [0048.935] socket (af=2, type=2, protocol=0) returned 0x6c [0048.937] closesocket (s=0x6c) returned 0 [0048.937] RtlIpv4StringToAddressA () returned 0x0 [0048.937] RtlInitAnsiString (in: DestinationString=0x28fa50, SourceString="\\Registry\\Machine\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters" | out: DestinationString="\\Registry\\Machine\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters") [0048.937] RtlAnsiStringToUnicodeString (in: DestinationString=0x28fa40, SourceString="\\Registry\\Machine\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", AllocateDestinationString=1 | out: DestinationString="\\Registry\\Machine\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters") returned 0x0 [0048.937] NtOpenKey (in: KeyHandle=0x28fb18, DesiredAccess=0x20019, ObjectAttributes=0x28fa60*(Length=0x30, RootDirectory=0x0, ObjectName="\\Registry\\Machine\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0) | out: KeyHandle=0x28fb18*=0x6c) returned 0x0 [0048.937] RtlFreeAnsiString (AnsiString="\\") [0048.938] RtlAnsiStringToUnicodeString (in: DestinationString=0x28fa28, SourceString="DNSLookupOrder", AllocateDestinationString=0 | out: DestinationString="DNSLookupOrder") returned 0x0 [0048.938] NtQueryValueKey (in: KeyHandle=0x6c, ValueName="DNSLookupOrder", KeyValueInformationClass=0x1, KeyValueInformation=0x3f3980, Length=0x400, ResultLength=0x28fa20 | out: KeyValueInformation=0x3f3980, ResultLength=0x28fa20) returned 0xc0000034 [0048.938] RtlAnsiStringToUnicodeString (in: DestinationString=0x28fa28, SourceString="Domain", AllocateDestinationString=0 | out: DestinationString="Domain") returned 0x0 [0048.938] NtQueryValueKey (in: KeyHandle=0x6c, ValueName="Domain", KeyValueInformationClass=0x1, KeyValueInformation=0x3f3980, Length=0x400, ResultLength=0x28fa20 | out: KeyValueInformation=0x3f3980*(TitleIndex=0x0, Type=0x1, DataOffset=0x20, DataLength=0x2, NameLength=0xc, Name="Domain", Data=""), ResultLength=0x28fa20) returned 0x0 [0048.938] RtlUnicodeStringToAnsiString (in: DestinationString=0x28fa38, SourceString="", AllocateDestinationString=0 | out: DestinationString="") returned 0x0 [0048.938] RtlAnsiStringToUnicodeString (in: DestinationString=0x28fa28, SourceString="DhcpDomain", AllocateDestinationString=0 | out: DestinationString="DhcpDomain") returned 0x0 [0048.938] NtQueryValueKey (in: KeyHandle=0x6c, ValueName="DhcpDomain", KeyValueInformationClass=0x1, KeyValueInformation=0x3f3980, Length=0x400, ResultLength=0x28fa20 | out: KeyValueInformation=0x3f3980, ResultLength=0x28fa20) returned 0xc0000034 [0048.938] RtlInitAnsiString (in: DestinationString=0x28fa50, SourceString="\\Registry\\Machine\\Software\\Policies\\Microsoft\\Windows NT\\DNSClient" | out: DestinationString="\\Registry\\Machine\\Software\\Policies\\Microsoft\\Windows NT\\DNSClient") [0048.938] RtlAnsiStringToUnicodeString (in: DestinationString=0x28fa40, SourceString="\\Registry\\Machine\\Software\\Policies\\Microsoft\\Windows NT\\DNSClient", AllocateDestinationString=1 | out: DestinationString="\\Registry\\Machine\\Software\\Policies\\Microsoft\\Windows NT\\DNSClient") returned 0x0 [0048.938] NtOpenKey (in: KeyHandle=0x28fb20, DesiredAccess=0x20019, ObjectAttributes=0x28fa60*(Length=0x30, RootDirectory=0x0, ObjectName="\\Registry\\Machine\\Software\\Policies\\Microsoft\\Windows NT\\DNSClient", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0) | out: KeyHandle=0x28fb20*=0x0) returned 0xc0000034 [0048.938] RtlFreeAnsiString (AnsiString="\\") [0048.938] RtlAnsiStringToUnicodeString (in: DestinationString=0x28fa28, SourceString="SearchList", AllocateDestinationString=0 | out: DestinationString="SearchList") returned 0x0 [0048.938] NtQueryValueKey (in: KeyHandle=0x6c, ValueName="SearchList", KeyValueInformationClass=0x1, KeyValueInformation=0x3f3980, Length=0x400, ResultLength=0x28fa20 | out: KeyValueInformation=0x3f3980*(TitleIndex=0x0, Type=0x1, DataOffset=0x28, DataLength=0x2, NameLength=0x14, Name="SearchList", Data=""), ResultLength=0x28fa20) returned 0x0 [0048.938] RtlUnicodeStringToAnsiString (in: DestinationString=0x28fa38, SourceString="", AllocateDestinationString=0 | out: DestinationString="") returned 0x0 [0048.938] RtlAnsiStringToUnicodeString (in: DestinationString=0x28fa28, SourceString="DhcpSearchList", AllocateDestinationString=0 | out: DestinationString="DhcpSearchList") returned 0x0 [0048.938] NtQueryValueKey (in: KeyHandle=0x6c, ValueName="DhcpSearchList", KeyValueInformationClass=0x1, KeyValueInformation=0x3f3980, Length=0x400, ResultLength=0x28fa20 | out: KeyValueInformation=0x3f3980, ResultLength=0x28fa20) returned 0xc0000034 [0048.938] gethostname (in: name=0x6c5ed0, namelen=12800 | out: name="XDuwTfOno") returned 0 [0049.071] getenv (_VarName="HOME") returned 0x0 [0049.071] DnsQueryConfigAllocEx () returned 0x1dc1620 [0049.086] _vsnprintf (in: _DstBuf=0x28f9d0, _MaxCount=0x1e, _Format="%u.%u.%u.%u.in-addr.arpa.", _ArgList=0x27f948 | out: _DstBuf="1.0.168.192.in-addr.arpa.") returned 25 [0049.086] htons (hostshort=0x1) returned 0x100 [0049.086] htons (hostshort=0x1) returned 0x100 [0049.087] socket (af=2, type=2, protocol=0) returned 0x110 [0049.087] connect (s=0x110, name=0x1dc1640*(sa_family=2, sin_port=0x35, sin_addr="192.168.0.1"), namelen=16) returned 0 [0049.087] send (in: s=0x110, buf=0x27f9d0*, len=42, flags=0 | out: buf=0x27f9d0*) returned 42 [0049.088] select (in: nfds=272, readfds=0x26f440, writefds=0x0, exceptfds=0x0, timeout=0x26f418 | out: readfds=0x26f440, writefds=0x0, exceptfds=0x0) returned 1 [0049.088] recv (in: s=0x110, buf=0x26f930, len=65536, flags=0 | out: buf=0x26f930*) returned 42 [0049.088] closesocket (s=0x110) returned 0 [0049.088] RtlIpv4AddressToStringExA () returned 0xc000000d [0049.088] DnsFreeConfigStructure () returned 0x6db28501 [0049.088] strcpy_s (in: _Dst=0xcdfb0, _DstSize=0xc, _Src="UnKnown" | out: _Dst="UnKnown") returned 0x0 [0049.088] LocalAlloc (uFlags=0x40, uBytes=0x60) returned 0x3faba0 [0049.088] strcpy_s (in: _Dst=0xff0d3020, _DstSize=0x100, _Src="UnKnown" | out: _Dst="UnKnown") returned 0x0 [0049.088] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x35, dwLanguageId=0x0, lpBuffer=0x28f888, nSize=0x0, Arguments=0x28f880 | out: lpBuffer="`\x9c@") returned 0x7 [0049.089] fprintf (in: _File=0x7feffb12ab0, _Format="%-7s %s" | out: _File=0x7feffb12ab0) returned 16 [0049.089] fprintf (in: _File=0x7feffb12ab0, _Format="\nAddress:" | out: _File=0x7feffb12ab0) returned 9 [0049.089] inet_ntoa (in=0x100a8c0) returned="192.168.0.1" [0049.089] fprintf (in: _File=0x7feffb12ab0, _Format="%c %s" | out: _File=0x7feffb12ab0) returned 13 [0049.089] fprintf (in: _File=0x7feffb12ab0, _Format="\n\n" | out: _File=0x7feffb12ab0) returned 2 [0049.089] RtlIpv4StringToAddressA () returned 0x0 [0049.089] _vsnprintf (in: _DstBuf=0x28f6f0, _MaxCount=0x1e, _Format="%u.%u.%u.%u.in-addr.arpa.", _ArgList=0x27f668 | out: _DstBuf="255.0.168.192.in-addr.arpa.") returned 27 [0049.089] htons (hostshort=0x2) returned 0x200 [0049.089] htons (hostshort=0x1) returned 0x100 [0049.089] socket (af=2, type=2, protocol=0) returned 0x110 [0049.089] connect (s=0x110, name=0x3fabc0*(sa_family=2, sin_port=0x35, sin_addr="192.168.0.1"), namelen=16) returned 0 [0049.089] send (in: s=0x110, buf=0x27f6f0*, len=44, flags=0 | out: buf=0x27f6f0*) returned 44 [0049.089] select (in: nfds=272, readfds=0x26f160, writefds=0x0, exceptfds=0x0, timeout=0x26f138 | out: readfds=0x26f160, writefds=0x0, exceptfds=0x0) returned 1 [0049.090] recv (in: s=0x110, buf=0x26f650, len=65536, flags=0 | out: buf=0x26f650*) returned 103 [0049.090] closesocket (s=0x110) returned 0 [0049.090] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x34, dwLanguageId=0x400, lpBuffer=0x28f800, nSize=0x0, Arguments=0x28f808 | out: lpBuffer="\xf0\x8f\x3e") returned 0x3b [0049.090] CharToOemBuffA (in: lpszSrc="*** UnKnown can't find 192.168.0.255: Non-existent domain\r\n", lpszDst=0x3e8ff0, cchDstLength=0x3b | out: lpszDst="*** UnKnown can't find 192.168.0.255: Non-existent domain\r\n") returned 1 [0049.090] _write (in: _FileHandle=2, _Buf=0x3e8ff0*, _MaxCharCount=0x3b | out: _Buf=0x3e8ff0*) returned 59 [0049.090] LocalFree (hMem=0x3e8ff0) returned 0x0 [0049.091] LocalFree (hMem=0x3faba0) returned 0x0 [0049.091] exit (_Code=0) Thread: id = 327 os_tid = 0xaf4 Process: id = "24" image_name = "nslookup.exe" filename = "c:\\windows\\system32\\nslookup.exe" page_root = "0x438de000" os_pid = "0xaf8" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "19" os_parent_pid = "0x9cc" cmd_line = "C:\\Windows\\system32\\nslookup.exe 224.0.0.22" cur_dir = "C:\\Windows\\system32\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e814" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2656 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 2657 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 2658 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 2659 start_va = 0x150000 end_va = 0x1cffff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 2660 start_va = 0x77860000 end_va = 0x77a08fff entry_point = 0x77860000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2661 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 2662 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2663 start_va = 0x7fff1000 end_va = 0x7fff1fff entry_point = 0x0 region_type = private name = "private_0x000000007fff1000" filename = "" Region: id = 2664 start_va = 0xffa20000 end_va = 0xffa46fff entry_point = 0xffa20000 region_type = mapped_file name = "nslookup.exe" filename = "\\Windows\\System32\\nslookup.exe" (normalized: "c:\\windows\\system32\\nslookup.exe") Region: id = 2665 start_va = 0x7feffb80000 end_va = 0x7feffb80fff entry_point = 0x7feffb80000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 2666 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 2667 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 2668 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 2669 start_va = 0x250000 end_va = 0x34ffff entry_point = 0x0 region_type = private name = "private_0x0000000000250000" filename = "" Region: id = 2670 start_va = 0x77740000 end_va = 0x7785efff entry_point = 0x77740000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 2671 start_va = 0x7fefd900000 end_va = 0x7fefd96afff entry_point = 0x7fefd900000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 2672 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 2673 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 2674 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2675 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 2676 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 2677 start_va = 0xe0000 end_va = 0xe4fff entry_point = 0xe0000 region_type = mapped_file name = "nslookup.exe.mui" filename = "\\Windows\\System32\\en-US\\nslookup.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\nslookup.exe.mui") Region: id = 2678 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 2679 start_va = 0x100000 end_va = 0x100fff entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 2680 start_va = 0x350000 end_va = 0x44ffff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 2681 start_va = 0x500000 end_va = 0x50ffff entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 2682 start_va = 0x510000 end_va = 0x697fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 2683 start_va = 0x6a0000 end_va = 0x820fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006a0000" filename = "" Region: id = 2684 start_va = 0x830000 end_va = 0x1c2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 2685 start_va = 0x1cc0000 end_va = 0x1d3ffff entry_point = 0x0 region_type = private name = "private_0x0000000001cc0000" filename = "" Region: id = 2686 start_va = 0x77640000 end_va = 0x77739fff entry_point = 0x77640000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 2687 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 2688 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 2689 start_va = 0x7fef9020000 end_va = 0x7fef9028fff entry_point = 0x7fef9020000 region_type = mapped_file name = "wsock32.dll" filename = "\\Windows\\System32\\wsock32.dll" (normalized: "c:\\windows\\system32\\wsock32.dll") Region: id = 2690 start_va = 0x7fefcec0000 end_va = 0x7fefcf1afff entry_point = 0x7fefcec0000 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 2691 start_va = 0x7fefd040000 end_va = 0x7fefd094fff entry_point = 0x7fefd040000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 2692 start_va = 0x7fefdb80000 end_va = 0x7fefdc48fff entry_point = 0x7fefdb80000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 2693 start_va = 0x7fefdd30000 end_va = 0x7fefdd3dfff entry_point = 0x7fefdd30000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 2694 start_va = 0x7fefdd40000 end_va = 0x7fefdd6dfff entry_point = 0x7fefdd40000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2695 start_va = 0x7fefdef0000 end_va = 0x7fefdef7fff entry_point = 0x7fefdef0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 2696 start_va = 0x7fefed10000 end_va = 0x7fefed76fff entry_point = 0x7fefed10000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 2697 start_va = 0x7fefed80000 end_va = 0x7fefee88fff entry_point = 0x7fefed80000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 2698 start_va = 0x7feff0f0000 end_va = 0x7feff1cafff entry_point = 0x7feff0f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 2699 start_va = 0x7feff1d0000 end_va = 0x7feff2fcfff entry_point = 0x7feff1d0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 2700 start_va = 0x7feff850000 end_va = 0x7feff86efff entry_point = 0x7feff850000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 2701 start_va = 0x7feffa80000 end_va = 0x7feffb1efff entry_point = 0x7feffa80000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 2702 start_va = 0x7feffb20000 end_va = 0x7feffb6cfff entry_point = 0x7feffb20000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 2703 start_va = 0x1d40000 end_va = 0x200efff entry_point = 0x1d40000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 2704 start_va = 0x7fefca40000 end_va = 0x7fefca46fff entry_point = 0x7fefca40000 region_type = mapped_file name = "wshtcpip.dll" filename = "\\Windows\\System32\\WSHTCPIP.DLL" (normalized: "c:\\windows\\system32\\wshtcpip.dll") Region: id = 2705 start_va = 0x7fefb300000 end_va = 0x7fefb314fff entry_point = 0x7fefb300000 region_type = mapped_file name = "nlaapi.dll" filename = "\\Windows\\System32\\nlaapi.dll" (normalized: "c:\\windows\\system32\\nlaapi.dll") Region: id = 2706 start_va = 0x2010000 end_va = 0x20effff entry_point = 0x0 region_type = private name = "private_0x0000000002010000" filename = "" Region: id = 2707 start_va = 0x20f0000 end_va = 0x21fffff entry_point = 0x0 region_type = private name = "private_0x00000000020f0000" filename = "" Region: id = 2708 start_va = 0x7fefb9b0000 end_va = 0x7fefb9c4fff entry_point = 0x7fefb9b0000 region_type = mapped_file name = "napinsp.dll" filename = "\\Windows\\System32\\NapiNSP.dll" (normalized: "c:\\windows\\system32\\napinsp.dll") Region: id = 2709 start_va = 0x2140000 end_va = 0x21bffff entry_point = 0x0 region_type = private name = "private_0x0000000002140000" filename = "" Region: id = 2710 start_va = 0x21f0000 end_va = 0x21fffff entry_point = 0x0 region_type = private name = "private_0x00000000021f0000" filename = "" Region: id = 2711 start_va = 0x7fefb990000 end_va = 0x7fefb9a8fff entry_point = 0x7fefb990000 region_type = mapped_file name = "pnrpnsp.dll" filename = "\\Windows\\System32\\pnrpnsp.dll" (normalized: "c:\\windows\\system32\\pnrpnsp.dll") Region: id = 2712 start_va = 0x7fffffdb000 end_va = 0x7fffffdcfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdb000" filename = "" Region: id = 2713 start_va = 0x7fefba30000 end_va = 0x7fefba3afff entry_point = 0x7fefba30000 region_type = mapped_file name = "winrnr.dll" filename = "\\Windows\\System32\\winrnr.dll" (normalized: "c:\\windows\\system32\\winrnr.dll") Region: id = 2714 start_va = 0x7fefb140000 end_va = 0x7fefb166fff entry_point = 0x7fefb140000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 2715 start_va = 0x7fefb130000 end_va = 0x7fefb13afff entry_point = 0x7fefb130000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 2716 start_va = 0x7fefaf10000 end_va = 0x7fefaf20fff entry_point = 0x7fefaf10000 region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll") Region: id = 2717 start_va = 0x7fefaef0000 end_va = 0x7fefaf07fff entry_point = 0x7fefaef0000 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll") Thread: id = 328 os_tid = 0xafc [0049.175] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1cf930 | out: lpSystemTimeAsFileTime=0x1cf930*(dwLowDateTime=0x319fb170, dwHighDateTime=0x1d4af0a)) [0049.175] GetCurrentProcessId () returned 0xaf8 [0049.175] GetCurrentThreadId () returned 0xafc [0049.175] GetTickCount () returned 0x1b431 [0049.175] QueryPerformanceCounter (in: lpPerformanceCount=0x1cf938 | out: lpPerformanceCount=0x1cf938*=1816607600000) returned 1 [0049.177] GetModuleHandleW (lpModuleName=0x0) returned 0xffa20000 [0049.177] __set_app_type (_Type=0x1) [0049.177] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xffa309f8) returned 0x0 [0049.177] __getmainargs (in: _Argc=0xffa3aa00, _Argv=0xffa3aa10, _Env=0xffa3aa08, _DoWildCard=0, _StartInfo=0xffa3aa1c | out: _Argc=0xffa3aa00, _Argv=0xffa3aa10, _Env=0xffa3aa08) returned 0 [0049.177] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0049.177] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0049.178] WSAStartup (in: wVersionRequired=0x202, lpWSAData=0xffa42e80 | out: lpWSAData=0xffa42e80) returned 0 [0049.183] socket (af=2, type=2, protocol=0) returned 0x6c [0049.189] closesocket (s=0x6c) returned 0 [0049.190] RtlIpv4StringToAddressA () returned 0x0 [0049.190] RtlInitAnsiString (in: DestinationString=0x1cf790, SourceString="\\Registry\\Machine\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters" | out: DestinationString="\\Registry\\Machine\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters") [0049.190] RtlAnsiStringToUnicodeString (in: DestinationString=0x1cf780, SourceString="\\Registry\\Machine\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", AllocateDestinationString=1 | out: DestinationString="\\Registry\\Machine\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters") returned 0x0 [0049.190] NtOpenKey (in: KeyHandle=0x1cf858, DesiredAccess=0x20019, ObjectAttributes=0x1cf7a0*(Length=0x30, RootDirectory=0x0, ObjectName="\\Registry\\Machine\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0) | out: KeyHandle=0x1cf858*=0x6c) returned 0x0 [0049.190] RtlFreeAnsiString (AnsiString="\\") [0049.190] RtlAnsiStringToUnicodeString (in: DestinationString=0x1cf768, SourceString="DNSLookupOrder", AllocateDestinationString=0 | out: DestinationString="DNSLookupOrder") returned 0x0 [0049.190] NtQueryValueKey (in: KeyHandle=0x6c, ValueName="DNSLookupOrder", KeyValueInformationClass=0x1, KeyValueInformation=0x273980, Length=0x400, ResultLength=0x1cf760 | out: KeyValueInformation=0x273980, ResultLength=0x1cf760) returned 0xc0000034 [0049.191] RtlAnsiStringToUnicodeString (in: DestinationString=0x1cf768, SourceString="Domain", AllocateDestinationString=0 | out: DestinationString="Domain") returned 0x0 [0049.191] NtQueryValueKey (in: KeyHandle=0x6c, ValueName="Domain", KeyValueInformationClass=0x1, KeyValueInformation=0x273980, Length=0x400, ResultLength=0x1cf760 | out: KeyValueInformation=0x273980*(TitleIndex=0x0, Type=0x1, DataOffset=0x20, DataLength=0x2, NameLength=0xc, Name="Domain", Data=""), ResultLength=0x1cf760) returned 0x0 [0049.191] RtlUnicodeStringToAnsiString (in: DestinationString=0x1cf778, SourceString="", AllocateDestinationString=0 | out: DestinationString="") returned 0x0 [0049.191] RtlAnsiStringToUnicodeString (in: DestinationString=0x1cf768, SourceString="DhcpDomain", AllocateDestinationString=0 | out: DestinationString="DhcpDomain") returned 0x0 [0049.191] NtQueryValueKey (in: KeyHandle=0x6c, ValueName="DhcpDomain", KeyValueInformationClass=0x1, KeyValueInformation=0x273980, Length=0x400, ResultLength=0x1cf760 | out: KeyValueInformation=0x273980, ResultLength=0x1cf760) returned 0xc0000034 [0049.191] RtlInitAnsiString (in: DestinationString=0x1cf790, SourceString="\\Registry\\Machine\\Software\\Policies\\Microsoft\\Windows NT\\DNSClient" | out: DestinationString="\\Registry\\Machine\\Software\\Policies\\Microsoft\\Windows NT\\DNSClient") [0049.191] RtlAnsiStringToUnicodeString (in: DestinationString=0x1cf780, SourceString="\\Registry\\Machine\\Software\\Policies\\Microsoft\\Windows NT\\DNSClient", AllocateDestinationString=1 | out: DestinationString="\\Registry\\Machine\\Software\\Policies\\Microsoft\\Windows NT\\DNSClient") returned 0x0 [0049.191] NtOpenKey (in: KeyHandle=0x1cf860, DesiredAccess=0x20019, ObjectAttributes=0x1cf7a0*(Length=0x30, RootDirectory=0x0, ObjectName="\\Registry\\Machine\\Software\\Policies\\Microsoft\\Windows NT\\DNSClient", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0) | out: KeyHandle=0x1cf860*=0x0) returned 0xc0000034 [0049.191] RtlFreeAnsiString (AnsiString="\\") [0049.191] RtlAnsiStringToUnicodeString (in: DestinationString=0x1cf768, SourceString="SearchList", AllocateDestinationString=0 | out: DestinationString="SearchList") returned 0x0 [0049.191] NtQueryValueKey (in: KeyHandle=0x6c, ValueName="SearchList", KeyValueInformationClass=0x1, KeyValueInformation=0x273980, Length=0x400, ResultLength=0x1cf760 | out: KeyValueInformation=0x273980*(TitleIndex=0x0, Type=0x1, DataOffset=0x28, DataLength=0x2, NameLength=0x14, Name="SearchList", Data=""), ResultLength=0x1cf760) returned 0x0 [0049.191] RtlUnicodeStringToAnsiString (in: DestinationString=0x1cf778, SourceString="", AllocateDestinationString=0 | out: DestinationString="") returned 0x0 [0049.191] RtlAnsiStringToUnicodeString (in: DestinationString=0x1cf768, SourceString="DhcpSearchList", AllocateDestinationString=0 | out: DestinationString="DhcpSearchList") returned 0x0 [0049.191] NtQueryValueKey (in: KeyHandle=0x6c, ValueName="DhcpSearchList", KeyValueInformationClass=0x1, KeyValueInformation=0x273980, Length=0x400, ResultLength=0x1cf760 | out: KeyValueInformation=0x273980, ResultLength=0x1cf760) returned 0xc0000034 [0049.191] gethostname (in: name=0x505ed0, namelen=12800 | out: name="XDuwTfOno") returned 0 [0049.202] getenv (_VarName="HOME") returned 0x0 [0049.202] DnsQueryConfigAllocEx () returned 0x1cc1620 [0049.249] _vsnprintf (in: _DstBuf=0x1cf710, _MaxCount=0x1e, _Format="%u.%u.%u.%u.in-addr.arpa.", _ArgList=0x1bf688 | out: _DstBuf="1.0.168.192.in-addr.arpa.") returned 25 [0049.249] htons (hostshort=0x1) returned 0x100 [0049.249] htons (hostshort=0x1) returned 0x100 [0049.250] socket (af=2, type=2, protocol=0) returned 0x110 [0049.250] connect (s=0x110, name=0x1cc1640*(sa_family=2, sin_port=0x35, sin_addr="192.168.0.1"), namelen=16) returned 0 [0049.250] send (in: s=0x110, buf=0x1bf710*, len=42, flags=0 | out: buf=0x1bf710*) returned 42 [0049.250] select (in: nfds=272, readfds=0x1af180, writefds=0x0, exceptfds=0x0, timeout=0x1af158 | out: readfds=0x1af180, writefds=0x0, exceptfds=0x0) returned 1 [0049.250] recv (in: s=0x110, buf=0x1af670, len=65536, flags=0 | out: buf=0x1af670*) returned 42 [0049.250] closesocket (s=0x110) returned 0 [0049.251] RtlIpv4AddressToStringExA () returned 0xc000000d [0049.251] DnsFreeConfigStructure () returned 0x63b90d01 [0049.251] strcpy_s (in: _Dst=0x35df80, _DstSize=0xc, _Src="UnKnown" | out: _Dst="UnKnown") returned 0x0 [0049.251] LocalAlloc (uFlags=0x40, uBytes=0x60) returned 0x27aba0 [0049.251] strcpy_s (in: _Dst=0xffa43020, _DstSize=0x100, _Src="UnKnown" | out: _Dst="UnKnown") returned 0x0 [0049.251] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x35, dwLanguageId=0x0, lpBuffer=0x1cf5c8, nSize=0x0, Arguments=0x1cf5c0 | out: lpBuffer="`\x9c(") returned 0x7 [0049.251] fprintf (in: _File=0x7feffb12ab0, _Format="%-7s %s" | out: _File=0x7feffb12ab0) returned 16 [0049.251] fprintf (in: _File=0x7feffb12ab0, _Format="\nAddress:" | out: _File=0x7feffb12ab0) returned 9 [0049.251] inet_ntoa (in=0x100a8c0) returned="192.168.0.1" [0049.251] fprintf (in: _File=0x7feffb12ab0, _Format="%c %s" | out: _File=0x7feffb12ab0) returned 13 [0049.252] fprintf (in: _File=0x7feffb12ab0, _Format="\n\n" | out: _File=0x7feffb12ab0) returned 2 [0049.252] RtlIpv4StringToAddressA () returned 0x0 [0049.252] _vsnprintf (in: _DstBuf=0x1cf430, _MaxCount=0x1e, _Format="%u.%u.%u.%u.in-addr.arpa.", _ArgList=0x1bf3a8 | out: _DstBuf="22.0.0.224.in-addr.arpa.") returned 24 [0049.252] htons (hostshort=0x2) returned 0x200 [0049.252] htons (hostshort=0x1) returned 0x100 [0049.252] socket (af=2, type=2, protocol=0) returned 0x110 [0049.252] connect (s=0x110, name=0x27abc0*(sa_family=2, sin_port=0x35, sin_addr="192.168.0.1"), namelen=16) returned 0 [0049.252] send (in: s=0x110, buf=0x1bf430*, len=41, flags=0 | out: buf=0x1bf430*) returned 41 [0049.252] select (in: nfds=272, readfds=0x1aeea0, writefds=0x0, exceptfds=0x0, timeout=0x1aee78 | out: readfds=0x1aeea0, writefds=0x0, exceptfds=0x0) returned 1 [0049.897] recv (in: s=0x110, buf=0x1af390, len=65536, flags=0 | out: buf=0x1af390*) returned 69 [0049.897] closesocket (s=0x110) returned 0 [0049.898] htons (hostshort=0x100) returned 0x1 [0049.898] htons (hostshort=0x100) returned 0x1 [0049.899] htons (hostshort=0x0) returned 0x0 [0049.899] htons (hostshort=0x0) returned 0x0 [0049.900] LocalAlloc (uFlags=0x40, uBytes=0x60) returned 0x27aac0 [0049.900] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x31, dwLanguageId=0x0, lpBuffer=0x1cf528, nSize=0x0, Arguments=0x1cf520 | out: lpBuffer="p\x9c(") returned 0x5 [0049.900] fprintf (in: _File=0x7feffb12ab0, _Format="%-7s %s" | out: _File=0x7feffb12ab0) returned 23 [0049.900] fprintf (in: _File=0x7feffb12ab0, _Format="\nAddress:" | out: _File=0x7feffb12ab0) returned 9 [0049.900] inet_ntoa (in=0x160000e0) returned="224.0.0.22" [0049.901] fprintf (in: _File=0x7feffb12ab0, _Format="%c %s" | out: _File=0x7feffb12ab0) returned 12 [0049.901] fprintf (in: _File=0x7feffb12ab0, _Format="\n\n" | out: _File=0x7feffb12ab0) returned 2 [0049.901] LocalFree (hMem=0x27aba0) returned 0x0 [0049.901] exit (_Code=0) Thread: id = 330 os_tid = 0xb10 Process: id = "25" image_name = "nslookup.exe" filename = "c:\\windows\\system32\\nslookup.exe" page_root = "0x42be3000" os_pid = "0xb14" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "19" os_parent_pid = "0x9cc" cmd_line = "C:\\Windows\\system32\\nslookup.exe 224.0.0.252" cur_dir = "C:\\Windows\\system32\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e814" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2718 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 2719 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 2720 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 2721 start_va = 0x90000 end_va = 0x10ffff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 2722 start_va = 0x77860000 end_va = 0x77a08fff entry_point = 0x77860000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2723 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 2724 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2725 start_va = 0x7fff5000 end_va = 0x7fff5fff entry_point = 0x0 region_type = private name = "private_0x000000007fff5000" filename = "" Region: id = 2726 start_va = 0xffa40000 end_va = 0xffa66fff entry_point = 0xffa40000 region_type = mapped_file name = "nslookup.exe" filename = "\\Windows\\System32\\nslookup.exe" (normalized: "c:\\windows\\system32\\nslookup.exe") Region: id = 2727 start_va = 0x7feffb80000 end_va = 0x7feffb80fff entry_point = 0x7feffb80000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 2728 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 2729 start_va = 0x7fffffdd000 end_va = 0x7fffffddfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 2730 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 2731 start_va = 0x2a0000 end_va = 0x39ffff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 2732 start_va = 0x77740000 end_va = 0x7785efff entry_point = 0x77740000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 2733 start_va = 0x7fefd900000 end_va = 0x7fefd96afff entry_point = 0x7fefd900000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 2734 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 2735 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 2736 start_va = 0x50000 end_va = 0x56fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 2737 start_va = 0x60000 end_va = 0x61fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 2738 start_va = 0x70000 end_va = 0x74fff entry_point = 0x70000 region_type = mapped_file name = "nslookup.exe.mui" filename = "\\Windows\\System32\\en-US\\nslookup.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\nslookup.exe.mui") Region: id = 2739 start_va = 0x80000 end_va = 0x80fff entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 2740 start_va = 0x110000 end_va = 0x176fff entry_point = 0x110000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2741 start_va = 0x180000 end_va = 0x27ffff entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 2742 start_va = 0x280000 end_va = 0x280fff entry_point = 0x0 region_type = private name = "private_0x0000000000280000" filename = "" Region: id = 2743 start_va = 0x520000 end_va = 0x52ffff entry_point = 0x0 region_type = private name = "private_0x0000000000520000" filename = "" Region: id = 2744 start_va = 0x530000 end_va = 0x6b7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000530000" filename = "" Region: id = 2745 start_va = 0x6c0000 end_va = 0x840fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006c0000" filename = "" Region: id = 2746 start_va = 0x850000 end_va = 0x1c4ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000850000" filename = "" Region: id = 2747 start_va = 0x1dd0000 end_va = 0x1e4ffff entry_point = 0x0 region_type = private name = "private_0x0000000001dd0000" filename = "" Region: id = 2748 start_va = 0x77640000 end_va = 0x77739fff entry_point = 0x77640000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 2749 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 2750 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 2751 start_va = 0x7fef4c00000 end_va = 0x7fef4c08fff entry_point = 0x7fef4c00000 region_type = mapped_file name = "wsock32.dll" filename = "\\Windows\\System32\\wsock32.dll" (normalized: "c:\\windows\\system32\\wsock32.dll") Region: id = 2752 start_va = 0x7fefcec0000 end_va = 0x7fefcf1afff entry_point = 0x7fefcec0000 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 2753 start_va = 0x7fefd040000 end_va = 0x7fefd094fff entry_point = 0x7fefd040000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 2754 start_va = 0x7fefdb80000 end_va = 0x7fefdc48fff entry_point = 0x7fefdb80000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 2755 start_va = 0x7fefdd30000 end_va = 0x7fefdd3dfff entry_point = 0x7fefdd30000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 2756 start_va = 0x7fefdd40000 end_va = 0x7fefdd6dfff entry_point = 0x7fefdd40000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2757 start_va = 0x7fefdef0000 end_va = 0x7fefdef7fff entry_point = 0x7fefdef0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 2758 start_va = 0x7fefed10000 end_va = 0x7fefed76fff entry_point = 0x7fefed10000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 2759 start_va = 0x7fefed80000 end_va = 0x7fefee88fff entry_point = 0x7fefed80000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 2760 start_va = 0x7feff0f0000 end_va = 0x7feff1cafff entry_point = 0x7feff0f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 2761 start_va = 0x7feff1d0000 end_va = 0x7feff2fcfff entry_point = 0x7feff1d0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 2762 start_va = 0x7feff850000 end_va = 0x7feff86efff entry_point = 0x7feff850000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 2763 start_va = 0x7feffa80000 end_va = 0x7feffb1efff entry_point = 0x7feffa80000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 2764 start_va = 0x7feffb20000 end_va = 0x7feffb6cfff entry_point = 0x7feffb20000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 2765 start_va = 0x1e50000 end_va = 0x211efff entry_point = 0x1e50000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 2766 start_va = 0x7fefca40000 end_va = 0x7fefca46fff entry_point = 0x7fefca40000 region_type = mapped_file name = "wshtcpip.dll" filename = "\\Windows\\System32\\WSHTCPIP.DLL" (normalized: "c:\\windows\\system32\\wshtcpip.dll") Region: id = 2767 start_va = 0x7fefb300000 end_va = 0x7fefb314fff entry_point = 0x7fefb300000 region_type = mapped_file name = "nlaapi.dll" filename = "\\Windows\\System32\\nlaapi.dll" (normalized: "c:\\windows\\system32\\nlaapi.dll") Region: id = 2768 start_va = 0x2120000 end_va = 0x22bffff entry_point = 0x0 region_type = private name = "private_0x0000000002120000" filename = "" Region: id = 2769 start_va = 0x3a0000 end_va = 0x40ffff entry_point = 0x0 region_type = private name = "private_0x00000000003a0000" filename = "" Region: id = 2770 start_va = 0x7fefb9b0000 end_va = 0x7fefb9c4fff entry_point = 0x7fefb9b0000 region_type = mapped_file name = "napinsp.dll" filename = "\\Windows\\System32\\NapiNSP.dll" (normalized: "c:\\windows\\system32\\napinsp.dll") Region: id = 2771 start_va = 0x2150000 end_va = 0x21cffff entry_point = 0x0 region_type = private name = "private_0x0000000002150000" filename = "" Region: id = 2772 start_va = 0x22b0000 end_va = 0x22bffff entry_point = 0x0 region_type = private name = "private_0x00000000022b0000" filename = "" Region: id = 2773 start_va = 0x7fefb990000 end_va = 0x7fefb9a8fff entry_point = 0x7fefb990000 region_type = mapped_file name = "pnrpnsp.dll" filename = "\\Windows\\System32\\pnrpnsp.dll" (normalized: "c:\\windows\\system32\\pnrpnsp.dll") Region: id = 2774 start_va = 0x7fffffdb000 end_va = 0x7fffffdcfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdb000" filename = "" Region: id = 2775 start_va = 0x7fefba30000 end_va = 0x7fefba3afff entry_point = 0x7fefba30000 region_type = mapped_file name = "winrnr.dll" filename = "\\Windows\\System32\\winrnr.dll" (normalized: "c:\\windows\\system32\\winrnr.dll") Region: id = 2776 start_va = 0x7fefb140000 end_va = 0x7fefb166fff entry_point = 0x7fefb140000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 2777 start_va = 0x7fefb130000 end_va = 0x7fefb13afff entry_point = 0x7fefb130000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 2778 start_va = 0x7fefaf10000 end_va = 0x7fefaf20fff entry_point = 0x7fefaf10000 region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll") Region: id = 2779 start_va = 0x7fefaef0000 end_va = 0x7fefaf07fff entry_point = 0x7fefaef0000 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll") Thread: id = 331 os_tid = 0xb18 [0050.263] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x10f7f0 | out: lpSystemTimeAsFileTime=0x10f7f0*(dwLowDateTime=0x324651b0, dwHighDateTime=0x1d4af0a)) [0050.263] GetCurrentProcessId () returned 0xb14 [0050.263] GetCurrentThreadId () returned 0xb18 [0050.263] GetTickCount () returned 0x1b875 [0050.263] QueryPerformanceCounter (in: lpPerformanceCount=0x10f7f8 | out: lpPerformanceCount=0x10f7f8*=1816716400000) returned 1 [0050.265] GetModuleHandleW (lpModuleName=0x0) returned 0xffa40000 [0050.265] __set_app_type (_Type=0x1) [0050.265] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xffa509f8) returned 0x0 [0050.265] __getmainargs (in: _Argc=0xffa5aa00, _Argv=0xffa5aa10, _Env=0xffa5aa08, _DoWildCard=0, _StartInfo=0xffa5aa1c | out: _Argc=0xffa5aa00, _Argv=0xffa5aa10, _Env=0xffa5aa08) returned 0 [0050.265] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0050.265] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0050.265] WSAStartup (in: wVersionRequired=0x202, lpWSAData=0xffa62e80 | out: lpWSAData=0xffa62e80) returned 0 [0050.273] socket (af=2, type=2, protocol=0) returned 0x6c [0050.274] closesocket (s=0x6c) returned 0 [0050.274] RtlIpv4StringToAddressA () returned 0x0 [0050.274] RtlInitAnsiString (in: DestinationString=0x10f650, SourceString="\\Registry\\Machine\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters" | out: DestinationString="\\Registry\\Machine\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters") [0050.274] RtlAnsiStringToUnicodeString (in: DestinationString=0x10f640, SourceString="\\Registry\\Machine\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", AllocateDestinationString=1 | out: DestinationString="\\Registry\\Machine\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters") returned 0x0 [0050.274] NtOpenKey (in: KeyHandle=0x10f718, DesiredAccess=0x20019, ObjectAttributes=0x10f660*(Length=0x30, RootDirectory=0x0, ObjectName="\\Registry\\Machine\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0) | out: KeyHandle=0x10f718*=0x6c) returned 0x0 [0050.274] RtlFreeAnsiString (AnsiString="\\") [0050.275] RtlAnsiStringToUnicodeString (in: DestinationString=0x10f628, SourceString="DNSLookupOrder", AllocateDestinationString=0 | out: DestinationString="DNSLookupOrder") returned 0x0 [0050.275] NtQueryValueKey (in: KeyHandle=0x6c, ValueName="DNSLookupOrder", KeyValueInformationClass=0x1, KeyValueInformation=0x2c3980, Length=0x400, ResultLength=0x10f620 | out: KeyValueInformation=0x2c3980, ResultLength=0x10f620) returned 0xc0000034 [0050.275] RtlAnsiStringToUnicodeString (in: DestinationString=0x10f628, SourceString="Domain", AllocateDestinationString=0 | out: DestinationString="Domain") returned 0x0 [0050.275] NtQueryValueKey (in: KeyHandle=0x6c, ValueName="Domain", KeyValueInformationClass=0x1, KeyValueInformation=0x2c3980, Length=0x400, ResultLength=0x10f620 | out: KeyValueInformation=0x2c3980*(TitleIndex=0x0, Type=0x1, DataOffset=0x20, DataLength=0x2, NameLength=0xc, Name="Domain", Data=""), ResultLength=0x10f620) returned 0x0 [0050.275] RtlUnicodeStringToAnsiString (in: DestinationString=0x10f638, SourceString="", AllocateDestinationString=0 | out: DestinationString="") returned 0x0 [0050.275] RtlAnsiStringToUnicodeString (in: DestinationString=0x10f628, SourceString="DhcpDomain", AllocateDestinationString=0 | out: DestinationString="DhcpDomain") returned 0x0 [0050.275] NtQueryValueKey (in: KeyHandle=0x6c, ValueName="DhcpDomain", KeyValueInformationClass=0x1, KeyValueInformation=0x2c3980, Length=0x400, ResultLength=0x10f620 | out: KeyValueInformation=0x2c3980, ResultLength=0x10f620) returned 0xc0000034 [0050.275] RtlInitAnsiString (in: DestinationString=0x10f650, SourceString="\\Registry\\Machine\\Software\\Policies\\Microsoft\\Windows NT\\DNSClient" | out: DestinationString="\\Registry\\Machine\\Software\\Policies\\Microsoft\\Windows NT\\DNSClient") [0050.275] RtlAnsiStringToUnicodeString (in: DestinationString=0x10f640, SourceString="\\Registry\\Machine\\Software\\Policies\\Microsoft\\Windows NT\\DNSClient", AllocateDestinationString=1 | out: DestinationString="\\Registry\\Machine\\Software\\Policies\\Microsoft\\Windows NT\\DNSClient") returned 0x0 [0050.275] NtOpenKey (in: KeyHandle=0x10f720, DesiredAccess=0x20019, ObjectAttributes=0x10f660*(Length=0x30, RootDirectory=0x0, ObjectName="\\Registry\\Machine\\Software\\Policies\\Microsoft\\Windows NT\\DNSClient", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0) | out: KeyHandle=0x10f720*=0x0) returned 0xc0000034 [0050.275] RtlFreeAnsiString (AnsiString="\\") [0050.275] RtlAnsiStringToUnicodeString (in: DestinationString=0x10f628, SourceString="SearchList", AllocateDestinationString=0 | out: DestinationString="SearchList") returned 0x0 [0050.275] NtQueryValueKey (in: KeyHandle=0x6c, ValueName="SearchList", KeyValueInformationClass=0x1, KeyValueInformation=0x2c3980, Length=0x400, ResultLength=0x10f620 | out: KeyValueInformation=0x2c3980*(TitleIndex=0x0, Type=0x1, DataOffset=0x28, DataLength=0x2, NameLength=0x14, Name="SearchList", Data=""), ResultLength=0x10f620) returned 0x0 [0050.275] RtlUnicodeStringToAnsiString (in: DestinationString=0x10f638, SourceString="", AllocateDestinationString=0 | out: DestinationString="") returned 0x0 [0050.275] RtlAnsiStringToUnicodeString (in: DestinationString=0x10f628, SourceString="DhcpSearchList", AllocateDestinationString=0 | out: DestinationString="DhcpSearchList") returned 0x0 [0050.275] NtQueryValueKey (in: KeyHandle=0x6c, ValueName="DhcpSearchList", KeyValueInformationClass=0x1, KeyValueInformation=0x2c3980, Length=0x400, ResultLength=0x10f620 | out: KeyValueInformation=0x2c3980, ResultLength=0x10f620) returned 0xc0000034 [0050.275] gethostname (in: name=0x525ed0, namelen=12800 | out: name="XDuwTfOno") returned 0 [0050.291] getenv (_VarName="HOME") returned 0x0 [0050.291] DnsQueryConfigAllocEx () returned 0x1dd1620 [0050.353] _vsnprintf (in: _DstBuf=0x10f5d0, _MaxCount=0x1e, _Format="%u.%u.%u.%u.in-addr.arpa.", _ArgList=0xff548 | out: _DstBuf="1.0.168.192.in-addr.arpa.") returned 25 [0050.353] htons (hostshort=0x1) returned 0x100 [0050.353] htons (hostshort=0x1) returned 0x100 [0050.355] socket (af=2, type=2, protocol=0) returned 0x110 [0050.355] connect (s=0x110, name=0x1dd1640*(sa_family=2, sin_port=0x35, sin_addr="192.168.0.1"), namelen=16) returned 0 [0050.355] send (in: s=0x110, buf=0xff5d0*, len=42, flags=0 | out: buf=0xff5d0*) returned 42 [0050.355] select (in: nfds=272, readfds=0xef040, writefds=0x0, exceptfds=0x0, timeout=0xef018 | out: readfds=0xef040, writefds=0x0, exceptfds=0x0) returned 1 [0050.355] recv (in: s=0x110, buf=0xef530, len=65536, flags=0 | out: buf=0xef530*) returned 42 [0050.355] closesocket (s=0x110) returned 0 [0050.355] RtlIpv4AddressToStringExA () returned 0xc000000d [0050.355] DnsFreeConfigStructure () returned 0x36fc5f01 [0050.356] strcpy_s (in: _Dst=0x18df80, _DstSize=0xc, _Src="UnKnown" | out: _Dst="UnKnown") returned 0x0 [0050.356] LocalAlloc (uFlags=0x40, uBytes=0x60) returned 0x2caba0 [0050.356] strcpy_s (in: _Dst=0xffa63020, _DstSize=0x100, _Src="UnKnown" | out: _Dst="UnKnown") returned 0x0 [0050.356] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x35, dwLanguageId=0x0, lpBuffer=0x10f488, nSize=0x0, Arguments=0x10f480 | out: lpBuffer="`\x9c-") returned 0x7 [0050.356] fprintf (in: _File=0x7feffb12ab0, _Format="%-7s %s" | out: _File=0x7feffb12ab0) returned 16 [0050.356] fprintf (in: _File=0x7feffb12ab0, _Format="\nAddress:" | out: _File=0x7feffb12ab0) returned 9 [0050.356] inet_ntoa (in=0x100a8c0) returned="192.168.0.1" [0050.356] fprintf (in: _File=0x7feffb12ab0, _Format="%c %s" | out: _File=0x7feffb12ab0) returned 13 [0050.356] fprintf (in: _File=0x7feffb12ab0, _Format="\n\n" | out: _File=0x7feffb12ab0) returned 2 [0050.356] RtlIpv4StringToAddressA () returned 0x0 [0050.356] _vsnprintf (in: _DstBuf=0x10f2f0, _MaxCount=0x1e, _Format="%u.%u.%u.%u.in-addr.arpa.", _ArgList=0xff268 | out: _DstBuf="252.0.0.224.in-addr.arpa.") returned 25 [0050.356] htons (hostshort=0x2) returned 0x200 [0050.356] htons (hostshort=0x1) returned 0x100 [0050.356] socket (af=2, type=2, protocol=0) returned 0x110 [0050.357] connect (s=0x110, name=0x2cabc0*(sa_family=2, sin_port=0x35, sin_addr="192.168.0.1"), namelen=16) returned 0 [0050.357] send (in: s=0x110, buf=0xff2f0*, len=42, flags=0 | out: buf=0xff2f0*) returned 42 [0050.357] select (in: nfds=272, readfds=0xeed60, writefds=0x0, exceptfds=0x0, timeout=0xeed38 | out: readfds=0xeed60, writefds=0x0, exceptfds=0x0) returned 1 [0050.597] recv (in: s=0x110, buf=0xef250, len=65536, flags=0 | out: buf=0xef250*) returned 99 [0050.598] closesocket (s=0x110) returned 0 [0050.600] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x34, dwLanguageId=0x400, lpBuffer=0x10f400, nSize=0x0, Arguments=0x10f408 | out: lpBuffer="\xf0\x8f\x2b") returned 0x39 [0050.607] CharToOemBuffA (in: lpszSrc="*** UnKnown can't find 224.0.0.252: Non-existent domain\r\n", lpszDst=0x2b8ff0, cchDstLength=0x39 | out: lpszDst="*** UnKnown can't find 224.0.0.252: Non-existent domain\r\n") returned 1 [0050.608] _write (in: _FileHandle=2, _Buf=0x2b8ff0*, _MaxCharCount=0x39 | out: _Buf=0x2b8ff0*) returned 57 [0050.624] LocalFree (hMem=0x2b8ff0) returned 0x0 [0050.635] LocalFree (hMem=0x2caba0) returned 0x0 [0050.640] exit (_Code=0) Thread: id = 333 os_tid = 0xb2c Process: id = "26" image_name = "nslookup.exe" filename = "c:\\windows\\system32\\nslookup.exe" page_root = "0x418e8000" os_pid = "0xb30" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "19" os_parent_pid = "0x9cc" cmd_line = "C:\\Windows\\system32\\nslookup.exe 255.255.255.255" cur_dir = "C:\\Windows\\system32\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e814" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2780 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 2781 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 2782 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 2783 start_va = 0xd0000 end_va = 0x14ffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 2784 start_va = 0x77860000 end_va = 0x77a08fff entry_point = 0x77860000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2785 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 2786 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2787 start_va = 0x7fffe000 end_va = 0x7fffefff entry_point = 0x0 region_type = private name = "private_0x000000007fffe000" filename = "" Region: id = 2788 start_va = 0xff490000 end_va = 0xff4b6fff entry_point = 0xff490000 region_type = mapped_file name = "nslookup.exe" filename = "\\Windows\\System32\\nslookup.exe" (normalized: "c:\\windows\\system32\\nslookup.exe") Region: id = 2789 start_va = 0x7feffb80000 end_va = 0x7feffb80fff entry_point = 0x7feffb80000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 2790 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 2791 start_va = 0x7fffffda000 end_va = 0x7fffffdafff entry_point = 0x0 region_type = private name = "private_0x000007fffffda000" filename = "" Region: id = 2792 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 2793 start_va = 0x2c0000 end_va = 0x3bffff entry_point = 0x0 region_type = private name = "private_0x00000000002c0000" filename = "" Region: id = 2794 start_va = 0x77740000 end_va = 0x7785efff entry_point = 0x77740000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 2795 start_va = 0x7fefd900000 end_va = 0x7fefd96afff entry_point = 0x7fefd900000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 2796 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 2797 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 2798 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2799 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 2800 start_va = 0x150000 end_va = 0x151fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000150000" filename = "" Region: id = 2801 start_va = 0x160000 end_va = 0x16ffff entry_point = 0x0 region_type = private name = "private_0x0000000000160000" filename = "" Region: id = 2802 start_va = 0x170000 end_va = 0x26ffff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 2803 start_va = 0x270000 end_va = 0x274fff entry_point = 0x270000 region_type = mapped_file name = "nslookup.exe.mui" filename = "\\Windows\\System32\\en-US\\nslookup.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\nslookup.exe.mui") Region: id = 2804 start_va = 0x280000 end_va = 0x280fff entry_point = 0x0 region_type = private name = "private_0x0000000000280000" filename = "" Region: id = 2805 start_va = 0x290000 end_va = 0x290fff entry_point = 0x0 region_type = private name = "private_0x0000000000290000" filename = "" Region: id = 2806 start_va = 0x3c0000 end_va = 0x547fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003c0000" filename = "" Region: id = 2807 start_va = 0x550000 end_va = 0x6d0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000550000" filename = "" Region: id = 2808 start_va = 0x6e0000 end_va = 0x1adffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 2809 start_va = 0x1c40000 end_va = 0x1cbffff entry_point = 0x0 region_type = private name = "private_0x0000000001c40000" filename = "" Region: id = 2810 start_va = 0x77640000 end_va = 0x77739fff entry_point = 0x77640000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 2811 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 2812 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 2813 start_va = 0x7fef9020000 end_va = 0x7fef9028fff entry_point = 0x7fef9020000 region_type = mapped_file name = "wsock32.dll" filename = "\\Windows\\System32\\wsock32.dll" (normalized: "c:\\windows\\system32\\wsock32.dll") Region: id = 2814 start_va = 0x7fefcec0000 end_va = 0x7fefcf1afff entry_point = 0x7fefcec0000 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 2815 start_va = 0x7fefd040000 end_va = 0x7fefd094fff entry_point = 0x7fefd040000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 2816 start_va = 0x7fefdb80000 end_va = 0x7fefdc48fff entry_point = 0x7fefdb80000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 2817 start_va = 0x7fefdd30000 end_va = 0x7fefdd3dfff entry_point = 0x7fefdd30000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 2818 start_va = 0x7fefdd40000 end_va = 0x7fefdd6dfff entry_point = 0x7fefdd40000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2819 start_va = 0x7fefdef0000 end_va = 0x7fefdef7fff entry_point = 0x7fefdef0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 2820 start_va = 0x7fefed10000 end_va = 0x7fefed76fff entry_point = 0x7fefed10000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 2821 start_va = 0x7fefed80000 end_va = 0x7fefee88fff entry_point = 0x7fefed80000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 2822 start_va = 0x7feff0f0000 end_va = 0x7feff1cafff entry_point = 0x7feff0f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 2823 start_va = 0x7feff1d0000 end_va = 0x7feff2fcfff entry_point = 0x7feff1d0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 2824 start_va = 0x7feff850000 end_va = 0x7feff86efff entry_point = 0x7feff850000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 2825 start_va = 0x7feffa80000 end_va = 0x7feffb1efff entry_point = 0x7feffa80000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 2826 start_va = 0x7feffb20000 end_va = 0x7feffb6cfff entry_point = 0x7feffb20000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 2827 start_va = 0x1cc0000 end_va = 0x1f8efff entry_point = 0x1cc0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 2828 start_va = 0x7fefca40000 end_va = 0x7fefca46fff entry_point = 0x7fefca40000 region_type = mapped_file name = "wshtcpip.dll" filename = "\\Windows\\System32\\WSHTCPIP.DLL" (normalized: "c:\\windows\\system32\\wshtcpip.dll") Region: id = 2829 start_va = 0x7fefb300000 end_va = 0x7fefb314fff entry_point = 0x7fefb300000 region_type = mapped_file name = "nlaapi.dll" filename = "\\Windows\\System32\\nlaapi.dll" (normalized: "c:\\windows\\system32\\nlaapi.dll") Region: id = 2830 start_va = 0x1f90000 end_va = 0x213ffff entry_point = 0x0 region_type = private name = "private_0x0000000001f90000" filename = "" Region: id = 2831 start_va = 0x1ae0000 end_va = 0x1b6ffff entry_point = 0x0 region_type = private name = "private_0x0000000001ae0000" filename = "" Region: id = 2832 start_va = 0x7fefb9b0000 end_va = 0x7fefb9c4fff entry_point = 0x7fefb9b0000 region_type = mapped_file name = "napinsp.dll" filename = "\\Windows\\System32\\NapiNSP.dll" (normalized: "c:\\windows\\system32\\napinsp.dll") Region: id = 2833 start_va = 0x2180000 end_va = 0x21fffff entry_point = 0x0 region_type = private name = "private_0x0000000002180000" filename = "" Region: id = 2834 start_va = 0x7fefb990000 end_va = 0x7fefb9a8fff entry_point = 0x7fefb990000 region_type = mapped_file name = "pnrpnsp.dll" filename = "\\Windows\\System32\\pnrpnsp.dll" (normalized: "c:\\windows\\system32\\pnrpnsp.dll") Region: id = 2835 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 2836 start_va = 0x7fefba30000 end_va = 0x7fefba3afff entry_point = 0x7fefba30000 region_type = mapped_file name = "winrnr.dll" filename = "\\Windows\\System32\\winrnr.dll" (normalized: "c:\\windows\\system32\\winrnr.dll") Region: id = 2837 start_va = 0x7fefb140000 end_va = 0x7fefb166fff entry_point = 0x7fefb140000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 2838 start_va = 0x7fefb130000 end_va = 0x7fefb13afff entry_point = 0x7fefb130000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 2839 start_va = 0x7fefaf10000 end_va = 0x7fefaf20fff entry_point = 0x7fefaf10000 region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll") Region: id = 2840 start_va = 0x7fefaef0000 end_va = 0x7fefaf07fff entry_point = 0x7fefaef0000 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll") Thread: id = 334 os_tid = 0xb34 [0051.135] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x14fb10 | out: lpSystemTimeAsFileTime=0x14fb10*(dwLowDateTime=0x32cb9eb0, dwHighDateTime=0x1d4af0a)) [0051.135] GetCurrentProcessId () returned 0xb30 [0051.135] GetCurrentThreadId () returned 0xb34 [0051.135] GetTickCount () returned 0x1bbdf [0051.135] QueryPerformanceCounter (in: lpPerformanceCount=0x14fb18 | out: lpPerformanceCount=0x14fb18*=1816803600000) returned 1 [0051.137] GetModuleHandleW (lpModuleName=0x0) returned 0xff490000 [0051.137] __set_app_type (_Type=0x1) [0051.137] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff4a09f8) returned 0x0 [0051.137] __getmainargs (in: _Argc=0xff4aaa00, _Argv=0xff4aaa10, _Env=0xff4aaa08, _DoWildCard=0, _StartInfo=0xff4aaa1c | out: _Argc=0xff4aaa00, _Argv=0xff4aaa10, _Env=0xff4aaa08) returned 0 [0051.137] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0051.137] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0051.138] WSAStartup (in: wVersionRequired=0x202, lpWSAData=0xff4b2e80 | out: lpWSAData=0xff4b2e80) returned 0 [0051.142] socket (af=2, type=2, protocol=0) returned 0x6c [0051.144] closesocket (s=0x6c) returned 0 [0051.144] RtlIpv4StringToAddressA () returned 0x0 [0051.144] RtlInitAnsiString (in: DestinationString=0x14f970, SourceString="\\Registry\\Machine\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters" | out: DestinationString="\\Registry\\Machine\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters") [0051.144] RtlAnsiStringToUnicodeString (in: DestinationString=0x14f960, SourceString="\\Registry\\Machine\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", AllocateDestinationString=1 | out: DestinationString="\\Registry\\Machine\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters") returned 0x0 [0051.144] NtOpenKey (in: KeyHandle=0x14fa38, DesiredAccess=0x20019, ObjectAttributes=0x14f980*(Length=0x30, RootDirectory=0x0, ObjectName="\\Registry\\Machine\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0) | out: KeyHandle=0x14fa38*=0x6c) returned 0x0 [0051.144] RtlFreeAnsiString (AnsiString="\\") [0051.144] RtlAnsiStringToUnicodeString (in: DestinationString=0x14f948, SourceString="DNSLookupOrder", AllocateDestinationString=0 | out: DestinationString="DNSLookupOrder") returned 0x0 [0051.144] NtQueryValueKey (in: KeyHandle=0x6c, ValueName="DNSLookupOrder", KeyValueInformationClass=0x1, KeyValueInformation=0x2e3990, Length=0x400, ResultLength=0x14f940 | out: KeyValueInformation=0x2e3990, ResultLength=0x14f940) returned 0xc0000034 [0051.145] RtlAnsiStringToUnicodeString (in: DestinationString=0x14f948, SourceString="Domain", AllocateDestinationString=0 | out: DestinationString="Domain") returned 0x0 [0051.145] NtQueryValueKey (in: KeyHandle=0x6c, ValueName="Domain", KeyValueInformationClass=0x1, KeyValueInformation=0x2e3990, Length=0x400, ResultLength=0x14f940 | out: KeyValueInformation=0x2e3990*(TitleIndex=0x0, Type=0x1, DataOffset=0x20, DataLength=0x2, NameLength=0xc, Name="Domain", Data=""), ResultLength=0x14f940) returned 0x0 [0051.145] RtlUnicodeStringToAnsiString (in: DestinationString=0x14f958, SourceString="", AllocateDestinationString=0 | out: DestinationString="") returned 0x0 [0051.145] RtlAnsiStringToUnicodeString (in: DestinationString=0x14f948, SourceString="DhcpDomain", AllocateDestinationString=0 | out: DestinationString="DhcpDomain") returned 0x0 [0051.145] NtQueryValueKey (in: KeyHandle=0x6c, ValueName="DhcpDomain", KeyValueInformationClass=0x1, KeyValueInformation=0x2e3990, Length=0x400, ResultLength=0x14f940 | out: KeyValueInformation=0x2e3990, ResultLength=0x14f940) returned 0xc0000034 [0051.145] RtlInitAnsiString (in: DestinationString=0x14f970, SourceString="\\Registry\\Machine\\Software\\Policies\\Microsoft\\Windows NT\\DNSClient" | out: DestinationString="\\Registry\\Machine\\Software\\Policies\\Microsoft\\Windows NT\\DNSClient") [0051.145] RtlAnsiStringToUnicodeString (in: DestinationString=0x14f960, SourceString="\\Registry\\Machine\\Software\\Policies\\Microsoft\\Windows NT\\DNSClient", AllocateDestinationString=1 | out: DestinationString="\\Registry\\Machine\\Software\\Policies\\Microsoft\\Windows NT\\DNSClient") returned 0x0 [0051.145] NtOpenKey (in: KeyHandle=0x14fa40, DesiredAccess=0x20019, ObjectAttributes=0x14f980*(Length=0x30, RootDirectory=0x0, ObjectName="\\Registry\\Machine\\Software\\Policies\\Microsoft\\Windows NT\\DNSClient", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0) | out: KeyHandle=0x14fa40*=0x0) returned 0xc0000034 [0051.145] RtlFreeAnsiString (AnsiString="\\") [0051.145] RtlAnsiStringToUnicodeString (in: DestinationString=0x14f948, SourceString="SearchList", AllocateDestinationString=0 | out: DestinationString="SearchList") returned 0x0 [0051.145] NtQueryValueKey (in: KeyHandle=0x6c, ValueName="SearchList", KeyValueInformationClass=0x1, KeyValueInformation=0x2e3990, Length=0x400, ResultLength=0x14f940 | out: KeyValueInformation=0x2e3990*(TitleIndex=0x0, Type=0x1, DataOffset=0x28, DataLength=0x2, NameLength=0x14, Name="SearchList", Data=""), ResultLength=0x14f940) returned 0x0 [0051.145] RtlUnicodeStringToAnsiString (in: DestinationString=0x14f958, SourceString="", AllocateDestinationString=0 | out: DestinationString="") returned 0x0 [0051.145] RtlAnsiStringToUnicodeString (in: DestinationString=0x14f948, SourceString="DhcpSearchList", AllocateDestinationString=0 | out: DestinationString="DhcpSearchList") returned 0x0 [0051.145] NtQueryValueKey (in: KeyHandle=0x6c, ValueName="DhcpSearchList", KeyValueInformationClass=0x1, KeyValueInformation=0x2e3990, Length=0x400, ResultLength=0x14f940 | out: KeyValueInformation=0x2e3990, ResultLength=0x14f940) returned 0xc0000034 [0051.145] gethostname (in: name=0x165ed0, namelen=12800 | out: name="XDuwTfOno") returned 0 [0051.178] getenv (_VarName="HOME") returned 0x0 [0051.178] DnsQueryConfigAllocEx () returned 0x1c41620 [0051.201] _vsnprintf (in: _DstBuf=0x14f8f0, _MaxCount=0x1e, _Format="%u.%u.%u.%u.in-addr.arpa.", _ArgList=0x13f868 | out: _DstBuf="1.0.168.192.in-addr.arpa.") returned 25 [0051.201] htons (hostshort=0x1) returned 0x100 [0051.201] htons (hostshort=0x1) returned 0x100 [0051.202] socket (af=2, type=2, protocol=0) returned 0x110 [0051.202] connect (s=0x110, name=0x1c41640*(sa_family=2, sin_port=0x35, sin_addr="192.168.0.1"), namelen=16) returned 0 [0051.202] send (in: s=0x110, buf=0x13f8f0*, len=42, flags=0 | out: buf=0x13f8f0*) returned 42 [0051.203] select (in: nfds=272, readfds=0x12f360, writefds=0x0, exceptfds=0x0, timeout=0x12f338 | out: readfds=0x12f360, writefds=0x0, exceptfds=0x0) returned 1 [0051.203] recv (in: s=0x110, buf=0x12f850, len=65536, flags=0 | out: buf=0x12f850*) returned 42 [0051.203] closesocket (s=0x110) returned 0 [0051.203] RtlIpv4AddressToStringExA () returned 0xc000000d [0051.203] DnsFreeConfigStructure () returned 0xfbd2f01 [0051.203] strcpy_s (in: _Dst=0x17dfb0, _DstSize=0xc, _Src="UnKnown" | out: _Dst="UnKnown") returned 0x0 [0051.203] LocalAlloc (uFlags=0x40, uBytes=0x60) returned 0x2eabb0 [0051.203] strcpy_s (in: _Dst=0xff4b3020, _DstSize=0x100, _Src="UnKnown" | out: _Dst="UnKnown") returned 0x0 [0051.204] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x35, dwLanguageId=0x0, lpBuffer=0x14f7a8, nSize=0x0, Arguments=0x14f7a0 | out: lpBuffer="p\x9c/") returned 0x7 [0051.204] fprintf (in: _File=0x7feffb12ab0, _Format="%-7s %s" | out: _File=0x7feffb12ab0) returned 16 [0051.204] fprintf (in: _File=0x7feffb12ab0, _Format="\nAddress:" | out: _File=0x7feffb12ab0) returned 9 [0051.204] inet_ntoa (in=0x100a8c0) returned="192.168.0.1" [0051.204] fprintf (in: _File=0x7feffb12ab0, _Format="%c %s" | out: _File=0x7feffb12ab0) returned 13 [0051.204] fprintf (in: _File=0x7feffb12ab0, _Format="\n\n" | out: _File=0x7feffb12ab0) returned 2 [0051.204] RtlIpv4StringToAddressA () returned 0x0 [0051.204] _vsnprintf (in: _DstBuf=0x14f610, _MaxCount=0x1e, _Format="%u.%u.%u.%u.in-addr.arpa.", _ArgList=0x13f588 | out: _DstBuf="255.255.255.255.in-addr.arpa.") returned 29 [0051.204] htons (hostshort=0x2) returned 0x200 [0051.204] htons (hostshort=0x1) returned 0x100 [0051.204] socket (af=2, type=2, protocol=0) returned 0x110 [0051.204] connect (s=0x110, name=0x2eabd0*(sa_family=2, sin_port=0x35, sin_addr="192.168.0.1"), namelen=16) returned 0 [0051.204] send (in: s=0x110, buf=0x13f610*, len=46, flags=0 | out: buf=0x13f610*) returned 46 [0051.205] select (in: nfds=272, readfds=0x12f080, writefds=0x0, exceptfds=0x0, timeout=0x12f058 | out: readfds=0x12f080, writefds=0x0, exceptfds=0x0) returned 1 [0051.208] recv (in: s=0x110, buf=0x12f570, len=65536, flags=0 | out: buf=0x12f570*) returned 105 [0051.208] closesocket (s=0x110) returned 0 [0051.209] htons (hostshort=0x100) returned 0x1 [0051.209] htons (hostshort=0x0) returned 0x0 [0051.209] htons (hostshort=0x100) returned 0x1 [0051.209] htons (hostshort=0x0) returned 0x0 [0051.210] htons (hostshort=0x100) returned 0x1 [0051.210] htons (hostshort=0x0) returned 0x0 [0051.317] fputs (in: _Str="255.255.255.255.in-addr.arpa", _File=0x7feffb12ab0 | out: _File=0x7feffb12ab0) returned 0 [0051.319] fputc (in: _Ch=10, _File=0x7feffb12ab0 | out: _File=0x7feffb12ab0) returned 10 [0051.319] fprintf (in: _File=0x7feffb12ab0, _Format="\x09primary name server = " | out: _File=0x7feffb12ab0) returned 23 [0051.319] fputs (in: _Str="localhost", _File=0x7feffb12ab0 | out: _File=0x7feffb12ab0) returned 0 [0051.319] fprintf (in: _File=0x7feffb12ab0, _Format="\n\x09responsible mail addr = " | out: _File=0x7feffb12ab0) returned 26 [0051.319] fputs (in: _Str="nobody.invalid", _File=0x7feffb12ab0 | out: _File=0x7feffb12ab0) returned 0 [0051.319] fprintf (in: _File=0x7feffb12ab0, _Format="\n\x09serial = %lu" | out: _File=0x7feffb12ab0) returned 13 [0051.319] sprintf_s (in: _DstBuf=0xff4b2138, _DstSize=0x28, _Format="%d hour%s" | out: _DstBuf="1 hour") returned 6 [0051.319] fprintf (in: _File=0x7feffb12ab0, _Format="\n\x09refresh = %lu (%s)" | out: _File=0x7feffb12ab0) returned 25 [0051.319] sprintf_s (in: _DstBuf=0xff4b2138, _DstSize=0x28, _Format="%d min%s" | out: _DstBuf="20 mins") returned 7 [0051.319] fprintf (in: _File=0x7feffb12ab0, _Format="\n\x09retry = %lu (%s)" | out: _File=0x7feffb12ab0) returned 26 [0051.319] sprintf_s (in: _DstBuf=0xff4b2138, _DstSize=0x28, _Format="%d day%s" | out: _DstBuf="7 days") returned 6 [0051.319] fprintf (in: _File=0x7feffb12ab0, _Format="\n\x09expire = %lu (%s)" | out: _File=0x7feffb12ab0) returned 27 [0051.319] sprintf_s (in: _DstBuf=0xff4b2138, _DstSize=0x28, _Format="%d hour%s" | out: _DstBuf="3 hours") returned 7 [0051.319] fprintf (in: _File=0x7feffb12ab0, _Format="\n\x09default TTL = %lu (%s)\n" | out: _File=0x7feffb12ab0) returned 32 [0051.330] htons (hostshort=0x100) returned 0x1 [0051.331] htons (hostshort=0x0) returned 0x0 [0051.331] htons (hostshort=0x100) returned 0x1 [0051.332] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x32, dwLanguageId=0x400, lpBuffer=0x14f720, nSize=0x0, Arguments=0x14f728 | out: lpBuffer="\xd0\xaa\x2e") returned 0x66 [0051.334] CharToOemBuffA (in: lpszSrc="*** No internal type for both IPv4 and IPv6 Addresses (A+AAAA) records available for 255.255.255.255\r\n", lpszDst=0x2eaad0, cchDstLength=0x66 | out: lpszDst="*** No internal type for both IPv4 and IPv6 Addresses (A+AAAA) records available for 255.255.255.255\r\n") returned 1 [0051.335] _write (in: _FileHandle=2, _Buf=0x2eaad0*, _MaxCharCount=0x66 | out: _Buf=0x2eaad0*) returned 102 [0051.352] LocalFree (hMem=0x2eaad0) returned 0x0 [0051.353] LocalFree (hMem=0x2eabb0) returned 0x0 [0051.354] exit (_Code=0) Thread: id = 336 os_tid = 0xb48 Process: id = "27" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x416ee000" os_pid = "0xb4c" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "19" os_parent_pid = "0x9cc" cmd_line = "C:\\Windows\\system32\\net.exe view igmp.mcast.net" cur_dir = "C:\\Windows\\system32\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e814" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2841 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 2842 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 2843 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 2844 start_va = 0x90000 end_va = 0x10ffff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 2845 start_va = 0x77860000 end_va = 0x77a08fff entry_point = 0x77860000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2846 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 2847 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2848 start_va = 0x7fff9000 end_va = 0x7fff9fff entry_point = 0x0 region_type = private name = "private_0x000000007fff9000" filename = "" Region: id = 2849 start_va = 0xff120000 end_va = 0xff13bfff entry_point = 0xff120000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 2850 start_va = 0x7feffb80000 end_va = 0x7feffb80fff entry_point = 0x7feffb80000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 2851 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 2852 start_va = 0x7fffffdd000 end_va = 0x7fffffddfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 2853 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 2854 start_va = 0x140000 end_va = 0x23ffff entry_point = 0x0 region_type = private name = "private_0x0000000000140000" filename = "" Region: id = 2855 start_va = 0x77740000 end_va = 0x7785efff entry_point = 0x77740000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 2856 start_va = 0x7fefd900000 end_va = 0x7fefd96afff entry_point = 0x7fefd900000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 2857 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 2858 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 2859 start_va = 0x240000 end_va = 0x2a6fff entry_point = 0x240000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2860 start_va = 0x2b0000 end_va = 0x3affff entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 2861 start_va = 0x470000 end_va = 0x47ffff entry_point = 0x0 region_type = private name = "private_0x0000000000470000" filename = "" Region: id = 2862 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 2863 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 2864 start_va = 0x7fef4bf0000 end_va = 0x7fef4c01fff entry_point = 0x7fef4bf0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 2865 start_va = 0x7fefac90000 end_va = 0x7fefaca7fff entry_point = 0x7fefac90000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll") Region: id = 2866 start_va = 0x7fefb130000 end_va = 0x7fefb13afff entry_point = 0x7fefb130000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 2867 start_va = 0x7fefb140000 end_va = 0x7fefb166fff entry_point = 0x7fefb140000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 2868 start_va = 0x7fefb890000 end_va = 0x7fefb8a3fff entry_point = 0x7fefb890000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 2869 start_va = 0x7fefb8b0000 end_va = 0x7fefb8c4fff entry_point = 0x7fefb8b0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 2870 start_va = 0x7fefb8d0000 end_va = 0x7fefb8dbfff entry_point = 0x7fefb8d0000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 2871 start_va = 0x7fefd5a0000 end_va = 0x7fefd5c2fff entry_point = 0x7fefd5a0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 2872 start_va = 0x7fefdef0000 end_va = 0x7fefdef7fff entry_point = 0x7fefdef0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 2873 start_va = 0x7feff0f0000 end_va = 0x7feff1cafff entry_point = 0x7feff0f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 2874 start_va = 0x7feff1d0000 end_va = 0x7feff2fcfff entry_point = 0x7feff1d0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 2875 start_va = 0x7feff850000 end_va = 0x7feff86efff entry_point = 0x7feff850000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 2876 start_va = 0x7feffa80000 end_va = 0x7feffb1efff entry_point = 0x7feffa80000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 3171 start_va = 0x50000 end_va = 0x56fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 3172 start_va = 0x60000 end_va = 0x61fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 3173 start_va = 0x480000 end_va = 0x872fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000480000" filename = "" Region: id = 3174 start_va = 0x9b0000 end_va = 0xa2ffff entry_point = 0x0 region_type = private name = "private_0x00000000009b0000" filename = "" Region: id = 3175 start_va = 0x750e0000 end_va = 0x750e1fff entry_point = 0x750e0000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Region: id = 3176 start_va = 0x7fef92d0000 end_va = 0x7fef92defff entry_point = 0x7fef92d0000 region_type = mapped_file name = "cscapi.dll" filename = "\\Windows\\System32\\cscapi.dll" (normalized: "c:\\windows\\system32\\cscapi.dll") Region: id = 3177 start_va = 0x7fffffdb000 end_va = 0x7fffffdcfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdb000" filename = "" Thread: id = 337 os_tid = 0xb50 Thread: id = 392 os_tid = 0x6a0 Process: id = "28" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x9c96000" os_pid = "0xbc4" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "5" os_parent_pid = "0x1d4" cmd_line = "C:\\Windows\\system32\\svchost.exe -k LocalServiceAndNoImpersonation" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Local Service" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\AppIDSvc" [0xa], "NT SERVICE\\FDResPub" [0xa], "NT SERVICE\\FontCache" [0xe], "NT SERVICE\\Mcx2Svc" [0xa], "NT SERVICE\\QWAVE" [0xa], "NT SERVICE\\SCardSvr" [0xa], "NT SERVICE\\SensrSvc" [0xa], "NT SERVICE\\SSDPSRV" [0xa], "NT SERVICE\\TBS" [0xa], "NT SERVICE\\upnphost" [0xa], "NT SERVICE\\wcncsvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0004c96d" [0xc000000f], "LOCAL" [0x7] Region: id = 2979 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 2980 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 2981 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 2982 start_va = 0x90000 end_va = 0x10ffff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 2983 start_va = 0x77860000 end_va = 0x77a08fff entry_point = 0x77860000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2984 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 2985 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2986 start_va = 0xfff20000 end_va = 0xfff2afff entry_point = 0xfff20000 region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 2987 start_va = 0x7feffb80000 end_va = 0x7feffb80fff entry_point = 0x7feffb80000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 2988 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 2989 start_va = 0x7fffffda000 end_va = 0x7fffffdafff entry_point = 0x0 region_type = private name = "private_0x000007fffffda000" filename = "" Region: id = 2990 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 2991 start_va = 0x2b0000 end_va = 0x3affff entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 2992 start_va = 0x77740000 end_va = 0x7785efff entry_point = 0x77740000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 2993 start_va = 0x7fefd900000 end_va = 0x7fefd96afff entry_point = 0x7fefd900000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 2994 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 2995 start_va = 0x20000 end_va = 0x26fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 2996 start_va = 0x50000 end_va = 0x51fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 2997 start_va = 0x60000 end_va = 0x60fff entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 2998 start_va = 0x70000 end_va = 0x70fff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 2999 start_va = 0x110000 end_va = 0x176fff entry_point = 0x110000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3000 start_va = 0x180000 end_va = 0x23ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000180000" filename = "" Region: id = 3001 start_va = 0x250000 end_va = 0x25ffff entry_point = 0x0 region_type = private name = "private_0x0000000000250000" filename = "" Region: id = 3002 start_va = 0x3b0000 end_va = 0x4affff entry_point = 0x0 region_type = private name = "private_0x00000000003b0000" filename = "" Region: id = 3003 start_va = 0x4b0000 end_va = 0x637fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 3004 start_va = 0x640000 end_va = 0x7c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000640000" filename = "" Region: id = 3005 start_va = 0x7d0000 end_va = 0xbc2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007d0000" filename = "" Region: id = 3006 start_va = 0xc70000 end_va = 0xceffff entry_point = 0x0 region_type = private name = "private_0x0000000000c70000" filename = "" Region: id = 3007 start_va = 0x77640000 end_va = 0x77739fff entry_point = 0x77640000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 3008 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 3009 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 3010 start_va = 0x7fefd6a0000 end_va = 0x7fefd6aefff entry_point = 0x7fefd6a0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 3011 start_va = 0x7fefdb80000 end_va = 0x7fefdc48fff entry_point = 0x7fefdb80000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 3012 start_va = 0x7fefdd30000 end_va = 0x7fefdd3dfff entry_point = 0x7fefdd30000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 3013 start_va = 0x7fefdd40000 end_va = 0x7fefdd6dfff entry_point = 0x7fefdd40000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 3014 start_va = 0x7fefed10000 end_va = 0x7fefed76fff entry_point = 0x7fefed10000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 3015 start_va = 0x7fefed80000 end_va = 0x7fefee88fff entry_point = 0x7fefed80000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 3016 start_va = 0x7feff1d0000 end_va = 0x7feff2fcfff entry_point = 0x7feff1d0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 3017 start_va = 0x7feff850000 end_va = 0x7feff86efff entry_point = 0x7feff850000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 3018 start_va = 0x7feff870000 end_va = 0x7feffa72fff entry_point = 0x7feff870000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 3019 start_va = 0x7feffa80000 end_va = 0x7feffb1efff entry_point = 0x7feffa80000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 3020 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 3066 start_va = 0xda0000 end_va = 0xe1ffff entry_point = 0x0 region_type = private name = "private_0x0000000000da0000" filename = "" Region: id = 3067 start_va = 0xe90000 end_va = 0xf0ffff entry_point = 0x0 region_type = private name = "private_0x0000000000e90000" filename = "" Region: id = 3068 start_va = 0xf30000 end_va = 0xfaffff entry_point = 0x0 region_type = private name = "private_0x0000000000f30000" filename = "" Region: id = 3069 start_va = 0xfb0000 end_va = 0x127efff entry_point = 0xfb0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 3070 start_va = 0x7fef4250000 end_va = 0x7fef436afff entry_point = 0x7fef4250000 region_type = mapped_file name = "fntcache.dll" filename = "\\Windows\\System32\\FntCache.dll" (normalized: "c:\\windows\\system32\\fntcache.dll") Region: id = 3071 start_va = 0x7fefacb0000 end_va = 0x7fefacb9fff entry_point = 0x7fefacb0000 region_type = mapped_file name = "ktmw32.dll" filename = "\\Windows\\System32\\ktmw32.dll" (normalized: "c:\\windows\\system32\\ktmw32.dll") Region: id = 3072 start_va = 0x7feff0f0000 end_va = 0x7feff1cafff entry_point = 0x7feff0f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 3073 start_va = 0x7fffffd4000 end_va = 0x7fffffd5fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd4000" filename = "" Region: id = 3074 start_va = 0x7fffffd6000 end_va = 0x7fffffd7fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd6000" filename = "" Region: id = 3075 start_va = 0x7fffffd8000 end_va = 0x7fffffd9fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd8000" filename = "" Region: id = 3121 start_va = 0x16b0000 end_va = 0x172ffff entry_point = 0x0 region_type = private name = "private_0x00000000016b0000" filename = "" Region: id = 3122 start_va = 0x1730000 end_va = 0x1b2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001730000" filename = "" Region: id = 3123 start_va = 0x7fefc7a0000 end_va = 0x7fefc7ccfff entry_point = 0x7fefc7a0000 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 3124 start_va = 0x7feff600000 end_va = 0x7feff651fff entry_point = 0x7feff600000 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll") Region: id = 3125 start_va = 0x7fffffae000 end_va = 0x7fffffaffff entry_point = 0x0 region_type = private name = "private_0x000007fffffae000" filename = "" Thread: id = 362 os_tid = 0xbc8 Thread: id = 363 os_tid = 0xbcc Thread: id = 364 os_tid = 0xbd0 Thread: id = 365 os_tid = 0xbd4 Thread: id = 367 os_tid = 0xbd8 Thread: id = 385 os_tid = 0x658 Thread: id = 438 os_tid = 0x8d8 Thread: id = 443 os_tid = 0x8c0 Process: id = "29" image_name = "sppsvc.exe" filename = "c:\\windows\\system32\\sppsvc.exe" page_root = "0x45ba6000" os_pid = "0x76c" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "5" os_parent_pid = "0x1d4" cmd_line = "C:\\Windows\\system32\\sppsvc.exe" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Network Service" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\sppsvc" [0xe], "NT AUTHORITY\\Logon Session 00000000:0004d99c" [0xc000000f], "LOCAL" [0x7] Region: id = 3126 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 3127 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 3128 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 3129 start_va = 0x1d0000 end_va = 0x24ffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 3130 start_va = 0x77860000 end_va = 0x77a08fff entry_point = 0x77860000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3131 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 3132 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3133 start_va = 0xffd90000 end_va = 0x1000eefff entry_point = 0xffd90000 region_type = mapped_file name = "sppsvc.exe" filename = "\\Windows\\System32\\sppsvc.exe" (normalized: "c:\\windows\\system32\\sppsvc.exe") Region: id = 3134 start_va = 0x7feffb80000 end_va = 0x7feffb80fff entry_point = 0x7feffb80000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 3135 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 3136 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 3137 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 3138 start_va = 0x60000 end_va = 0x15ffff entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 3139 start_va = 0x77740000 end_va = 0x7785efff entry_point = 0x77740000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 3140 start_va = 0x7fefd900000 end_va = 0x7fefd96afff entry_point = 0x7fefd900000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 3141 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 3142 start_va = 0x20000 end_va = 0x26fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 3143 start_va = 0x50000 end_va = 0x51fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 3144 start_va = 0x160000 end_va = 0x1c6fff entry_point = 0x160000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3145 start_va = 0x250000 end_va = 0x250fff entry_point = 0x0 region_type = private name = "private_0x0000000000250000" filename = "" Region: id = 3146 start_va = 0x260000 end_va = 0x26ffff entry_point = 0x0 region_type = private name = "private_0x0000000000260000" filename = "" Region: id = 3147 start_va = 0x270000 end_va = 0x36ffff entry_point = 0x0 region_type = private name = "private_0x0000000000270000" filename = "" Region: id = 3148 start_va = 0x370000 end_va = 0x4f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000370000" filename = "" Region: id = 3149 start_va = 0x500000 end_va = 0x680fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 3150 start_va = 0x690000 end_va = 0x74ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000690000" filename = "" Region: id = 3151 start_va = 0x750000 end_va = 0xb42fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 3152 start_va = 0xb50000 end_va = 0xb50fff entry_point = 0x0 region_type = private name = "private_0x0000000000b50000" filename = "" Region: id = 3153 start_va = 0xb60000 end_va = 0xbdffff entry_point = 0x0 region_type = private name = "private_0x0000000000b60000" filename = "" Region: id = 3154 start_va = 0xd80000 end_va = 0xdfffff entry_point = 0x0 region_type = private name = "private_0x0000000000d80000" filename = "" Region: id = 3155 start_va = 0x77640000 end_va = 0x77739fff entry_point = 0x77640000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 3156 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 3157 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 3158 start_va = 0x7fefd6a0000 end_va = 0x7fefd6aefff entry_point = 0x7fefd6a0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 3159 start_va = 0x7fefdb80000 end_va = 0x7fefdc48fff entry_point = 0x7fefdb80000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 3160 start_va = 0x7fefdd30000 end_va = 0x7fefdd3dfff entry_point = 0x7fefdd30000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 3161 start_va = 0x7fefdd40000 end_va = 0x7fefdd6dfff entry_point = 0x7fefdd40000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 3162 start_va = 0x7fefed10000 end_va = 0x7fefed76fff entry_point = 0x7fefed10000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 3163 start_va = 0x7fefed80000 end_va = 0x7fefee88fff entry_point = 0x7fefed80000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 3164 start_va = 0x7feff0f0000 end_va = 0x7feff1cafff entry_point = 0x7feff0f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 3165 start_va = 0x7feff1d0000 end_va = 0x7feff2fcfff entry_point = 0x7feff1d0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 3166 start_va = 0x7feff850000 end_va = 0x7feff86efff entry_point = 0x7feff850000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 3167 start_va = 0x7feff870000 end_va = 0x7feffa72fff entry_point = 0x7feff870000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 3168 start_va = 0x7feffa80000 end_va = 0x7feffb1efff entry_point = 0x7feffa80000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 3169 start_va = 0x7fffffd9000 end_va = 0x7fffffdafff entry_point = 0x0 region_type = private name = "private_0x000007fffffd9000" filename = "" Region: id = 3170 start_va = 0x7fffffdb000 end_va = 0x7fffffdcfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdb000" filename = "" Region: id = 3626 start_va = 0xc00000 end_va = 0xc7ffff entry_point = 0x0 region_type = private name = "private_0x0000000000c00000" filename = "" Region: id = 3627 start_va = 0xf30000 end_va = 0xfaffff entry_point = 0x0 region_type = private name = "private_0x0000000000f30000" filename = "" Region: id = 3628 start_va = 0x7fefd790000 end_va = 0x7fefd7a3fff entry_point = 0x7fefd790000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 3629 start_va = 0x7fffffd5000 end_va = 0x7fffffd6fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd5000" filename = "" Region: id = 3630 start_va = 0x7fffffd7000 end_va = 0x7fffffd8fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd7000" filename = "" Thread: id = 386 os_tid = 0x20c Thread: id = 387 os_tid = 0x63c Thread: id = 388 os_tid = 0x678 Thread: id = 389 os_tid = 0x128 Thread: id = 390 os_tid = 0x83c Thread: id = 439 os_tid = 0x8dc Thread: id = 479 os_tid = 0x904 Process: id = "30" image_name = "logonui.exe" filename = "c:\\windows\\system32\\logonui.exe" page_root = "0x5083d000" os_pid = "0x86c" os_integrity_level = "0x4000" os_privileges = "0x60b16000" monitor_reason = "rpc_server" parent_id = "7" os_parent_pid = "0x294" cmd_line = "\"LogonUI.exe\" /flags:0x0" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Region: id = 3185 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 3186 start_va = 0x20000 end_va = 0x20fff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 3187 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 3188 start_va = 0x40000 end_va = 0x41fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 3189 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3190 start_va = 0xc0000 end_va = 0xeffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 3191 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 3192 start_va = 0x100000 end_va = 0x100fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000100000" filename = "" Region: id = 3193 start_va = 0x110000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 3194 start_va = 0x190000 end_va = 0x190fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 3195 start_va = 0x1a0000 end_va = 0x1a1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 3196 start_va = 0x1b0000 end_va = 0x1b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 3197 start_va = 0x1c0000 end_va = 0x1c1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001c0000" filename = "" Region: id = 3198 start_va = 0x1d0000 end_va = 0x1d1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3199 start_va = 0x1e0000 end_va = 0x1effff entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 3200 start_va = 0x1f0000 end_va = 0x1f6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 3201 start_va = 0x200000 end_va = 0x201fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000200000" filename = "" Region: id = 3202 start_va = 0x210000 end_va = 0x211fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000210000" filename = "" Region: id = 3203 start_va = 0x220000 end_va = 0x31ffff entry_point = 0x0 region_type = private name = "private_0x0000000000220000" filename = "" Region: id = 3204 start_va = 0x320000 end_va = 0x41ffff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 3205 start_va = 0x420000 end_va = 0x5a7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 3206 start_va = 0x5b0000 end_va = 0x730fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005b0000" filename = "" Region: id = 3207 start_va = 0x740000 end_va = 0x77ffff entry_point = 0x0 region_type = private name = "private_0x0000000000740000" filename = "" Region: id = 3208 start_va = 0x780000 end_va = 0x7fffff entry_point = 0x0 region_type = private name = "private_0x0000000000780000" filename = "" Region: id = 3209 start_va = 0x800000 end_va = 0x8defff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 3210 start_va = 0x8e0000 end_va = 0x8e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008e0000" filename = "" Region: id = 3211 start_va = 0x8f0000 end_va = 0x8f0fff entry_point = 0x0 region_type = private name = "private_0x00000000008f0000" filename = "" Region: id = 3212 start_va = 0x900000 end_va = 0x900fff entry_point = 0x0 region_type = private name = "private_0x0000000000900000" filename = "" Region: id = 3213 start_va = 0x910000 end_va = 0x910fff entry_point = 0x0 region_type = private name = "private_0x0000000000910000" filename = "" Region: id = 3214 start_va = 0x920000 end_va = 0x920fff entry_point = 0x0 region_type = private name = "private_0x0000000000920000" filename = "" Region: id = 3215 start_va = 0x930000 end_va = 0x930fff entry_point = 0x0 region_type = private name = "private_0x0000000000930000" filename = "" Region: id = 3216 start_va = 0x940000 end_va = 0x9bffff entry_point = 0x0 region_type = private name = "private_0x0000000000940000" filename = "" Region: id = 3217 start_va = 0x9c0000 end_va = 0x9c0fff entry_point = 0x0 region_type = private name = "private_0x00000000009c0000" filename = "" Region: id = 3218 start_va = 0x9d0000 end_va = 0x9d0fff entry_point = 0x0 region_type = private name = "private_0x00000000009d0000" filename = "" Region: id = 3219 start_va = 0x9e0000 end_va = 0x9e0fff entry_point = 0x0 region_type = private name = "private_0x00000000009e0000" filename = "" Region: id = 3220 start_va = 0x9f0000 end_va = 0x9f0fff entry_point = 0x0 region_type = private name = "private_0x00000000009f0000" filename = "" Region: id = 3221 start_va = 0xa00000 end_va = 0xa00fff entry_point = 0x0 region_type = private name = "private_0x0000000000a00000" filename = "" Region: id = 3222 start_va = 0xa10000 end_va = 0xa10fff entry_point = 0x0 region_type = private name = "private_0x0000000000a10000" filename = "" Region: id = 3223 start_va = 0xa20000 end_va = 0xa20fff entry_point = 0x0 region_type = private name = "private_0x0000000000a20000" filename = "" Region: id = 3224 start_va = 0xa30000 end_va = 0xa30fff entry_point = 0x0 region_type = private name = "private_0x0000000000a30000" filename = "" Region: id = 3225 start_va = 0xa40000 end_va = 0xa40fff entry_point = 0x0 region_type = private name = "private_0x0000000000a40000" filename = "" Region: id = 3226 start_va = 0xa50000 end_va = 0xa5ffff entry_point = 0x0 region_type = private name = "private_0x0000000000a50000" filename = "" Region: id = 3227 start_va = 0xa60000 end_va = 0xd2efff entry_point = 0xa60000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 3228 start_va = 0xd30000 end_va = 0xd30fff entry_point = 0x0 region_type = private name = "private_0x0000000000d30000" filename = "" Region: id = 3229 start_va = 0xd40000 end_va = 0xd40fff entry_point = 0x0 region_type = private name = "private_0x0000000000d40000" filename = "" Region: id = 3230 start_va = 0xd50000 end_va = 0xd50fff entry_point = 0x0 region_type = private name = "private_0x0000000000d50000" filename = "" Region: id = 3231 start_va = 0xd60000 end_va = 0xd60fff entry_point = 0x0 region_type = private name = "private_0x0000000000d60000" filename = "" Region: id = 3232 start_va = 0xd70000 end_va = 0xd70fff entry_point = 0x0 region_type = private name = "private_0x0000000000d70000" filename = "" Region: id = 3233 start_va = 0xd80000 end_va = 0xd80fff entry_point = 0x0 region_type = private name = "private_0x0000000000d80000" filename = "" Region: id = 3234 start_va = 0xd90000 end_va = 0xd90fff entry_point = 0x0 region_type = private name = "private_0x0000000000d90000" filename = "" Region: id = 3235 start_va = 0xda0000 end_va = 0xda0fff entry_point = 0x0 region_type = private name = "private_0x0000000000da0000" filename = "" Region: id = 3236 start_va = 0xdb0000 end_va = 0xdb0fff entry_point = 0x0 region_type = private name = "private_0x0000000000db0000" filename = "" Region: id = 3237 start_va = 0xdc0000 end_va = 0xdc0fff entry_point = 0x0 region_type = private name = "private_0x0000000000dc0000" filename = "" Region: id = 3238 start_va = 0xdd0000 end_va = 0xdd0fff entry_point = 0x0 region_type = private name = "private_0x0000000000dd0000" filename = "" Region: id = 3239 start_va = 0xde0000 end_va = 0xde0fff entry_point = 0x0 region_type = private name = "private_0x0000000000de0000" filename = "" Region: id = 3240 start_va = 0xdf0000 end_va = 0xdf0fff entry_point = 0x0 region_type = private name = "private_0x0000000000df0000" filename = "" Region: id = 3241 start_va = 0xe00000 end_va = 0xe00fff entry_point = 0x0 region_type = private name = "private_0x0000000000e00000" filename = "" Region: id = 3242 start_va = 0xe10000 end_va = 0xe8ffff entry_point = 0x0 region_type = private name = "private_0x0000000000e10000" filename = "" Region: id = 3243 start_va = 0xe90000 end_va = 0x1282fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e90000" filename = "" Region: id = 3244 start_va = 0x1290000 end_va = 0x138ffff entry_point = 0x0 region_type = private name = "private_0x0000000001290000" filename = "" Region: id = 3245 start_va = 0x1390000 end_va = 0x1390fff entry_point = 0x0 region_type = private name = "private_0x0000000001390000" filename = "" Region: id = 3246 start_va = 0x13a0000 end_va = 0x13a0fff entry_point = 0x0 region_type = private name = "private_0x00000000013a0000" filename = "" Region: id = 3247 start_va = 0x13b0000 end_va = 0x13b0fff entry_point = 0x0 region_type = private name = "private_0x00000000013b0000" filename = "" Region: id = 3248 start_va = 0x13c0000 end_va = 0x13c0fff entry_point = 0x0 region_type = private name = "private_0x00000000013c0000" filename = "" Region: id = 3249 start_va = 0x13d0000 end_va = 0x13d0fff entry_point = 0x0 region_type = private name = "private_0x00000000013d0000" filename = "" Region: id = 3250 start_va = 0x13e0000 end_va = 0x13e0fff entry_point = 0x0 region_type = private name = "private_0x00000000013e0000" filename = "" Region: id = 3251 start_va = 0x13f0000 end_va = 0x13f0fff entry_point = 0x0 region_type = private name = "private_0x00000000013f0000" filename = "" Region: id = 3252 start_va = 0x1400000 end_va = 0x1400fff entry_point = 0x0 region_type = private name = "private_0x0000000001400000" filename = "" Region: id = 3253 start_va = 0x1410000 end_va = 0x1416fff entry_point = 0x0 region_type = private name = "private_0x0000000001410000" filename = "" Region: id = 3254 start_va = 0x1420000 end_va = 0x1429fff entry_point = 0x0 region_type = private name = "private_0x0000000001420000" filename = "" Region: id = 3255 start_va = 0x1430000 end_va = 0x1436fff entry_point = 0x0 region_type = private name = "private_0x0000000001430000" filename = "" Region: id = 3256 start_va = 0x1440000 end_va = 0x1463fff entry_point = 0x0 region_type = private name = "private_0x0000000001440000" filename = "" Region: id = 3257 start_va = 0x1470000 end_va = 0x1479fff entry_point = 0x0 region_type = private name = "private_0x0000000001470000" filename = "" Region: id = 3258 start_va = 0x1480000 end_va = 0x1486fff entry_point = 0x0 region_type = private name = "private_0x0000000001480000" filename = "" Region: id = 3259 start_va = 0x1490000 end_va = 0x1499fff entry_point = 0x0 region_type = private name = "private_0x0000000001490000" filename = "" Region: id = 3260 start_va = 0x14a0000 end_va = 0x14a6fff entry_point = 0x0 region_type = private name = "private_0x00000000014a0000" filename = "" Region: id = 3261 start_va = 0x14b0000 end_va = 0x14e7fff entry_point = 0x0 region_type = private name = "private_0x00000000014b0000" filename = "" Region: id = 3262 start_va = 0x14f0000 end_va = 0x14f9fff entry_point = 0x0 region_type = private name = "private_0x00000000014f0000" filename = "" Region: id = 3263 start_va = 0x1500000 end_va = 0x1500fff entry_point = 0x0 region_type = private name = "private_0x0000000001500000" filename = "" Region: id = 3264 start_va = 0x1510000 end_va = 0x1510fff entry_point = 0x0 region_type = private name = "private_0x0000000001510000" filename = "" Region: id = 3265 start_va = 0x1520000 end_va = 0x1520fff entry_point = 0x0 region_type = private name = "private_0x0000000001520000" filename = "" Region: id = 3266 start_va = 0x1530000 end_va = 0x1530fff entry_point = 0x0 region_type = private name = "private_0x0000000001530000" filename = "" Region: id = 3267 start_va = 0x1540000 end_va = 0x1540fff entry_point = 0x0 region_type = private name = "private_0x0000000001540000" filename = "" Region: id = 3268 start_va = 0x1550000 end_va = 0x1551fff entry_point = 0x0 region_type = private name = "private_0x0000000001550000" filename = "" Region: id = 3269 start_va = 0x1560000 end_va = 0x1560fff entry_point = 0x0 region_type = private name = "private_0x0000000001560000" filename = "" Region: id = 3270 start_va = 0x1570000 end_va = 0x1571fff entry_point = 0x0 region_type = private name = "private_0x0000000001570000" filename = "" Region: id = 3271 start_va = 0x1580000 end_va = 0x1580fff entry_point = 0x0 region_type = private name = "private_0x0000000001580000" filename = "" Region: id = 3272 start_va = 0x1590000 end_va = 0x1591fff entry_point = 0x0 region_type = private name = "private_0x0000000001590000" filename = "" Region: id = 3273 start_va = 0x15a0000 end_va = 0x15a0fff entry_point = 0x0 region_type = private name = "private_0x00000000015a0000" filename = "" Region: id = 3274 start_va = 0x15b0000 end_va = 0x15b1fff entry_point = 0x0 region_type = private name = "private_0x00000000015b0000" filename = "" Region: id = 3275 start_va = 0x15c0000 end_va = 0x15c0fff entry_point = 0x0 region_type = private name = "private_0x00000000015c0000" filename = "" Region: id = 3276 start_va = 0x15d0000 end_va = 0x15d0fff entry_point = 0x0 region_type = private name = "private_0x00000000015d0000" filename = "" Region: id = 3277 start_va = 0x15e0000 end_va = 0x15e0fff entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 3278 start_va = 0x15f0000 end_va = 0x15f0fff entry_point = 0x0 region_type = private name = "private_0x00000000015f0000" filename = "" Region: id = 3279 start_va = 0x1600000 end_va = 0x1600fff entry_point = 0x0 region_type = private name = "private_0x0000000001600000" filename = "" Region: id = 3280 start_va = 0x1610000 end_va = 0x1610fff entry_point = 0x0 region_type = private name = "private_0x0000000001610000" filename = "" Region: id = 3281 start_va = 0x1620000 end_va = 0x1620fff entry_point = 0x0 region_type = private name = "private_0x0000000001620000" filename = "" Region: id = 3282 start_va = 0x1630000 end_va = 0x1630fff entry_point = 0x0 region_type = private name = "private_0x0000000001630000" filename = "" Region: id = 3283 start_va = 0x1640000 end_va = 0x1640fff entry_point = 0x0 region_type = private name = "private_0x0000000001640000" filename = "" Region: id = 3284 start_va = 0x1650000 end_va = 0x1650fff entry_point = 0x0 region_type = private name = "private_0x0000000001650000" filename = "" Region: id = 3285 start_va = 0x1660000 end_va = 0x1660fff entry_point = 0x0 region_type = private name = "private_0x0000000001660000" filename = "" Region: id = 3286 start_va = 0x1670000 end_va = 0x1670fff entry_point = 0x0 region_type = private name = "private_0x0000000001670000" filename = "" Region: id = 3287 start_va = 0x1680000 end_va = 0x1680fff entry_point = 0x0 region_type = private name = "private_0x0000000001680000" filename = "" Region: id = 3288 start_va = 0x1690000 end_va = 0x1690fff entry_point = 0x0 region_type = private name = "private_0x0000000001690000" filename = "" Region: id = 3289 start_va = 0x16a0000 end_va = 0x16a0fff entry_point = 0x0 region_type = private name = "private_0x00000000016a0000" filename = "" Region: id = 3290 start_va = 0x16b0000 end_va = 0x16b0fff entry_point = 0x0 region_type = private name = "private_0x00000000016b0000" filename = "" Region: id = 3291 start_va = 0x16c0000 end_va = 0x16c0fff entry_point = 0x0 region_type = private name = "private_0x00000000016c0000" filename = "" Region: id = 3292 start_va = 0x16d0000 end_va = 0x16d0fff entry_point = 0x0 region_type = private name = "private_0x00000000016d0000" filename = "" Region: id = 3293 start_va = 0x16e0000 end_va = 0x17dffff entry_point = 0x0 region_type = private name = "private_0x00000000016e0000" filename = "" Region: id = 3294 start_va = 0x17e0000 end_va = 0x2b34fff entry_point = 0x17e0000 region_type = mapped_file name = "imageres.dll" filename = "\\Windows\\System32\\imageres.dll" (normalized: "c:\\windows\\system32\\imageres.dll") Region: id = 3295 start_va = 0x2b40000 end_va = 0x2b40fff entry_point = 0x0 region_type = private name = "private_0x0000000002b40000" filename = "" Region: id = 3296 start_va = 0x2b50000 end_va = 0x2b50fff entry_point = 0x0 region_type = private name = "private_0x0000000002b50000" filename = "" Region: id = 3297 start_va = 0x2b60000 end_va = 0x2b71fff entry_point = 0x0 region_type = private name = "private_0x0000000002b60000" filename = "" Region: id = 3298 start_va = 0x2b80000 end_va = 0x2b81fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002b80000" filename = "" Region: id = 3299 start_va = 0x2b90000 end_va = 0x2b91fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002b90000" filename = "" Region: id = 3300 start_va = 0x2ba0000 end_va = 0x2c1ffff entry_point = 0x0 region_type = private name = "private_0x0000000002ba0000" filename = "" Region: id = 3301 start_va = 0x2c20000 end_va = 0x2c21fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002c20000" filename = "" Region: id = 3302 start_va = 0x2c30000 end_va = 0x2c30fff entry_point = 0x0 region_type = private name = "private_0x0000000002c30000" filename = "" Region: id = 3303 start_va = 0x2c40000 end_va = 0x2c40fff entry_point = 0x0 region_type = private name = "private_0x0000000002c40000" filename = "" Region: id = 3304 start_va = 0x2c50000 end_va = 0x2c50fff entry_point = 0x2c50000 region_type = mapped_file name = "msctf.dll.mui" filename = "\\Windows\\System32\\en-US\\msctf.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\msctf.dll.mui") Region: id = 3305 start_va = 0x2c60000 end_va = 0x2c60fff entry_point = 0x2c60000 region_type = mapped_file name = "oleaccrc.dll" filename = "\\Windows\\System32\\oleaccrc.dll" (normalized: "c:\\windows\\system32\\oleaccrc.dll") Region: id = 3306 start_va = 0x2ca0000 end_va = 0x2ca2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002ca0000" filename = "" Region: id = 3307 start_va = 0x2cb0000 end_va = 0x2cbffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002cb0000" filename = "" Region: id = 3308 start_va = 0x2cc0000 end_va = 0x2d3ffff entry_point = 0x0 region_type = private name = "private_0x0000000002cc0000" filename = "" Region: id = 3309 start_va = 0x2df0000 end_va = 0x2e6ffff entry_point = 0x0 region_type = private name = "private_0x0000000002df0000" filename = "" Region: id = 3310 start_va = 0x2e70000 end_va = 0x2f2ffff entry_point = 0x2e70000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 3311 start_va = 0x2f90000 end_va = 0x300ffff entry_point = 0x0 region_type = private name = "private_0x0000000002f90000" filename = "" Region: id = 3312 start_va = 0x30b0000 end_va = 0x312ffff entry_point = 0x0 region_type = private name = "private_0x00000000030b0000" filename = "" Region: id = 3313 start_va = 0x3560000 end_va = 0x365ffff entry_point = 0x0 region_type = private name = "private_0x0000000003560000" filename = "" Region: id = 3314 start_va = 0x3660000 end_va = 0x3661fff entry_point = 0x0 region_type = private name = "private_0x0000000003660000" filename = "" Region: id = 3315 start_va = 0x3670000 end_va = 0x3b61fff entry_point = 0x0 region_type = private name = "private_0x0000000003670000" filename = "" Region: id = 3316 start_va = 0x77640000 end_va = 0x77739fff entry_point = 0x77640000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 3317 start_va = 0x77740000 end_va = 0x7785efff entry_point = 0x77740000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 3318 start_va = 0x77860000 end_va = 0x77a08fff entry_point = 0x77860000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3319 start_va = 0x77a30000 end_va = 0x77a36fff entry_point = 0x77a30000 region_type = mapped_file name = "psapi.dll" filename = "\\Windows\\System32\\psapi.dll" (normalized: "c:\\windows\\system32\\psapi.dll") Region: id = 3320 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 3321 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 3322 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3323 start_va = 0xffea0000 end_va = 0xffeaafff entry_point = 0xffea0000 region_type = mapped_file name = "logonui.exe" filename = "\\Windows\\System32\\LogonUI.exe" (normalized: "c:\\windows\\system32\\logonui.exe") Region: id = 3324 start_va = 0x7fef39f0000 end_va = 0x7fef3aa9fff entry_point = 0x7fef39f0000 region_type = mapped_file name = "uiautomationcore.dll" filename = "\\Windows\\System32\\UIAutomationCore.dll" (normalized: "c:\\windows\\system32\\uiautomationcore.dll") Region: id = 3325 start_va = 0x7fef3ab0000 end_va = 0x7fef3b17fff entry_point = 0x7fef3ab0000 region_type = mapped_file name = "rasplap.dll" filename = "\\Windows\\System32\\rasplap.dll" (normalized: "c:\\windows\\system32\\rasplap.dll") Region: id = 3326 start_va = 0x7fef3b20000 end_va = 0x7fef3b53fff entry_point = 0x7fef3b20000 region_type = mapped_file name = "credui.dll" filename = "\\Windows\\System32\\credui.dll" (normalized: "c:\\windows\\system32\\credui.dll") Region: id = 3327 start_va = 0x7fef3b70000 end_va = 0x7fef3b92fff entry_point = 0x7fef3b70000 region_type = mapped_file name = "certcredprovider.dll" filename = "\\Windows\\System32\\certCredProvider.dll" (normalized: "c:\\windows\\system32\\certcredprovider.dll") Region: id = 3328 start_va = 0x7fef48f0000 end_va = 0x7fef48fdfff entry_point = 0x7fef48f0000 region_type = mapped_file name = "vaultcli.dll" filename = "\\Windows\\System32\\vaultcli.dll" (normalized: "c:\\windows\\system32\\vaultcli.dll") Region: id = 3329 start_va = 0x7fef4900000 end_va = 0x7fef4931fff entry_point = 0x7fef4900000 region_type = mapped_file name = "biocredprov.dll" filename = "\\Windows\\System32\\BioCredProv.dll" (normalized: "c:\\windows\\system32\\biocredprov.dll") Region: id = 3330 start_va = 0x7fef4940000 end_va = 0x7fef4971fff entry_point = 0x7fef4940000 region_type = mapped_file name = "smartcardcredentialprovider.dll" filename = "\\Windows\\System32\\SmartcardCredentialProvider.dll" (normalized: "c:\\windows\\system32\\smartcardcredentialprovider.dll") Region: id = 3331 start_va = 0x7fef4980000 end_va = 0x7fef4997fff entry_point = 0x7fef4980000 region_type = mapped_file name = "vaultcredprovider.dll" filename = "\\Windows\\System32\\VaultCredProvider.dll" (normalized: "c:\\windows\\system32\\vaultcredprovider.dll") Region: id = 3332 start_va = 0x7fef49a0000 end_va = 0x7fef49b6fff entry_point = 0x7fef49a0000 region_type = mapped_file name = "winbio.dll" filename = "\\Windows\\System32\\winbio.dll" (normalized: "c:\\windows\\system32\\winbio.dll") Region: id = 3333 start_va = 0x7fef4c00000 end_va = 0x7fef4c07fff entry_point = 0x7fef4c00000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 3334 start_va = 0x7fef54a0000 end_va = 0x7fef54f3fff entry_point = 0x7fef54a0000 region_type = mapped_file name = "oleacc.dll" filename = "\\Windows\\System32\\oleacc.dll" (normalized: "c:\\windows\\system32\\oleacc.dll") Region: id = 3335 start_va = 0x7fef6310000 end_va = 0x7fef6371fff entry_point = 0x7fef6310000 region_type = mapped_file name = "rasapi32.dll" filename = "\\Windows\\System32\\rasapi32.dll" (normalized: "c:\\windows\\system32\\rasapi32.dll") Region: id = 3336 start_va = 0x7fefae70000 end_va = 0x7fefae8bfff entry_point = 0x7fefae70000 region_type = mapped_file name = "rasman.dll" filename = "\\Windows\\System32\\rasman.dll" (normalized: "c:\\windows\\system32\\rasman.dll") Region: id = 3337 start_va = 0x7fefb740000 end_va = 0x7fefb750fff entry_point = 0x7fefb740000 region_type = mapped_file name = "rtutils.dll" filename = "\\Windows\\System32\\rtutils.dll" (normalized: "c:\\windows\\system32\\rtutils.dll") Region: id = 3338 start_va = 0x7fefb890000 end_va = 0x7fefb8a3fff entry_point = 0x7fefb890000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 3339 start_va = 0x7fefb8b0000 end_va = 0x7fefb8c4fff entry_point = 0x7fefb8b0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 3340 start_va = 0x7fefb8d0000 end_va = 0x7fefb8dbfff entry_point = 0x7fefb8d0000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 3341 start_va = 0x7fefb8e0000 end_va = 0x7fefb8f5fff entry_point = 0x7fefb8e0000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 3342 start_va = 0x7fefba10000 end_va = 0x7fefba20fff entry_point = 0x7fefba10000 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 3343 start_va = 0x7fefba40000 end_va = 0x7fefbb69fff entry_point = 0x7fefba40000 region_type = mapped_file name = "windowscodecs.dll" filename = "\\Windows\\System32\\WindowsCodecs.dll" (normalized: "c:\\windows\\system32\\windowscodecs.dll") Region: id = 3344 start_va = 0x7fefbb70000 end_va = 0x7fefbba4fff entry_point = 0x7fefbb70000 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\System32\\xmllite.dll" (normalized: "c:\\windows\\system32\\xmllite.dll") Region: id = 3345 start_va = 0x7fefbbb0000 end_va = 0x7fefbbc7fff entry_point = 0x7fefbbb0000 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Region: id = 3346 start_va = 0x7fefbbd0000 end_va = 0x7fefbbdafff entry_point = 0x7fefbbd0000 region_type = mapped_file name = "hid.dll" filename = "\\Windows\\System32\\hid.dll" (normalized: "c:\\windows\\system32\\hid.dll") Region: id = 3347 start_va = 0x7fefbbe0000 end_va = 0x7fefbc1afff entry_point = 0x7fefbbe0000 region_type = mapped_file name = "sndvolsso.dll" filename = "\\Windows\\System32\\SndVolSSO.dll" (normalized: "c:\\windows\\system32\\sndvolsso.dll") Region: id = 3348 start_va = 0x7fefbc20000 end_va = 0x7fefbc62fff entry_point = 0x7fefbc20000 region_type = mapped_file name = "duser.dll" filename = "\\Windows\\System32\\duser.dll" (normalized: "c:\\windows\\system32\\duser.dll") Region: id = 3349 start_va = 0x7fefbc70000 end_va = 0x7fefbd61fff entry_point = 0x7fefbc70000 region_type = mapped_file name = "dui70.dll" filename = "\\Windows\\System32\\dui70.dll" (normalized: "c:\\windows\\system32\\dui70.dll") Region: id = 3350 start_va = 0x7fefbd70000 end_va = 0x7fefbf84fff entry_point = 0x7fefbd70000 region_type = mapped_file name = "gdiplus.dll" filename = "\\Windows\\winsxs\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_2b24536c71ed437a\\GdiPlus.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_2b24536c71ed437a\\gdiplus.dll") Region: id = 3351 start_va = 0x7fefbf90000 end_va = 0x7fefbfe5fff entry_point = 0x7fefbf90000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 3352 start_va = 0x7fefc040000 end_va = 0x7fefc233fff entry_point = 0x7fefc040000 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\\comctl32.dll") Region: id = 3353 start_va = 0x7fefc240000 end_va = 0x7fefc348fff entry_point = 0x7fefc240000 region_type = mapped_file name = "cryptui.dll" filename = "\\Windows\\System32\\cryptui.dll" (normalized: "c:\\windows\\system32\\cryptui.dll") Region: id = 3354 start_va = 0x7fefc350000 end_va = 0x7fefc529fff entry_point = 0x7fefc350000 region_type = mapped_file name = "authui.dll" filename = "\\Windows\\System32\\authui.dll" (normalized: "c:\\windows\\system32\\authui.dll") Region: id = 3355 start_va = 0x7fefc540000 end_va = 0x7fefc66bfff entry_point = 0x7fefc540000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 3356 start_va = 0x7fefc670000 end_va = 0x7fefc6bafff entry_point = 0x7fefc670000 region_type = mapped_file name = "mmdevapi.dll" filename = "\\Windows\\System32\\MMDevAPI.dll" (normalized: "c:\\windows\\system32\\mmdevapi.dll") Region: id = 3357 start_va = 0x7fefcda0000 end_va = 0x7fefcde6fff entry_point = 0x7fefcda0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 3358 start_va = 0x7fefd0a0000 end_va = 0x7fefd0b6fff entry_point = 0x7fefd0a0000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 3359 start_va = 0x7fefd5a0000 end_va = 0x7fefd5c2fff entry_point = 0x7fefd5a0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 3360 start_va = 0x7fefd640000 end_va = 0x7fefd64afff entry_point = 0x7fefd640000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 3361 start_va = 0x7fefd670000 end_va = 0x7fefd694fff entry_point = 0x7fefd670000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 3362 start_va = 0x7fefd6a0000 end_va = 0x7fefd6aefff entry_point = 0x7fefd6a0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 3363 start_va = 0x7fefd750000 end_va = 0x7fefd78cfff entry_point = 0x7fefd750000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 3364 start_va = 0x7fefd790000 end_va = 0x7fefd7a3fff entry_point = 0x7fefd790000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 3365 start_va = 0x7fefd850000 end_va = 0x7fefd85efff entry_point = 0x7fefd850000 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 3366 start_va = 0x7fefd900000 end_va = 0x7fefd96afff entry_point = 0x7fefd900000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 3367 start_va = 0x7fefd970000 end_va = 0x7fefd989fff entry_point = 0x7fefd970000 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 3368 start_va = 0x7fefd990000 end_va = 0x7fefdaf6fff entry_point = 0x7fefd990000 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 3369 start_va = 0x7fefdb00000 end_va = 0x7fefdb35fff entry_point = 0x7fefdb00000 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 3370 start_va = 0x7fefdb80000 end_va = 0x7fefdc48fff entry_point = 0x7fefdb80000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 3371 start_va = 0x7fefdc50000 end_va = 0x7fefdd26fff entry_point = 0x7fefdc50000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 3372 start_va = 0x7fefdd30000 end_va = 0x7fefdd3dfff entry_point = 0x7fefdd30000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 3373 start_va = 0x7fefdd40000 end_va = 0x7fefdd6dfff entry_point = 0x7fefdd40000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 3374 start_va = 0x7fefdef0000 end_va = 0x7fefdef7fff entry_point = 0x7fefdef0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 3375 start_va = 0x7fefed10000 end_va = 0x7fefed76fff entry_point = 0x7fefed10000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 3376 start_va = 0x7fefed80000 end_va = 0x7fefee88fff entry_point = 0x7fefed80000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 3377 start_va = 0x7feff0f0000 end_va = 0x7feff1cafff entry_point = 0x7feff0f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 3378 start_va = 0x7feff1d0000 end_va = 0x7feff2fcfff entry_point = 0x7feff1d0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 3379 start_va = 0x7feff300000 end_va = 0x7feff4d6fff entry_point = 0x7feff300000 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll") Region: id = 3380 start_va = 0x7feff4e0000 end_va = 0x7feff550fff entry_point = 0x7feff4e0000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 3381 start_va = 0x7feff560000 end_va = 0x7feff5f8fff entry_point = 0x7feff560000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 3382 start_va = 0x7feff850000 end_va = 0x7feff86efff entry_point = 0x7feff850000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 3383 start_va = 0x7feff870000 end_va = 0x7feffa72fff entry_point = 0x7feff870000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 3384 start_va = 0x7feffa80000 end_va = 0x7feffb1efff entry_point = 0x7feffa80000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 3385 start_va = 0x7feffb20000 end_va = 0x7feffb6cfff entry_point = 0x7feffb20000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 3386 start_va = 0x7feffb80000 end_va = 0x7feffb80fff entry_point = 0x7feffb80000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 3387 start_va = 0x7fffffac000 end_va = 0x7fffffadfff entry_point = 0x0 region_type = private name = "private_0x000007fffffac000" filename = "" Region: id = 3388 start_va = 0x7fffffae000 end_va = 0x7fffffaffff entry_point = 0x0 region_type = private name = "private_0x000007fffffae000" filename = "" Region: id = 3389 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 3390 start_va = 0x7fffffd4000 end_va = 0x7fffffd5fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd4000" filename = "" Region: id = 3391 start_va = 0x7fffffd6000 end_va = 0x7fffffd7fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd6000" filename = "" Region: id = 3392 start_va = 0x7fffffd8000 end_va = 0x7fffffd9fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd8000" filename = "" Region: id = 3393 start_va = 0x7fffffda000 end_va = 0x7fffffdbfff entry_point = 0x0 region_type = private name = "private_0x000007fffffda000" filename = "" Region: id = 3394 start_va = 0x7fffffdc000 end_va = 0x7fffffdcfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 3395 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 3396 start_va = 0x3260000 end_va = 0x32dffff entry_point = 0x0 region_type = private name = "private_0x0000000003260000" filename = "" Region: id = 3397 start_va = 0x7fefd6b0000 end_va = 0x7fefd740fff entry_point = 0x7fefd6b0000 region_type = mapped_file name = "sxs.dll" filename = "\\Windows\\System32\\sxs.dll" (normalized: "c:\\windows\\system32\\sxs.dll") Region: id = 3398 start_va = 0x7fffffaa000 end_va = 0x7fffffabfff entry_point = 0x0 region_type = private name = "private_0x000007fffffaa000" filename = "" Thread: id = 395 os_tid = 0x850 Thread: id = 396 os_tid = 0x854 Thread: id = 397 os_tid = 0x858 Thread: id = 398 os_tid = 0x85c Thread: id = 399 os_tid = 0x860 Thread: id = 400 os_tid = 0x864 Thread: id = 401 os_tid = 0x30c Thread: id = 402 os_tid = 0x874 Thread: id = 403 os_tid = 0x698 Thread: id = 476 os_tid = 0x910 Process: id = "31" image_name = "logonui.exe" filename = "c:\\windows\\system32\\logonui.exe" page_root = "0x76dd0000" os_pid = "0x6f8" os_integrity_level = "0x4000" os_privileges = "0x860b14080" monitor_reason = "rpc_server" parent_id = "7" os_parent_pid = "0x294" cmd_line = "\"LogonUI.exe\" /flags:0x1" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Region: id = 3417 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 3418 start_va = 0x20000 end_va = 0x20fff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 3419 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 3420 start_va = 0x40000 end_va = 0x41fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 3421 start_va = 0x50000 end_va = 0x50fff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 3422 start_va = 0x60000 end_va = 0x15ffff entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 3423 start_va = 0x160000 end_va = 0x18ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000160000" filename = "" Region: id = 3424 start_va = 0x190000 end_va = 0x190fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 3425 start_va = 0x1a0000 end_va = 0x1a0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 3426 start_va = 0x1b0000 end_va = 0x22ffff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 3427 start_va = 0x230000 end_va = 0x296fff entry_point = 0x230000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3428 start_va = 0x2a0000 end_va = 0x39ffff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 3429 start_va = 0x3a0000 end_va = 0x3a1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 3430 start_va = 0x3b0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 3431 start_va = 0x3c0000 end_va = 0x3cffff entry_point = 0x0 region_type = private name = "private_0x00000000003c0000" filename = "" Region: id = 3432 start_va = 0x3d0000 end_va = 0x3d1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 3433 start_va = 0x3e0000 end_va = 0x3e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 3434 start_va = 0x3f0000 end_va = 0x3fffff entry_point = 0x0 region_type = private name = "private_0x00000000003f0000" filename = "" Region: id = 3435 start_va = 0x400000 end_va = 0x587fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 3436 start_va = 0x590000 end_va = 0x710fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000590000" filename = "" Region: id = 3437 start_va = 0x720000 end_va = 0x75ffff entry_point = 0x0 region_type = private name = "private_0x0000000000720000" filename = "" Region: id = 3438 start_va = 0x760000 end_va = 0x7dffff entry_point = 0x0 region_type = private name = "private_0x0000000000760000" filename = "" Region: id = 3439 start_va = 0x7e0000 end_va = 0x7e6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007e0000" filename = "" Region: id = 3440 start_va = 0x7f0000 end_va = 0x7f1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 3441 start_va = 0x800000 end_va = 0x801fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 3442 start_va = 0x810000 end_va = 0x810fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000810000" filename = "" Region: id = 3443 start_va = 0x820000 end_va = 0x820fff entry_point = 0x0 region_type = private name = "private_0x0000000000820000" filename = "" Region: id = 3444 start_va = 0x830000 end_va = 0x830fff entry_point = 0x0 region_type = private name = "private_0x0000000000830000" filename = "" Region: id = 3445 start_va = 0x840000 end_va = 0x840fff entry_point = 0x0 region_type = private name = "private_0x0000000000840000" filename = "" Region: id = 3446 start_va = 0x850000 end_va = 0x850fff entry_point = 0x0 region_type = private name = "private_0x0000000000850000" filename = "" Region: id = 3447 start_va = 0x860000 end_va = 0x860fff entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 3448 start_va = 0x870000 end_va = 0x870fff entry_point = 0x0 region_type = private name = "private_0x0000000000870000" filename = "" Region: id = 3449 start_va = 0x880000 end_va = 0x880fff entry_point = 0x0 region_type = private name = "private_0x0000000000880000" filename = "" Region: id = 3450 start_va = 0x890000 end_va = 0x890fff entry_point = 0x0 region_type = private name = "private_0x0000000000890000" filename = "" Region: id = 3451 start_va = 0x8a0000 end_va = 0x91ffff entry_point = 0x0 region_type = private name = "private_0x00000000008a0000" filename = "" Region: id = 3452 start_va = 0x920000 end_va = 0x920fff entry_point = 0x0 region_type = private name = "private_0x0000000000920000" filename = "" Region: id = 3453 start_va = 0x930000 end_va = 0x930fff entry_point = 0x0 region_type = private name = "private_0x0000000000930000" filename = "" Region: id = 3454 start_va = 0x940000 end_va = 0x940fff entry_point = 0x0 region_type = private name = "private_0x0000000000940000" filename = "" Region: id = 3455 start_va = 0x950000 end_va = 0x950fff entry_point = 0x0 region_type = private name = "private_0x0000000000950000" filename = "" Region: id = 3456 start_va = 0x960000 end_va = 0x960fff entry_point = 0x0 region_type = private name = "private_0x0000000000960000" filename = "" Region: id = 3457 start_va = 0x970000 end_va = 0x970fff entry_point = 0x0 region_type = private name = "private_0x0000000000970000" filename = "" Region: id = 3458 start_va = 0x980000 end_va = 0x980fff entry_point = 0x0 region_type = private name = "private_0x0000000000980000" filename = "" Region: id = 3459 start_va = 0x990000 end_va = 0x990fff entry_point = 0x0 region_type = private name = "private_0x0000000000990000" filename = "" Region: id = 3460 start_va = 0x9a0000 end_va = 0x9a0fff entry_point = 0x0 region_type = private name = "private_0x00000000009a0000" filename = "" Region: id = 3461 start_va = 0x9b0000 end_va = 0x9b0fff entry_point = 0x0 region_type = private name = "private_0x00000000009b0000" filename = "" Region: id = 3462 start_va = 0x9c0000 end_va = 0x9c0fff entry_point = 0x0 region_type = private name = "private_0x00000000009c0000" filename = "" Region: id = 3463 start_va = 0x9d0000 end_va = 0xa4ffff entry_point = 0x0 region_type = private name = "private_0x00000000009d0000" filename = "" Region: id = 3464 start_va = 0xa50000 end_va = 0xd1efff entry_point = 0xa50000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 3465 start_va = 0xd20000 end_va = 0x1112fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d20000" filename = "" Region: id = 3466 start_va = 0x1120000 end_va = 0x121ffff entry_point = 0x0 region_type = private name = "private_0x0000000001120000" filename = "" Region: id = 3467 start_va = 0x1220000 end_va = 0x1220fff entry_point = 0x0 region_type = private name = "private_0x0000000001220000" filename = "" Region: id = 3468 start_va = 0x1230000 end_va = 0x1230fff entry_point = 0x0 region_type = private name = "private_0x0000000001230000" filename = "" Region: id = 3469 start_va = 0x1240000 end_va = 0x1240fff entry_point = 0x0 region_type = private name = "private_0x0000000001240000" filename = "" Region: id = 3470 start_va = 0x1250000 end_va = 0x1250fff entry_point = 0x0 region_type = private name = "private_0x0000000001250000" filename = "" Region: id = 3471 start_va = 0x1260000 end_va = 0x1260fff entry_point = 0x0 region_type = private name = "private_0x0000000001260000" filename = "" Region: id = 3472 start_va = 0x1270000 end_va = 0x1270fff entry_point = 0x0 region_type = private name = "private_0x0000000001270000" filename = "" Region: id = 3473 start_va = 0x1280000 end_va = 0x1280fff entry_point = 0x0 region_type = private name = "private_0x0000000001280000" filename = "" Region: id = 3474 start_va = 0x1290000 end_va = 0x1290fff entry_point = 0x0 region_type = private name = "private_0x0000000001290000" filename = "" Region: id = 3475 start_va = 0x12a0000 end_va = 0x12a0fff entry_point = 0x0 region_type = private name = "private_0x00000000012a0000" filename = "" Region: id = 3476 start_va = 0x12b0000 end_va = 0x12b0fff entry_point = 0x0 region_type = private name = "private_0x00000000012b0000" filename = "" Region: id = 3477 start_va = 0x12c0000 end_va = 0x12c0fff entry_point = 0x0 region_type = private name = "private_0x00000000012c0000" filename = "" Region: id = 3478 start_va = 0x12d0000 end_va = 0x12d0fff entry_point = 0x0 region_type = private name = "private_0x00000000012d0000" filename = "" Region: id = 3479 start_va = 0x12e0000 end_va = 0x12e0fff entry_point = 0x0 region_type = private name = "private_0x00000000012e0000" filename = "" Region: id = 3480 start_va = 0x12f0000 end_va = 0x12f0fff entry_point = 0x0 region_type = private name = "private_0x00000000012f0000" filename = "" Region: id = 3481 start_va = 0x1300000 end_va = 0x1300fff entry_point = 0x0 region_type = private name = "private_0x0000000001300000" filename = "" Region: id = 3482 start_va = 0x1310000 end_va = 0x1310fff entry_point = 0x0 region_type = private name = "private_0x0000000001310000" filename = "" Region: id = 3483 start_va = 0x1320000 end_va = 0x1320fff entry_point = 0x0 region_type = private name = "private_0x0000000001320000" filename = "" Region: id = 3484 start_va = 0x1330000 end_va = 0x1336fff entry_point = 0x0 region_type = private name = "private_0x0000000001330000" filename = "" Region: id = 3485 start_va = 0x1340000 end_va = 0x1349fff entry_point = 0x0 region_type = private name = "private_0x0000000001340000" filename = "" Region: id = 3486 start_va = 0x1350000 end_va = 0x1356fff entry_point = 0x0 region_type = private name = "private_0x0000000001350000" filename = "" Region: id = 3487 start_va = 0x1360000 end_va = 0x1383fff entry_point = 0x0 region_type = private name = "private_0x0000000001360000" filename = "" Region: id = 3488 start_va = 0x1390000 end_va = 0x1399fff entry_point = 0x0 region_type = private name = "private_0x0000000001390000" filename = "" Region: id = 3489 start_va = 0x13a0000 end_va = 0x13a6fff entry_point = 0x0 region_type = private name = "private_0x00000000013a0000" filename = "" Region: id = 3490 start_va = 0x13b0000 end_va = 0x13b9fff entry_point = 0x0 region_type = private name = "private_0x00000000013b0000" filename = "" Region: id = 3491 start_va = 0x13c0000 end_va = 0x13c6fff entry_point = 0x0 region_type = private name = "private_0x00000000013c0000" filename = "" Region: id = 3492 start_va = 0x13d0000 end_va = 0x1407fff entry_point = 0x0 region_type = private name = "private_0x00000000013d0000" filename = "" Region: id = 3493 start_va = 0x1410000 end_va = 0x1419fff entry_point = 0x0 region_type = private name = "private_0x0000000001410000" filename = "" Region: id = 3494 start_va = 0x1420000 end_va = 0x1420fff entry_point = 0x0 region_type = private name = "private_0x0000000001420000" filename = "" Region: id = 3495 start_va = 0x1430000 end_va = 0x1430fff entry_point = 0x0 region_type = private name = "private_0x0000000001430000" filename = "" Region: id = 3496 start_va = 0x1440000 end_va = 0x1440fff entry_point = 0x0 region_type = private name = "private_0x0000000001440000" filename = "" Region: id = 3497 start_va = 0x1450000 end_va = 0x1450fff entry_point = 0x0 region_type = private name = "private_0x0000000001450000" filename = "" Region: id = 3498 start_va = 0x1460000 end_va = 0x1460fff entry_point = 0x0 region_type = private name = "private_0x0000000001460000" filename = "" Region: id = 3499 start_va = 0x1470000 end_va = 0x1471fff entry_point = 0x0 region_type = private name = "private_0x0000000001470000" filename = "" Region: id = 3500 start_va = 0x1480000 end_va = 0x1480fff entry_point = 0x0 region_type = private name = "private_0x0000000001480000" filename = "" Region: id = 3501 start_va = 0x1490000 end_va = 0x1491fff entry_point = 0x0 region_type = private name = "private_0x0000000001490000" filename = "" Region: id = 3502 start_va = 0x14a0000 end_va = 0x14a0fff entry_point = 0x0 region_type = private name = "private_0x00000000014a0000" filename = "" Region: id = 3503 start_va = 0x14b0000 end_va = 0x14b1fff entry_point = 0x0 region_type = private name = "private_0x00000000014b0000" filename = "" Region: id = 3504 start_va = 0x14c0000 end_va = 0x14c0fff entry_point = 0x0 region_type = private name = "private_0x00000000014c0000" filename = "" Region: id = 3505 start_va = 0x14d0000 end_va = 0x14d1fff entry_point = 0x0 region_type = private name = "private_0x00000000014d0000" filename = "" Region: id = 3506 start_va = 0x14e0000 end_va = 0x14e0fff entry_point = 0x0 region_type = private name = "private_0x00000000014e0000" filename = "" Region: id = 3507 start_va = 0x14f0000 end_va = 0x14f0fff entry_point = 0x0 region_type = private name = "private_0x00000000014f0000" filename = "" Region: id = 3508 start_va = 0x1500000 end_va = 0x1500fff entry_point = 0x0 region_type = private name = "private_0x0000000001500000" filename = "" Region: id = 3509 start_va = 0x1510000 end_va = 0x1510fff entry_point = 0x0 region_type = private name = "private_0x0000000001510000" filename = "" Region: id = 3510 start_va = 0x1520000 end_va = 0x1520fff entry_point = 0x0 region_type = private name = "private_0x0000000001520000" filename = "" Region: id = 3511 start_va = 0x1530000 end_va = 0x1530fff entry_point = 0x0 region_type = private name = "private_0x0000000001530000" filename = "" Region: id = 3512 start_va = 0x1540000 end_va = 0x1540fff entry_point = 0x0 region_type = private name = "private_0x0000000001540000" filename = "" Region: id = 3513 start_va = 0x1550000 end_va = 0x1550fff entry_point = 0x0 region_type = private name = "private_0x0000000001550000" filename = "" Region: id = 3514 start_va = 0x1560000 end_va = 0x1560fff entry_point = 0x0 region_type = private name = "private_0x0000000001560000" filename = "" Region: id = 3515 start_va = 0x1570000 end_va = 0x1570fff entry_point = 0x0 region_type = private name = "private_0x0000000001570000" filename = "" Region: id = 3516 start_va = 0x1580000 end_va = 0x1580fff entry_point = 0x0 region_type = private name = "private_0x0000000001580000" filename = "" Region: id = 3517 start_va = 0x1590000 end_va = 0x1590fff entry_point = 0x0 region_type = private name = "private_0x0000000001590000" filename = "" Region: id = 3518 start_va = 0x15a0000 end_va = 0x15a0fff entry_point = 0x0 region_type = private name = "private_0x00000000015a0000" filename = "" Region: id = 3519 start_va = 0x15b0000 end_va = 0x15b0fff entry_point = 0x0 region_type = private name = "private_0x00000000015b0000" filename = "" Region: id = 3520 start_va = 0x15c0000 end_va = 0x15c0fff entry_point = 0x0 region_type = private name = "private_0x00000000015c0000" filename = "" Region: id = 3521 start_va = 0x15d0000 end_va = 0x15d0fff entry_point = 0x0 region_type = private name = "private_0x00000000015d0000" filename = "" Region: id = 3522 start_va = 0x15e0000 end_va = 0x15e0fff entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 3523 start_va = 0x15f0000 end_va = 0x15f0fff entry_point = 0x0 region_type = private name = "private_0x00000000015f0000" filename = "" Region: id = 3524 start_va = 0x1600000 end_va = 0x16fffff entry_point = 0x0 region_type = private name = "private_0x0000000001600000" filename = "" Region: id = 3525 start_va = 0x1700000 end_va = 0x2a54fff entry_point = 0x1700000 region_type = mapped_file name = "imageres.dll" filename = "\\Windows\\System32\\imageres.dll" (normalized: "c:\\windows\\system32\\imageres.dll") Region: id = 3526 start_va = 0x2a60000 end_va = 0x2a60fff entry_point = 0x0 region_type = private name = "private_0x0000000002a60000" filename = "" Region: id = 3527 start_va = 0x2a70000 end_va = 0x2a70fff entry_point = 0x0 region_type = private name = "private_0x0000000002a70000" filename = "" Region: id = 3528 start_va = 0x2a80000 end_va = 0x2a91fff entry_point = 0x0 region_type = private name = "private_0x0000000002a80000" filename = "" Region: id = 3529 start_va = 0x2aa0000 end_va = 0x2aa1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002aa0000" filename = "" Region: id = 3530 start_va = 0x2ab0000 end_va = 0x2ab1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002ab0000" filename = "" Region: id = 3531 start_va = 0x2ac0000 end_va = 0x2ac2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002ac0000" filename = "" Region: id = 3532 start_va = 0x2ad0000 end_va = 0x2adffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002ad0000" filename = "" Region: id = 3533 start_va = 0x2ae0000 end_va = 0x2ae1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002ae0000" filename = "" Region: id = 3534 start_va = 0x2af0000 end_va = 0x2af0fff entry_point = 0x0 region_type = private name = "private_0x0000000002af0000" filename = "" Region: id = 3535 start_va = 0x2b00000 end_va = 0x2b00fff entry_point = 0x2b00000 region_type = mapped_file name = "msctf.dll.mui" filename = "\\Windows\\System32\\en-US\\msctf.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\msctf.dll.mui") Region: id = 3536 start_va = 0x2b10000 end_va = 0x2b10fff entry_point = 0x2b10000 region_type = mapped_file name = "oleaccrc.dll" filename = "\\Windows\\System32\\oleaccrc.dll" (normalized: "c:\\windows\\system32\\oleaccrc.dll") Region: id = 3537 start_va = 0x2b40000 end_va = 0x2bbffff entry_point = 0x0 region_type = private name = "private_0x0000000002b40000" filename = "" Region: id = 3538 start_va = 0x2bc0000 end_va = 0x2c7ffff entry_point = 0x2bc0000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 3539 start_va = 0x2d80000 end_va = 0x307ffff entry_point = 0x0 region_type = private name = "private_0x0000000002d80000" filename = "" Region: id = 3540 start_va = 0x3080000 end_va = 0x3080fff entry_point = 0x0 region_type = private name = "private_0x0000000003080000" filename = "" Region: id = 3541 start_va = 0x30d0000 end_va = 0x314ffff entry_point = 0x0 region_type = private name = "private_0x00000000030d0000" filename = "" Region: id = 3542 start_va = 0x3250000 end_va = 0x32cffff entry_point = 0x0 region_type = private name = "private_0x0000000003250000" filename = "" Region: id = 3543 start_va = 0x3370000 end_va = 0x33effff entry_point = 0x0 region_type = private name = "private_0x0000000003370000" filename = "" Region: id = 3544 start_va = 0x3420000 end_va = 0x349ffff entry_point = 0x0 region_type = private name = "private_0x0000000003420000" filename = "" Region: id = 3545 start_va = 0x36a0000 end_va = 0x379ffff entry_point = 0x0 region_type = private name = "private_0x00000000036a0000" filename = "" Region: id = 3546 start_va = 0x77640000 end_va = 0x77739fff entry_point = 0x77640000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 3547 start_va = 0x77740000 end_va = 0x7785efff entry_point = 0x77740000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 3548 start_va = 0x77860000 end_va = 0x77a08fff entry_point = 0x77860000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3549 start_va = 0x77a30000 end_va = 0x77a36fff entry_point = 0x77a30000 region_type = mapped_file name = "psapi.dll" filename = "\\Windows\\System32\\psapi.dll" (normalized: "c:\\windows\\system32\\psapi.dll") Region: id = 3550 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 3551 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 3552 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3553 start_va = 0xffea0000 end_va = 0xffeaafff entry_point = 0xffea0000 region_type = mapped_file name = "logonui.exe" filename = "\\Windows\\System32\\LogonUI.exe" (normalized: "c:\\windows\\system32\\logonui.exe") Region: id = 3554 start_va = 0x7fef39f0000 end_va = 0x7fef3aa9fff entry_point = 0x7fef39f0000 region_type = mapped_file name = "uiautomationcore.dll" filename = "\\Windows\\System32\\UIAutomationCore.dll" (normalized: "c:\\windows\\system32\\uiautomationcore.dll") Region: id = 3555 start_va = 0x7fef3ab0000 end_va = 0x7fef3b17fff entry_point = 0x7fef3ab0000 region_type = mapped_file name = "rasplap.dll" filename = "\\Windows\\System32\\rasplap.dll" (normalized: "c:\\windows\\system32\\rasplap.dll") Region: id = 3556 start_va = 0x7fef3b20000 end_va = 0x7fef3b53fff entry_point = 0x7fef3b20000 region_type = mapped_file name = "credui.dll" filename = "\\Windows\\System32\\credui.dll" (normalized: "c:\\windows\\system32\\credui.dll") Region: id = 3557 start_va = 0x7fef3b70000 end_va = 0x7fef3b92fff entry_point = 0x7fef3b70000 region_type = mapped_file name = "certcredprovider.dll" filename = "\\Windows\\System32\\certCredProvider.dll" (normalized: "c:\\windows\\system32\\certcredprovider.dll") Region: id = 3558 start_va = 0x7fef48f0000 end_va = 0x7fef48fdfff entry_point = 0x7fef48f0000 region_type = mapped_file name = "vaultcli.dll" filename = "\\Windows\\System32\\vaultcli.dll" (normalized: "c:\\windows\\system32\\vaultcli.dll") Region: id = 3559 start_va = 0x7fef4900000 end_va = 0x7fef4931fff entry_point = 0x7fef4900000 region_type = mapped_file name = "biocredprov.dll" filename = "\\Windows\\System32\\BioCredProv.dll" (normalized: "c:\\windows\\system32\\biocredprov.dll") Region: id = 3560 start_va = 0x7fef4940000 end_va = 0x7fef4971fff entry_point = 0x7fef4940000 region_type = mapped_file name = "smartcardcredentialprovider.dll" filename = "\\Windows\\System32\\SmartcardCredentialProvider.dll" (normalized: "c:\\windows\\system32\\smartcardcredentialprovider.dll") Region: id = 3561 start_va = 0x7fef4980000 end_va = 0x7fef4997fff entry_point = 0x7fef4980000 region_type = mapped_file name = "vaultcredprovider.dll" filename = "\\Windows\\System32\\VaultCredProvider.dll" (normalized: "c:\\windows\\system32\\vaultcredprovider.dll") Region: id = 3562 start_va = 0x7fef49a0000 end_va = 0x7fef49b6fff entry_point = 0x7fef49a0000 region_type = mapped_file name = "winbio.dll" filename = "\\Windows\\System32\\winbio.dll" (normalized: "c:\\windows\\system32\\winbio.dll") Region: id = 3563 start_va = 0x7fef4c00000 end_va = 0x7fef4c07fff entry_point = 0x7fef4c00000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 3564 start_va = 0x7fef54a0000 end_va = 0x7fef54f3fff entry_point = 0x7fef54a0000 region_type = mapped_file name = "oleacc.dll" filename = "\\Windows\\System32\\oleacc.dll" (normalized: "c:\\windows\\system32\\oleacc.dll") Region: id = 3565 start_va = 0x7fef6310000 end_va = 0x7fef6371fff entry_point = 0x7fef6310000 region_type = mapped_file name = "rasapi32.dll" filename = "\\Windows\\System32\\rasapi32.dll" (normalized: "c:\\windows\\system32\\rasapi32.dll") Region: id = 3566 start_va = 0x7fefae70000 end_va = 0x7fefae8bfff entry_point = 0x7fefae70000 region_type = mapped_file name = "rasman.dll" filename = "\\Windows\\System32\\rasman.dll" (normalized: "c:\\windows\\system32\\rasman.dll") Region: id = 3567 start_va = 0x7fefb740000 end_va = 0x7fefb750fff entry_point = 0x7fefb740000 region_type = mapped_file name = "rtutils.dll" filename = "\\Windows\\System32\\rtutils.dll" (normalized: "c:\\windows\\system32\\rtutils.dll") Region: id = 3568 start_va = 0x7fefb890000 end_va = 0x7fefb8a3fff entry_point = 0x7fefb890000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 3569 start_va = 0x7fefb8b0000 end_va = 0x7fefb8c4fff entry_point = 0x7fefb8b0000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 3570 start_va = 0x7fefb8d0000 end_va = 0x7fefb8dbfff entry_point = 0x7fefb8d0000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 3571 start_va = 0x7fefb8e0000 end_va = 0x7fefb8f5fff entry_point = 0x7fefb8e0000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 3572 start_va = 0x7fefba10000 end_va = 0x7fefba20fff entry_point = 0x7fefba10000 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 3573 start_va = 0x7fefba40000 end_va = 0x7fefbb69fff entry_point = 0x7fefba40000 region_type = mapped_file name = "windowscodecs.dll" filename = "\\Windows\\System32\\WindowsCodecs.dll" (normalized: "c:\\windows\\system32\\windowscodecs.dll") Region: id = 3574 start_va = 0x7fefbb70000 end_va = 0x7fefbba4fff entry_point = 0x7fefbb70000 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\System32\\xmllite.dll" (normalized: "c:\\windows\\system32\\xmllite.dll") Region: id = 3575 start_va = 0x7fefbbb0000 end_va = 0x7fefbbc7fff entry_point = 0x7fefbbb0000 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Region: id = 3576 start_va = 0x7fefbbd0000 end_va = 0x7fefbbdafff entry_point = 0x7fefbbd0000 region_type = mapped_file name = "hid.dll" filename = "\\Windows\\System32\\hid.dll" (normalized: "c:\\windows\\system32\\hid.dll") Region: id = 3577 start_va = 0x7fefbbe0000 end_va = 0x7fefbc1afff entry_point = 0x7fefbbe0000 region_type = mapped_file name = "sndvolsso.dll" filename = "\\Windows\\System32\\SndVolSSO.dll" (normalized: "c:\\windows\\system32\\sndvolsso.dll") Region: id = 3578 start_va = 0x7fefbc20000 end_va = 0x7fefbc62fff entry_point = 0x7fefbc20000 region_type = mapped_file name = "duser.dll" filename = "\\Windows\\System32\\duser.dll" (normalized: "c:\\windows\\system32\\duser.dll") Region: id = 3579 start_va = 0x7fefbc70000 end_va = 0x7fefbd61fff entry_point = 0x7fefbc70000 region_type = mapped_file name = "dui70.dll" filename = "\\Windows\\System32\\dui70.dll" (normalized: "c:\\windows\\system32\\dui70.dll") Region: id = 3580 start_va = 0x7fefbd70000 end_va = 0x7fefbf84fff entry_point = 0x7fefbd70000 region_type = mapped_file name = "gdiplus.dll" filename = "\\Windows\\winsxs\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_2b24536c71ed437a\\GdiPlus.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_2b24536c71ed437a\\gdiplus.dll") Region: id = 3581 start_va = 0x7fefbf90000 end_va = 0x7fefbfe5fff entry_point = 0x7fefbf90000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 3582 start_va = 0x7fefc040000 end_va = 0x7fefc233fff entry_point = 0x7fefc040000 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\\comctl32.dll") Region: id = 3583 start_va = 0x7fefc240000 end_va = 0x7fefc348fff entry_point = 0x7fefc240000 region_type = mapped_file name = "cryptui.dll" filename = "\\Windows\\System32\\cryptui.dll" (normalized: "c:\\windows\\system32\\cryptui.dll") Region: id = 3584 start_va = 0x7fefc350000 end_va = 0x7fefc529fff entry_point = 0x7fefc350000 region_type = mapped_file name = "authui.dll" filename = "\\Windows\\System32\\authui.dll" (normalized: "c:\\windows\\system32\\authui.dll") Region: id = 3585 start_va = 0x7fefc540000 end_va = 0x7fefc66bfff entry_point = 0x7fefc540000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 3586 start_va = 0x7fefc670000 end_va = 0x7fefc6bafff entry_point = 0x7fefc670000 region_type = mapped_file name = "mmdevapi.dll" filename = "\\Windows\\System32\\MMDevAPI.dll" (normalized: "c:\\windows\\system32\\mmdevapi.dll") Region: id = 3587 start_va = 0x7fefcda0000 end_va = 0x7fefcde6fff entry_point = 0x7fefcda0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 3588 start_va = 0x7fefd0a0000 end_va = 0x7fefd0b6fff entry_point = 0x7fefd0a0000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 3589 start_va = 0x7fefd5a0000 end_va = 0x7fefd5c2fff entry_point = 0x7fefd5a0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 3590 start_va = 0x7fefd640000 end_va = 0x7fefd64afff entry_point = 0x7fefd640000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 3591 start_va = 0x7fefd670000 end_va = 0x7fefd694fff entry_point = 0x7fefd670000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 3592 start_va = 0x7fefd6a0000 end_va = 0x7fefd6aefff entry_point = 0x7fefd6a0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 3593 start_va = 0x7fefd750000 end_va = 0x7fefd78cfff entry_point = 0x7fefd750000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 3594 start_va = 0x7fefd790000 end_va = 0x7fefd7a3fff entry_point = 0x7fefd790000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 3595 start_va = 0x7fefd850000 end_va = 0x7fefd85efff entry_point = 0x7fefd850000 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 3596 start_va = 0x7fefd900000 end_va = 0x7fefd96afff entry_point = 0x7fefd900000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 3597 start_va = 0x7fefd970000 end_va = 0x7fefd989fff entry_point = 0x7fefd970000 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 3598 start_va = 0x7fefd990000 end_va = 0x7fefdaf6fff entry_point = 0x7fefd990000 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 3599 start_va = 0x7fefdb00000 end_va = 0x7fefdb35fff entry_point = 0x7fefdb00000 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 3600 start_va = 0x7fefdb80000 end_va = 0x7fefdc48fff entry_point = 0x7fefdb80000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 3601 start_va = 0x7fefdc50000 end_va = 0x7fefdd26fff entry_point = 0x7fefdc50000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 3602 start_va = 0x7fefdd30000 end_va = 0x7fefdd3dfff entry_point = 0x7fefdd30000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 3603 start_va = 0x7fefdd40000 end_va = 0x7fefdd6dfff entry_point = 0x7fefdd40000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 3604 start_va = 0x7fefdef0000 end_va = 0x7fefdef7fff entry_point = 0x7fefdef0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 3605 start_va = 0x7fefed10000 end_va = 0x7fefed76fff entry_point = 0x7fefed10000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 3606 start_va = 0x7fefed80000 end_va = 0x7fefee88fff entry_point = 0x7fefed80000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 3607 start_va = 0x7feff0f0000 end_va = 0x7feff1cafff entry_point = 0x7feff0f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 3608 start_va = 0x7feff1d0000 end_va = 0x7feff2fcfff entry_point = 0x7feff1d0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 3609 start_va = 0x7feff300000 end_va = 0x7feff4d6fff entry_point = 0x7feff300000 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll") Region: id = 3610 start_va = 0x7feff4e0000 end_va = 0x7feff550fff entry_point = 0x7feff4e0000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 3611 start_va = 0x7feff560000 end_va = 0x7feff5f8fff entry_point = 0x7feff560000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 3612 start_va = 0x7feff850000 end_va = 0x7feff86efff entry_point = 0x7feff850000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 3613 start_va = 0x7feff870000 end_va = 0x7feffa72fff entry_point = 0x7feff870000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 3614 start_va = 0x7feffa80000 end_va = 0x7feffb1efff entry_point = 0x7feffa80000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 3615 start_va = 0x7feffb20000 end_va = 0x7feffb6cfff entry_point = 0x7feffb20000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 3616 start_va = 0x7feffb80000 end_va = 0x7feffb80fff entry_point = 0x7feffb80000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 3617 start_va = 0x7fffffac000 end_va = 0x7fffffadfff entry_point = 0x0 region_type = private name = "private_0x000007fffffac000" filename = "" Region: id = 3618 start_va = 0x7fffffae000 end_va = 0x7fffffaffff entry_point = 0x0 region_type = private name = "private_0x000007fffffae000" filename = "" Region: id = 3619 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 3620 start_va = 0x7fffffd4000 end_va = 0x7fffffd5fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd4000" filename = "" Region: id = 3621 start_va = 0x7fffffd6000 end_va = 0x7fffffd7fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd6000" filename = "" Region: id = 3622 start_va = 0x7fffffd8000 end_va = 0x7fffffd9fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd8000" filename = "" Region: id = 3623 start_va = 0x7fffffda000 end_va = 0x7fffffdafff entry_point = 0x0 region_type = private name = "private_0x000007fffffda000" filename = "" Region: id = 3624 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 3625 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Thread: id = 415 os_tid = 0x5a4 Thread: id = 416 os_tid = 0x210 Thread: id = 417 os_tid = 0x6dc Thread: id = 418 os_tid = 0x248 Thread: id = 419 os_tid = 0x5fc Thread: id = 420 os_tid = 0x64 Thread: id = 421 os_tid = 0x54c Thread: id = 422 os_tid = 0x70c Thread: id = 423 os_tid = 0x530 Thread: id = 475 os_tid = 0x940 Process: id = "32" image_name = "System" filename = "" page_root = "0x187000" os_pid = "0x4" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "kernel_analysis" parent_id = "0" os_parent_pid = "0x0" cmd_line = "" cur_dir = "" os_username = "NT AUTHORITY\\SYSTEM" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Region: id = 3707 start_va = 0x10000 end_va = 0x32fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 3708 start_va = 0x778d0000 end_va = 0x77a78fff entry_point = 0x778d0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3709 start_va = 0x77ab0000 end_va = 0x77c2ffff entry_point = 0x77ab0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 3710 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Thread: id = 481 os_tid = 0x8 Thread: id = 482 os_tid = 0x5c Thread: id = 483 os_tid = 0x24 Thread: id = 484 os_tid = 0x9c Thread: id = 485 os_tid = 0x78 Thread: id = 486 os_tid = 0xc0 Thread: id = 487 os_tid = 0x28 Thread: id = 488 os_tid = 0x40 [0233.282] ExAllocatePoolWithTag (PoolType=0x0, NumberOfBytes=0x1d2ab, Tag=0x616d6443) returned 0xfffffa8001a17000 [0233.283] KeSetTimer (in: Timer=0xfffffa800194fa28, DueTime=0xffffffffb5a0c861, Dpc=0xfffffa800194fa68 | out: Timer=0xfffffa800194fa28) returned 0 Thread: id = 489 os_tid = 0x3c Thread: id = 490 os_tid = 0x38 Thread: id = 491 os_tid = 0x34 [0221.511] ExAllocatePoolWithTag (PoolType=0x0, NumberOfBytes=0x1ccb5, Tag=0x784d6452) returned 0xfffffa80019fa000 Thread: id = 492 os_tid = 0x30 Thread: id = 493 os_tid = 0xc4 Thread: id = 494 os_tid = 0xcc Thread: id = 495 os_tid = 0x48 Thread: id = 496 os_tid = 0xd0 Thread: id = 497 os_tid = 0xb8 Thread: id = 498 os_tid = 0xd4 Thread: id = 499 os_tid = 0xd8 Thread: id = 500 os_tid = 0xdc Thread: id = 501 os_tid = 0xe8 Thread: id = 502 os_tid = 0xec Thread: id = 503 os_tid = 0x64 Thread: id = 504 os_tid = 0x2c Thread: id = 505 os_tid = 0xfc Thread: id = 506 os_tid = 0x104 Thread: id = 507 os_tid = 0x114 Thread: id = 508 os_tid = 0x108 Thread: id = 509 os_tid = 0x4c Thread: id = 510 os_tid = 0x10c Thread: id = 511 os_tid = 0x12c Thread: id = 512 os_tid = 0x130 Thread: id = 513 os_tid = 0x134 Thread: id = 514 os_tid = 0x138 Thread: id = 515 os_tid = 0x174 Thread: id = 516 os_tid = 0x90 Thread: id = 517 os_tid = 0x100 Thread: id = 518 os_tid = 0xb0 Thread: id = 519 os_tid = 0x74 Thread: id = 520 os_tid = 0x98 Thread: id = 521 os_tid = 0x268 Thread: id = 522 os_tid = 0x2e4 Thread: id = 523 os_tid = 0x84 Thread: id = 524 os_tid = 0x68 Thread: id = 525 os_tid = 0x8c Thread: id = 526 os_tid = 0x80 Thread: id = 527 os_tid = 0x88 Thread: id = 528 os_tid = 0x3ac Thread: id = 529 os_tid = 0x440 Thread: id = 530 os_tid = 0x464 Thread: id = 531 os_tid = 0x94 Thread: id = 532 os_tid = 0x56c Thread: id = 533 os_tid = 0x5b0 Thread: id = 534 os_tid = 0x5c4 Thread: id = 535 os_tid = 0x5c8 Thread: id = 537 os_tid = 0x634 Thread: id = 538 os_tid = 0x6b8 Thread: id = 539 os_tid = 0x6c8 Thread: id = 540 os_tid = 0x6d8 Thread: id = 541 os_tid = 0x6e0 Thread: id = 542 os_tid = 0x6ec Thread: id = 543 os_tid = 0x6f4 Thread: id = 544 os_tid = 0x60 Thread: id = 545 os_tid = 0x20 Thread: id = 546 os_tid = 0x448 Thread: id = 547 os_tid = 0x1c Thread: id = 548 os_tid = 0x788 Thread: id = 549 os_tid = 0x444 Thread: id = 550 os_tid = 0x790 Thread: id = 551 os_tid = 0x0 [0221.510] ExQueueWorkItem (in: WorkItem=0xfffffa80019a648b*(List.Flink=0x0, List.Blink=0x0, WorkerRoutine=0xfffffa80019ab070, Parameter=0xfffffa80019a624b), QueueType=0x1 | out: WorkItem=0xfffffa80019a648b*(List.Flink=0x0, List.Blink=0x0, WorkerRoutine=0xfffffa80019ab070, Parameter=0xfffffa80019a624b)) [0233.281] ExQueueWorkItem (in: WorkItem=0xfffffa800196c29b*(List.Flink=0x0, List.Blink=0x0, WorkerRoutine=0xfffffa8001970e80, Parameter=0xfffffa800196c05b), QueueType=0x1 | out: WorkItem=0xfffffa800196c29b*(List.Flink=0x0, List.Blink=0x0, WorkerRoutine=0xfffffa8001970e80, Parameter=0xfffffa800196c05b)) Thread: id = 552 os_tid = 0x7e0 Thread: id = 553 os_tid = 0x4fc Thread: id = 554 os_tid = 0x4f4 Thread: id = 555 os_tid = 0x410 Process: id = "33" image_name = "ose.exe" filename = "c:\\program files\\common files\\microsoft shared\\source engine\\ose.exe" page_root = "0x76806000" os_pid = "0x610" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "modified_file" parent_id = "2" os_parent_pid = "0x954" cmd_line = "\"C:\\Program Files\\Common Files\\Microsoft Shared\\Source Engine\\OSE.EXE\"" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Region: id = 3766 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 3767 start_va = 0x30000 end_va = 0x31fff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 3768 start_va = 0x40000 end_va = 0x40fff entry_point = 0x40000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 3769 start_va = 0x50000 end_va = 0x53fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 3770 start_va = 0x60000 end_va = 0x60fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 3771 start_va = 0xd0000 end_va = 0x10ffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 3772 start_va = 0x110000 end_va = 0x20ffff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 3773 start_va = 0xce0000 end_va = 0xd02fff entry_point = 0xce0000 region_type = mapped_file name = "ose.exe" filename = "\\Program Files\\Common Files\\Microsoft Shared\\Source Engine\\OSE.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\source engine\\ose.exe") Region: id = 3774 start_va = 0x778d0000 end_va = 0x77a78fff entry_point = 0x778d0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3775 start_va = 0x77ab0000 end_va = 0x77c2ffff entry_point = 0x77ab0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 3776 start_va = 0x7efb0000 end_va = 0x7efd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efb0000" filename = "" Region: id = 3777 start_va = 0x7efdb000 end_va = 0x7efddfff entry_point = 0x0 region_type = private name = "private_0x000000007efdb000" filename = "" Region: id = 3778 start_va = 0x7efde000 end_va = 0x7efdefff entry_point = 0x0 region_type = private name = "private_0x000000007efde000" filename = "" Region: id = 3779 start_va = 0x7efdf000 end_va = 0x7efdffff entry_point = 0x0 region_type = private name = "private_0x000000007efdf000" filename = "" Region: id = 3780 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 3781 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3782 start_va = 0x7fff0000 end_va = 0x7fffffeffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Thread: id = 536 os_tid = 0x614